OLD | NEW |
---|---|
1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/browser/net/certificate_error_reporter.h" | 5 #include "chrome/browser/net/certificate_error_reporter.h" |
6 | 6 |
7 #include <set> | 7 #include <set> |
8 | 8 |
9 #include "base/logging.h" | 9 #include "base/logging.h" |
10 #include "base/stl_util.h" | 10 #include "chrome/browser/net/encrypted_cert_logger.pb.h" |
11 #include "base/time/time.h" | |
12 #include "chrome/browser/net/cert_logger.pb.h" | |
13 | 11 |
14 #if defined(USE_OPENSSL) | 12 #if defined(USE_OPENSSL) |
15 #include "crypto/aead_openssl.h" | 13 #include "crypto/aead_openssl.h" |
16 #endif | 14 #endif |
17 | 15 |
18 #include "crypto/curve25519.h" | 16 #include "crypto/curve25519.h" |
19 #include "crypto/hkdf.h" | 17 #include "crypto/hkdf.h" |
20 #include "crypto/random.h" | 18 #include "crypto/random.h" |
21 #include "net/base/elements_upload_data_stream.h" | 19 #include "net/base/elements_upload_data_stream.h" |
22 #include "net/base/load_flags.h" | 20 #include "net/base/load_flags.h" |
23 #include "net/base/request_priority.h" | 21 #include "net/base/request_priority.h" |
24 #include "net/base/upload_bytes_element_reader.h" | 22 #include "net/base/upload_bytes_element_reader.h" |
25 #include "net/cert/x509_certificate.h" | |
26 #include "net/ssl/ssl_info.h" | |
27 #include "net/url_request/url_request_context.h" | 23 #include "net/url_request/url_request_context.h" |
28 | 24 |
29 namespace { | 25 namespace { |
30 | 26 |
31 using chrome_browser_net::CertLoggerRequest; | |
32 | |
33 // Constants used for crypto | 27 // Constants used for crypto |
34 static const uint8 kServerPublicKey[] = { | 28 static const uint8 kServerPublicKey[] = { |
35 0x51, 0xcc, 0x52, 0x67, 0x42, 0x47, 0x3b, 0x10, 0xe8, 0x63, 0x18, | 29 0x51, 0xcc, 0x52, 0x67, 0x42, 0x47, 0x3b, 0x10, 0xe8, 0x63, 0x18, |
36 0x3c, 0x61, 0xa7, 0x96, 0x76, 0x86, 0x91, 0x40, 0x71, 0x39, 0x5f, | 30 0x3c, 0x61, 0xa7, 0x96, 0x76, 0x86, 0x91, 0x40, 0x71, 0x39, 0x5f, |
37 0x31, 0x1a, 0x39, 0x5b, 0x76, 0xb1, 0x6b, 0x3d, 0x6a, 0x2b}; | 31 0x31, 0x1a, 0x39, 0x5b, 0x76, 0xb1, 0x6b, 0x3d, 0x6a, 0x2b}; |
38 static const uint32 kServerPublicKeyVersion = 1; | 32 static const uint32 kServerPublicKeyVersion = 1; |
39 | 33 |
40 #if defined(USE_OPENSSL) | 34 #if defined(USE_OPENSSL) |
41 | 35 |
42 static const char kHkdfLabel[] = "certificate report"; | 36 static const char kHkdfLabel[] = "certificate report"; |
43 | 37 |
44 bool EncryptSerializedReport( | 38 bool EncryptSerializedReport( |
45 const uint8* server_public_key, | 39 const uint8* server_public_key, |
46 uint32 server_public_key_version, | 40 uint32 server_public_key_version, |
47 const std::string& report, | 41 const std::string& report, |
48 chrome_browser_net::EncryptedCertLoggerRequest* encrypted_report) { | 42 chrome_browser_net::EncryptedCertLoggerRequest* encrypted_report) { |
49 // Generate an ephemeral key pair to generate a shared secret. | 43 // Generate an ephemeral key pair to generate a shared secret. |
50 uint8 public_key[crypto::curve25519::kBytes]; | 44 uint8 public_key[crypto::curve25519::kBytes]; |
51 uint8 private_key[crypto::curve25519::kScalarBytes]; | 45 uint8 private_key[crypto::curve25519::kScalarBytes]; |
52 uint8 shared_secret[crypto::curve25519::kBytes]; | 46 uint8 shared_secret[crypto::curve25519::kBytes]; |
53 | 47 |
54 crypto::RandBytes(private_key, sizeof(private_key)); | 48 crypto::RandBytes(private_key, sizeof(private_key)); |
55 crypto::curve25519::ScalarBaseMult(private_key, public_key); | 49 crypto::curve25519::ScalarBaseMult(private_key, public_key); |
56 crypto::curve25519::ScalarMult(private_key, server_public_key, shared_secret); | 50 crypto::curve25519::ScalarMult(private_key, server_public_key, shared_secret); |
57 | 51 |
58 crypto::Aead aead(crypto::Aead::AES_128_CTR_HMAC_SHA256); | 52 crypto::Aead aead(crypto::Aead::AES_128_CTR_HMAC_SHA256); |
59 crypto::HKDF hkdf(std::string((char*)shared_secret, sizeof(shared_secret)), | 53 crypto::HKDF hkdf(std::string((char*)shared_secret, sizeof(shared_secret)), |
Ryan Sleevi
2015/05/13 01:02:12
drive by: Gotta use C++ casts, per http://google-s
estark
2015/05/13 01:44:49
Done.
| |
60 std::string(), | 54 std::string(), |
61 base::StringPiece(kHkdfLabel, sizeof(kHkdfLabel)), 0, 0, | 55 base::StringPiece(kHkdfLabel, sizeof(kHkdfLabel)), 0, 0, |
62 aead.KeyLength()); | 56 aead.KeyLength()); |
63 | 57 |
64 const std::string key(hkdf.subkey_secret().data(), | 58 const std::string key(hkdf.subkey_secret().data(), |
65 hkdf.subkey_secret().size()); | 59 hkdf.subkey_secret().size()); |
66 aead.Init(&key); | 60 aead.Init(&key); |
67 | 61 |
68 // Use an all-zero nonce because the key is random per-message. | 62 // Use an all-zero nonce because the key is random per-message. |
69 std::string nonce(aead.NonceLength(), 0); | 63 std::string nonce(aead.NonceLength(), 0); |
70 | 64 |
71 std::string ciphertext; | 65 std::string ciphertext; |
72 if (!aead.Seal(report, nonce, "", &ciphertext)) { | 66 if (!aead.Seal(report, nonce, "", &ciphertext)) { |
Ryan Sleevi
2015/05/13 01:02:12
s/""/std::string()/
estark
2015/05/13 01:44:49
Done.
| |
73 LOG(ERROR) << "Error sealing certificate report."; | 67 LOG(ERROR) << "Error sealing certificate report."; |
74 return false; | 68 return false; |
75 } | 69 } |
76 | 70 |
77 encrypted_report->set_encrypted_report(ciphertext); | 71 encrypted_report->set_encrypted_report(ciphertext); |
78 encrypted_report->set_server_public_key_version(server_public_key_version); | 72 encrypted_report->set_server_public_key_version(server_public_key_version); |
79 encrypted_report->set_client_public_key( | 73 encrypted_report->set_client_public_key( |
80 std::string((char*)public_key, sizeof(public_key))); | 74 std::string((char*)public_key, sizeof(public_key))); |
Ryan Sleevi
2015/05/13 01:02:12
casts
estark
2015/05/13 01:44:49
Done.
| |
81 encrypted_report->set_algorithm( | 75 encrypted_report->set_algorithm( |
82 chrome_browser_net::EncryptedCertLoggerRequest:: | 76 chrome_browser_net::EncryptedCertLoggerRequest:: |
83 AEAD_ECDH_AES_128_CTR_HMAC_SHA256); | 77 AEAD_ECDH_AES_128_CTR_HMAC_SHA256); |
84 return true; | 78 return true; |
85 } | 79 } |
86 #endif | 80 #endif |
87 | 81 |
88 void AddCertStatusToReportErrors( | |
89 net::CertStatus cert_status, | |
90 CertLoggerRequest* report) { | |
91 if (cert_status & net::CERT_STATUS_REVOKED) | |
92 report->add_cert_error(CertLoggerRequest::ERR_CERT_REVOKED); | |
93 if (cert_status & net::CERT_STATUS_INVALID) | |
94 report->add_cert_error(CertLoggerRequest::ERR_CERT_INVALID); | |
95 if (cert_status & net::CERT_STATUS_PINNED_KEY_MISSING) | |
96 report->add_cert_error( | |
97 CertLoggerRequest::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN); | |
98 if (cert_status & net::CERT_STATUS_AUTHORITY_INVALID) | |
99 report->add_cert_error(CertLoggerRequest::ERR_CERT_AUTHORITY_INVALID); | |
100 if (cert_status & net::CERT_STATUS_COMMON_NAME_INVALID) | |
101 report->add_cert_error(CertLoggerRequest::ERR_CERT_COMMON_NAME_INVALID); | |
102 if (cert_status & net::CERT_STATUS_NON_UNIQUE_NAME) | |
103 report->add_cert_error(CertLoggerRequest::ERR_CERT_NON_UNIQUE_NAME); | |
104 if (cert_status & net::CERT_STATUS_NAME_CONSTRAINT_VIOLATION) | |
105 report->add_cert_error( | |
106 CertLoggerRequest::ERR_CERT_NAME_CONSTRAINT_VIOLATION); | |
107 if (cert_status & net::CERT_STATUS_WEAK_SIGNATURE_ALGORITHM) | |
108 report->add_cert_error( | |
109 CertLoggerRequest::ERR_CERT_WEAK_SIGNATURE_ALGORITHM); | |
110 if (cert_status & net::CERT_STATUS_WEAK_KEY) | |
111 report->add_cert_error(CertLoggerRequest::ERR_CERT_WEAK_KEY); | |
112 if (cert_status & net::CERT_STATUS_DATE_INVALID) | |
113 report->add_cert_error(CertLoggerRequest::ERR_CERT_DATE_INVALID); | |
114 if (cert_status & net::CERT_STATUS_VALIDITY_TOO_LONG) | |
115 report->add_cert_error(CertLoggerRequest::ERR_CERT_VALIDITY_TOO_LONG); | |
116 if (cert_status & net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION) | |
117 report->add_cert_error( | |
118 CertLoggerRequest::ERR_CERT_UNABLE_TO_CHECK_REVOCATION); | |
119 if (cert_status & net::CERT_STATUS_NO_REVOCATION_MECHANISM) | |
120 report->add_cert_error(CertLoggerRequest::ERR_CERT_NO_REVOCATION_MECHANISM); | |
121 } | |
122 | |
123 } // namespace | 82 } // namespace |
124 | 83 |
125 namespace chrome_browser_net { | 84 namespace chrome_browser_net { |
126 | 85 |
127 CertificateErrorReporter::CertificateErrorReporter( | 86 CertificateErrorReporter::CertificateErrorReporter( |
128 net::URLRequestContext* request_context, | 87 net::URLRequestContext* request_context, |
129 const GURL& upload_url, | 88 const GURL& upload_url, |
130 CookiesPreference cookies_preference) | 89 CookiesPreference cookies_preference) |
131 : CertificateErrorReporter(request_context, | 90 : CertificateErrorReporter(request_context, |
132 upload_url, | 91 upload_url, |
146 cookies_preference_(cookies_preference), | 105 cookies_preference_(cookies_preference), |
147 server_public_key_(server_public_key), | 106 server_public_key_(server_public_key), |
148 server_public_key_version_(server_public_key_version) { | 107 server_public_key_version_(server_public_key_version) { |
149 DCHECK(!upload_url.is_empty()); | 108 DCHECK(!upload_url.is_empty()); |
150 } | 109 } |
151 | 110 |
152 CertificateErrorReporter::~CertificateErrorReporter() { | 111 CertificateErrorReporter::~CertificateErrorReporter() { |
153 STLDeleteElements(&inflight_requests_); | 112 STLDeleteElements(&inflight_requests_); |
154 } | 113 } |
155 | 114 |
156 void CertificateErrorReporter::SendReport(ReportType type, | 115 void CertificateErrorReporter::SendReport( |
157 const std::string& hostname, | 116 ReportType type, |
158 const net::SSLInfo& ssl_info) { | 117 const std::string& serialized_report) { |
159 CertLoggerRequest request; | |
160 BuildReport(hostname, ssl_info, &request); | |
161 | |
162 switch (type) { | 118 switch (type) { |
163 case REPORT_TYPE_PINNING_VIOLATION: | 119 case REPORT_TYPE_PINNING_VIOLATION: |
164 SendCertLoggerRequest(request); | 120 SendSerializedRequest(serialized_report); |
165 break; | 121 break; |
166 case REPORT_TYPE_EXTENDED_REPORTING: | 122 case REPORT_TYPE_EXTENDED_REPORTING: |
167 if (upload_url_.SchemeIsCryptographic()) { | 123 if (upload_url_.SchemeIsCryptographic()) { |
168 SendCertLoggerRequest(request); | 124 SendSerializedRequest(serialized_report); |
169 } else { | 125 } else { |
170 DCHECK(IsHttpUploadUrlSupported()); | 126 DCHECK(IsHttpUploadUrlSupported()); |
171 #if defined(USE_OPENSSL) | 127 #if defined(USE_OPENSSL) |
172 EncryptedCertLoggerRequest encrypted_report; | 128 EncryptedCertLoggerRequest encrypted_report; |
173 std::string serialized_report; | |
174 request.SerializeToString(&serialized_report); | |
175 if (!EncryptSerializedReport(server_public_key_, | 129 if (!EncryptSerializedReport(server_public_key_, |
176 server_public_key_version_, | 130 server_public_key_version_, |
177 serialized_report, &encrypted_report)) { | 131 serialized_report, &encrypted_report)) { |
178 LOG(ERROR) << "Failed to encrypt serialized report."; | 132 LOG(ERROR) << "Failed to encrypt serialized report."; |
179 return; | 133 return; |
180 } | 134 } |
181 std::string serialized_encrypted_report; | 135 std::string serialized_encrypted_report; |
182 encrypted_report.SerializeToString(&serialized_encrypted_report); | 136 encrypted_report.SerializeToString(&serialized_encrypted_report); |
183 SendSerializedRequest(serialized_encrypted_report); | 137 SendSerializedRequest(serialized_encrypted_report); |
184 #endif | 138 #endif |
223 #else | 177 #else |
224 return false; | 178 return false; |
225 #endif | 179 #endif |
226 } | 180 } |
227 | 181 |
228 // Used only by tests. | 182 // Used only by tests. |
229 #if defined(USE_OPENSSL) | 183 #if defined(USE_OPENSSL) |
230 bool CertificateErrorReporter::DecryptCertificateErrorReport( | 184 bool CertificateErrorReporter::DecryptCertificateErrorReport( |
231 const uint8 server_private_key[32], | 185 const uint8 server_private_key[32], |
232 const EncryptedCertLoggerRequest& encrypted_report, | 186 const EncryptedCertLoggerRequest& encrypted_report, |
233 CertLoggerRequest* decrypted_report) { | 187 std::string* decrypted_serialized_report) { |
234 uint8 shared_secret[crypto::curve25519::kBytes]; | 188 uint8 shared_secret[crypto::curve25519::kBytes]; |
235 crypto::curve25519::ScalarMult( | 189 crypto::curve25519::ScalarMult( |
236 server_private_key, (uint8*)encrypted_report.client_public_key().data(), | 190 server_private_key, (uint8*)encrypted_report.client_public_key().data(), |
Ryan Sleevi
2015/05/13 01:02:12
casts
estark
2015/05/13 01:44:49
Done.
| |
237 shared_secret); | 191 shared_secret); |
238 | 192 |
239 crypto::Aead aead(crypto::Aead::AES_128_CTR_HMAC_SHA256); | 193 crypto::Aead aead(crypto::Aead::AES_128_CTR_HMAC_SHA256); |
240 crypto::HKDF hkdf(std::string((char*)shared_secret, sizeof(shared_secret)), | 194 crypto::HKDF hkdf(std::string((char*)shared_secret, sizeof(shared_secret)), |
Ryan Sleevi
2015/05/13 01:02:12
casts
estark
2015/05/13 01:44:49
Done.
| |
241 std::string(), | 195 std::string(), |
242 base::StringPiece(kHkdfLabel, sizeof(kHkdfLabel)), 0, 0, | 196 base::StringPiece(kHkdfLabel, sizeof(kHkdfLabel)), 0, 0, |
243 aead.KeyLength()); | 197 aead.KeyLength()); |
244 | 198 |
245 const std::string key(hkdf.subkey_secret().data(), | 199 const std::string key(hkdf.subkey_secret().data(), |
246 hkdf.subkey_secret().size()); | 200 hkdf.subkey_secret().size()); |
247 aead.Init(&key); | 201 aead.Init(&key); |
248 | 202 |
249 // Use an all-zero nonce because the key is random per-message. | 203 // Use an all-zero nonce because the key is random per-message. |
250 std::string nonce(aead.NonceLength(), 0); | 204 std::string nonce(aead.NonceLength(), 0); |
251 | 205 |
252 std::string plaintext; | 206 return aead.Open(encrypted_report.encrypted_report(), nonce, "", |
Ryan Sleevi
2015/05/13 01:02:12
s/""/std::string()/
estark
2015/05/13 01:44:49
Done.
| |
253 if (!aead.Open(encrypted_report.encrypted_report(), nonce, "", &plaintext)) { | 207 decrypted_serialized_report); |
254 LOG(ERROR) << "Error opening certificate report"; | |
255 return false; | |
256 } | |
257 | |
258 return decrypted_report->ParseFromString(plaintext); | |
259 } | 208 } |
260 #endif | 209 #endif |
261 | 210 |
262 void CertificateErrorReporter::SendCertLoggerRequest( | |
263 const CertLoggerRequest& request) { | |
264 std::string serialized_request; | |
265 request.SerializeToString(&serialized_request); | |
266 SendSerializedRequest(serialized_request); | |
267 } | |
268 | |
269 void CertificateErrorReporter::SendSerializedRequest( | 211 void CertificateErrorReporter::SendSerializedRequest( |
270 const std::string& serialized_request) { | 212 const std::string& serialized_request) { |
271 scoped_ptr<net::URLRequest> url_request = CreateURLRequest(request_context_); | 213 scoped_ptr<net::URLRequest> url_request = CreateURLRequest(request_context_); |
272 url_request->set_method("POST"); | 214 url_request->set_method("POST"); |
273 | 215 |
274 scoped_ptr<net::UploadElementReader> reader( | 216 scoped_ptr<net::UploadElementReader> reader( |
275 net::UploadOwnedBytesElementReader::CreateWithString(serialized_request)); | 217 net::UploadOwnedBytesElementReader::CreateWithString(serialized_request)); |
276 url_request->set_upload( | 218 url_request->set_upload( |
277 net::ElementsUploadDataStream::CreateWithReader(reader.Pass(), 0)); | 219 net::ElementsUploadDataStream::CreateWithReader(reader.Pass(), 0)); |
278 | 220 |
279 net::HttpRequestHeaders headers; | 221 net::HttpRequestHeaders headers; |
280 headers.SetHeader(net::HttpRequestHeaders::kContentType, | 222 headers.SetHeader(net::HttpRequestHeaders::kContentType, |
281 "x-application/chrome-fraudulent-cert-report"); | 223 "x-application/chrome-fraudulent-cert-report"); |
282 url_request->SetExtraRequestHeaders(headers); | 224 url_request->SetExtraRequestHeaders(headers); |
283 | 225 |
284 net::URLRequest* raw_url_request = url_request.get(); | 226 net::URLRequest* raw_url_request = url_request.get(); |
285 inflight_requests_.insert(url_request.release()); | 227 inflight_requests_.insert(url_request.release()); |
286 raw_url_request->Start(); | 228 raw_url_request->Start(); |
287 } | 229 } |
288 | 230 |
289 void CertificateErrorReporter::BuildReport(const std::string& hostname, | |
290 const net::SSLInfo& ssl_info, | |
291 CertLoggerRequest* out_request) { | |
292 base::Time now = base::Time::Now(); | |
293 out_request->set_time_usec(now.ToInternalValue()); | |
294 out_request->set_hostname(hostname); | |
295 | |
296 std::vector<std::string> pem_encoded_chain; | |
297 if (!ssl_info.cert->GetPEMEncodedChain(&pem_encoded_chain)) | |
298 LOG(ERROR) << "Could not get PEM encoded chain."; | |
299 | |
300 std::string* cert_chain = out_request->mutable_cert_chain(); | |
301 for (size_t i = 0; i < pem_encoded_chain.size(); ++i) | |
302 *cert_chain += pem_encoded_chain[i]; | |
303 | |
304 out_request->add_pin(ssl_info.pinning_failure_log); | |
305 | |
306 AddCertStatusToReportErrors(ssl_info.cert_status, out_request); | |
307 } | |
308 | |
309 void CertificateErrorReporter::RequestComplete(net::URLRequest* request) { | 231 void CertificateErrorReporter::RequestComplete(net::URLRequest* request) { |
310 std::set<net::URLRequest*>::iterator i = inflight_requests_.find(request); | 232 std::set<net::URLRequest*>::iterator i = inflight_requests_.find(request); |
311 DCHECK(i != inflight_requests_.end()); | 233 DCHECK(i != inflight_requests_.end()); |
312 scoped_ptr<net::URLRequest> url_request(*i); | 234 scoped_ptr<net::URLRequest> url_request(*i); |
313 inflight_requests_.erase(i); | 235 inflight_requests_.erase(i); |
314 } | 236 } |
315 | 237 |
316 } // namespace chrome_browser_net | 238 } // namespace chrome_browser_net |
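Review bot: DecryptCertificateErrorReport passes `encrypted_report.client_public_key().data()` straight to `crypto::curve25519::ScalarMult` without checking the field's length, so a message whose key is shorter than `crypto::curve25519::kBytes` would make the multiplication read past the end of the string's buffer. Add `if (encrypted_report.client_public_key().size() != crypto::curve25519::kBytes) return false;` before the ScalarMult call. The function is marked test-only, but it now hands the decrypted bytes back unparsed, so it would also be reasonable to reject reports whose algorithm or server key version is not the one this code sets in EncryptSerializedReport; the getter names for those fields are not visible on this page. Separately, the new `return aead.Open(...)` drops the `LOG(ERROR)` the old code emitted on failure, which is worth keeping if tests rely on it for diagnosis.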