Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(34)

Side by Side Diff: chrome/browser/net/certificate_error_reporter.cc

Issue 1117173004: Split cert reporter class into report building/serializing and sending (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: move //c/b/ssl classes into global namespace Created 5 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
OLDNEW
1 // Copyright 2015 The Chromium Authors. All rights reserved. 1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "chrome/browser/net/certificate_error_reporter.h" 5 #include "chrome/browser/net/certificate_error_reporter.h"
6 6
7 #include <set> 7 #include <set>
8 8
9 #include "base/logging.h" 9 #include "base/logging.h"
10 #include "base/stl_util.h" 10 #include "chrome/browser/net/encrypted_cert_logger.pb.h"
11 #include "base/time/time.h"
12 #include "chrome/browser/net/cert_logger.pb.h"
13 11
14 #if defined(USE_OPENSSL) 12 #if defined(USE_OPENSSL)
15 #include "crypto/aead_openssl.h" 13 #include "crypto/aead_openssl.h"
16 #endif 14 #endif
17 15
18 #include "crypto/curve25519.h" 16 #include "crypto/curve25519.h"
19 #include "crypto/hkdf.h" 17 #include "crypto/hkdf.h"
20 #include "crypto/random.h" 18 #include "crypto/random.h"
21 #include "net/base/elements_upload_data_stream.h" 19 #include "net/base/elements_upload_data_stream.h"
22 #include "net/base/load_flags.h" 20 #include "net/base/load_flags.h"
23 #include "net/base/request_priority.h" 21 #include "net/base/request_priority.h"
24 #include "net/base/upload_bytes_element_reader.h" 22 #include "net/base/upload_bytes_element_reader.h"
25 #include "net/cert/x509_certificate.h"
26 #include "net/ssl/ssl_info.h"
27 #include "net/url_request/url_request_context.h" 23 #include "net/url_request/url_request_context.h"
28 24
29 namespace { 25 namespace {
30 26
31 using chrome_browser_net::CertLoggerRequest;
32
33 // Constants used for crypto 27 // Constants used for crypto
34 static const uint8 kServerPublicKey[] = { 28 static const uint8 kServerPublicKey[] = {
35 0x51, 0xcc, 0x52, 0x67, 0x42, 0x47, 0x3b, 0x10, 0xe8, 0x63, 0x18, 29 0x51, 0xcc, 0x52, 0x67, 0x42, 0x47, 0x3b, 0x10, 0xe8, 0x63, 0x18,
36 0x3c, 0x61, 0xa7, 0x96, 0x76, 0x86, 0x91, 0x40, 0x71, 0x39, 0x5f, 30 0x3c, 0x61, 0xa7, 0x96, 0x76, 0x86, 0x91, 0x40, 0x71, 0x39, 0x5f,
37 0x31, 0x1a, 0x39, 0x5b, 0x76, 0xb1, 0x6b, 0x3d, 0x6a, 0x2b}; 31 0x31, 0x1a, 0x39, 0x5b, 0x76, 0xb1, 0x6b, 0x3d, 0x6a, 0x2b};
38 static const uint32 kServerPublicKeyVersion = 1; 32 static const uint32 kServerPublicKeyVersion = 1;
39 33
40 #if defined(USE_OPENSSL) 34 #if defined(USE_OPENSSL)
41 35
42 static const char kHkdfLabel[] = "certificate report"; 36 static const char kHkdfLabel[] = "certificate report";
43 37
44 bool EncryptSerializedReport( 38 bool EncryptSerializedReport(
45 const uint8* server_public_key, 39 const uint8* server_public_key,
46 uint32 server_public_key_version, 40 uint32 server_public_key_version,
47 const std::string& report, 41 const std::string& report,
48 chrome_browser_net::EncryptedCertLoggerRequest* encrypted_report) { 42 chrome_browser_net::EncryptedCertLoggerRequest* encrypted_report) {
49 // Generate an ephemeral key pair to generate a shared secret. 43 // Generate an ephemeral key pair to generate a shared secret.
50 uint8 public_key[crypto::curve25519::kBytes]; 44 uint8 public_key[crypto::curve25519::kBytes];
51 uint8 private_key[crypto::curve25519::kScalarBytes]; 45 uint8 private_key[crypto::curve25519::kScalarBytes];
52 uint8 shared_secret[crypto::curve25519::kBytes]; 46 uint8 shared_secret[crypto::curve25519::kBytes];
53 47
54 crypto::RandBytes(private_key, sizeof(private_key)); 48 crypto::RandBytes(private_key, sizeof(private_key));
55 crypto::curve25519::ScalarBaseMult(private_key, public_key); 49 crypto::curve25519::ScalarBaseMult(private_key, public_key);
56 crypto::curve25519::ScalarMult(private_key, server_public_key, shared_secret); 50 crypto::curve25519::ScalarMult(private_key, server_public_key, shared_secret);
57 51
58 crypto::Aead aead(crypto::Aead::AES_128_CTR_HMAC_SHA256); 52 crypto::Aead aead(crypto::Aead::AES_128_CTR_HMAC_SHA256);
59 crypto::HKDF hkdf(std::string((char*)shared_secret, sizeof(shared_secret)), 53 crypto::HKDF hkdf(std::string(reinterpret_cast<char*>(shared_secret),
54 sizeof(shared_secret)),
60 std::string(), 55 std::string(),
61 base::StringPiece(kHkdfLabel, sizeof(kHkdfLabel)), 0, 0, 56 base::StringPiece(kHkdfLabel, sizeof(kHkdfLabel)), 0, 0,
62 aead.KeyLength()); 57 aead.KeyLength());
63 58
64 const std::string key(hkdf.subkey_secret().data(), 59 const std::string key(hkdf.subkey_secret().data(),
65 hkdf.subkey_secret().size()); 60 hkdf.subkey_secret().size());
66 aead.Init(&key); 61 aead.Init(&key);
67 62
68 // Use an all-zero nonce because the key is random per-message. 63 // Use an all-zero nonce because the key is random per-message.
69 std::string nonce(aead.NonceLength(), 0); 64 std::string nonce(aead.NonceLength(), 0);
70 65
71 std::string ciphertext; 66 std::string ciphertext;
72 if (!aead.Seal(report, nonce, "", &ciphertext)) { 67 if (!aead.Seal(report, nonce, std::string(), &ciphertext)) {
73 LOG(ERROR) << "Error sealing certificate report."; 68 LOG(ERROR) << "Error sealing certificate report.";
74 return false; 69 return false;
75 } 70 }
76 71
77 encrypted_report->set_encrypted_report(ciphertext); 72 encrypted_report->set_encrypted_report(ciphertext);
78 encrypted_report->set_server_public_key_version(server_public_key_version); 73 encrypted_report->set_server_public_key_version(server_public_key_version);
79 encrypted_report->set_client_public_key( 74 encrypted_report->set_client_public_key(
80 std::string((char*)public_key, sizeof(public_key))); 75 std::string(reinterpret_cast<char*>(public_key), sizeof(public_key)));
81 encrypted_report->set_algorithm( 76 encrypted_report->set_algorithm(
82 chrome_browser_net::EncryptedCertLoggerRequest:: 77 chrome_browser_net::EncryptedCertLoggerRequest::
83 AEAD_ECDH_AES_128_CTR_HMAC_SHA256); 78 AEAD_ECDH_AES_128_CTR_HMAC_SHA256);
84 return true; 79 return true;
85 } 80 }
86 #endif 81 #endif
87 82
88 void AddCertStatusToReportErrors(
89 net::CertStatus cert_status,
90 CertLoggerRequest* report) {
91 if (cert_status & net::CERT_STATUS_REVOKED)
92 report->add_cert_error(CertLoggerRequest::ERR_CERT_REVOKED);
93 if (cert_status & net::CERT_STATUS_INVALID)
94 report->add_cert_error(CertLoggerRequest::ERR_CERT_INVALID);
95 if (cert_status & net::CERT_STATUS_PINNED_KEY_MISSING)
96 report->add_cert_error(
97 CertLoggerRequest::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN);
98 if (cert_status & net::CERT_STATUS_AUTHORITY_INVALID)
99 report->add_cert_error(CertLoggerRequest::ERR_CERT_AUTHORITY_INVALID);
100 if (cert_status & net::CERT_STATUS_COMMON_NAME_INVALID)
101 report->add_cert_error(CertLoggerRequest::ERR_CERT_COMMON_NAME_INVALID);
102 if (cert_status & net::CERT_STATUS_NON_UNIQUE_NAME)
103 report->add_cert_error(CertLoggerRequest::ERR_CERT_NON_UNIQUE_NAME);
104 if (cert_status & net::CERT_STATUS_NAME_CONSTRAINT_VIOLATION)
105 report->add_cert_error(
106 CertLoggerRequest::ERR_CERT_NAME_CONSTRAINT_VIOLATION);
107 if (cert_status & net::CERT_STATUS_WEAK_SIGNATURE_ALGORITHM)
108 report->add_cert_error(
109 CertLoggerRequest::ERR_CERT_WEAK_SIGNATURE_ALGORITHM);
110 if (cert_status & net::CERT_STATUS_WEAK_KEY)
111 report->add_cert_error(CertLoggerRequest::ERR_CERT_WEAK_KEY);
112 if (cert_status & net::CERT_STATUS_DATE_INVALID)
113 report->add_cert_error(CertLoggerRequest::ERR_CERT_DATE_INVALID);
114 if (cert_status & net::CERT_STATUS_VALIDITY_TOO_LONG)
115 report->add_cert_error(CertLoggerRequest::ERR_CERT_VALIDITY_TOO_LONG);
116 if (cert_status & net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION)
117 report->add_cert_error(
118 CertLoggerRequest::ERR_CERT_UNABLE_TO_CHECK_REVOCATION);
119 if (cert_status & net::CERT_STATUS_NO_REVOCATION_MECHANISM)
120 report->add_cert_error(CertLoggerRequest::ERR_CERT_NO_REVOCATION_MECHANISM);
121 }
122
123 } // namespace 83 } // namespace
124 84
125 namespace chrome_browser_net { 85 namespace chrome_browser_net {
126 86
127 CertificateErrorReporter::CertificateErrorReporter( 87 CertificateErrorReporter::CertificateErrorReporter(
128 net::URLRequestContext* request_context, 88 net::URLRequestContext* request_context,
129 const GURL& upload_url, 89 const GURL& upload_url,
130 CookiesPreference cookies_preference) 90 CookiesPreference cookies_preference)
131 : CertificateErrorReporter(request_context, 91 : CertificateErrorReporter(request_context,
132 upload_url, 92 upload_url,
(...skipping 13 matching lines...) Expand all
146 cookies_preference_(cookies_preference), 106 cookies_preference_(cookies_preference),
147 server_public_key_(server_public_key), 107 server_public_key_(server_public_key),
148 server_public_key_version_(server_public_key_version) { 108 server_public_key_version_(server_public_key_version) {
149 DCHECK(!upload_url.is_empty()); 109 DCHECK(!upload_url.is_empty());
150 } 110 }
151 111
152 CertificateErrorReporter::~CertificateErrorReporter() { 112 CertificateErrorReporter::~CertificateErrorReporter() {
153 STLDeleteElements(&inflight_requests_); 113 STLDeleteElements(&inflight_requests_);
154 } 114 }
155 115
156 void CertificateErrorReporter::SendReport(ReportType type, 116 void CertificateErrorReporter::SendReport(
157 const std::string& hostname, 117 ReportType type,
158 const net::SSLInfo& ssl_info) { 118 const std::string& serialized_report) {
159 CertLoggerRequest request;
160 BuildReport(hostname, ssl_info, &request);
161
162 switch (type) { 119 switch (type) {
163 case REPORT_TYPE_PINNING_VIOLATION: 120 case REPORT_TYPE_PINNING_VIOLATION:
164 SendCertLoggerRequest(request); 121 SendSerializedRequest(serialized_report);
165 break; 122 break;
166 case REPORT_TYPE_EXTENDED_REPORTING: 123 case REPORT_TYPE_EXTENDED_REPORTING:
167 if (upload_url_.SchemeIsCryptographic()) { 124 if (upload_url_.SchemeIsCryptographic()) {
168 SendCertLoggerRequest(request); 125 SendSerializedRequest(serialized_report);
169 } else { 126 } else {
170 DCHECK(IsHttpUploadUrlSupported()); 127 DCHECK(IsHttpUploadUrlSupported());
171 #if defined(USE_OPENSSL) 128 #if defined(USE_OPENSSL)
172 EncryptedCertLoggerRequest encrypted_report; 129 EncryptedCertLoggerRequest encrypted_report;
173 std::string serialized_report;
174 request.SerializeToString(&serialized_report);
175 if (!EncryptSerializedReport(server_public_key_, 130 if (!EncryptSerializedReport(server_public_key_,
176 server_public_key_version_, 131 server_public_key_version_,
177 serialized_report, &encrypted_report)) { 132 serialized_report, &encrypted_report)) {
178 LOG(ERROR) << "Failed to encrypt serialized report."; 133 LOG(ERROR) << "Failed to encrypt serialized report.";
179 return; 134 return;
180 } 135 }
181 std::string serialized_encrypted_report; 136 std::string serialized_encrypted_report;
182 encrypted_report.SerializeToString(&serialized_encrypted_report); 137 encrypted_report.SerializeToString(&serialized_encrypted_report);
183 SendSerializedRequest(serialized_encrypted_report); 138 SendSerializedRequest(serialized_encrypted_report);
184 #endif 139 #endif
(...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after
223 #else 178 #else
224 return false; 179 return false;
225 #endif 180 #endif
226 } 181 }
227 182
228 // Used only by tests. 183 // Used only by tests.
229 #if defined(USE_OPENSSL) 184 #if defined(USE_OPENSSL)
230 bool CertificateErrorReporter::DecryptCertificateErrorReport( 185 bool CertificateErrorReporter::DecryptCertificateErrorReport(
231 const uint8 server_private_key[32], 186 const uint8 server_private_key[32],
232 const EncryptedCertLoggerRequest& encrypted_report, 187 const EncryptedCertLoggerRequest& encrypted_report,
233 CertLoggerRequest* decrypted_report) { 188 std::string* decrypted_serialized_report) {
234 uint8 shared_secret[crypto::curve25519::kBytes]; 189 uint8 shared_secret[crypto::curve25519::kBytes];
235 crypto::curve25519::ScalarMult( 190 crypto::curve25519::ScalarMult(
236 server_private_key, (uint8*)encrypted_report.client_public_key().data(), 191 server_private_key, reinterpret_cast<const uint8*>(
192 encrypted_report.client_public_key().data()),
237 shared_secret); 193 shared_secret);
238 194
239 crypto::Aead aead(crypto::Aead::AES_128_CTR_HMAC_SHA256); 195 crypto::Aead aead(crypto::Aead::AES_128_CTR_HMAC_SHA256);
240 crypto::HKDF hkdf(std::string((char*)shared_secret, sizeof(shared_secret)), 196 crypto::HKDF hkdf(std::string(reinterpret_cast<char*>(shared_secret),
197 sizeof(shared_secret)),
241 std::string(), 198 std::string(),
242 base::StringPiece(kHkdfLabel, sizeof(kHkdfLabel)), 0, 0, 199 base::StringPiece(kHkdfLabel, sizeof(kHkdfLabel)), 0, 0,
243 aead.KeyLength()); 200 aead.KeyLength());
244 201
245 const std::string key(hkdf.subkey_secret().data(), 202 const std::string key(hkdf.subkey_secret().data(),
246 hkdf.subkey_secret().size()); 203 hkdf.subkey_secret().size());
247 aead.Init(&key); 204 aead.Init(&key);
248 205
249 // Use an all-zero nonce because the key is random per-message. 206 // Use an all-zero nonce because the key is random per-message.
250 std::string nonce(aead.NonceLength(), 0); 207 std::string nonce(aead.NonceLength(), 0);
251 208
252 std::string plaintext; 209 return aead.Open(encrypted_report.encrypted_report(), nonce, std::string(),
253 if (!aead.Open(encrypted_report.encrypted_report(), nonce, "", &plaintext)) { 210 decrypted_serialized_report);
254 LOG(ERROR) << "Error opening certificate report";
255 return false;
256 }
257
258 return decrypted_report->ParseFromString(plaintext);
259 } 211 }
260 #endif 212 #endif
261 213
262 void CertificateErrorReporter::SendCertLoggerRequest(
263 const CertLoggerRequest& request) {
264 std::string serialized_request;
265 request.SerializeToString(&serialized_request);
266 SendSerializedRequest(serialized_request);
267 }
268
269 void CertificateErrorReporter::SendSerializedRequest( 214 void CertificateErrorReporter::SendSerializedRequest(
270 const std::string& serialized_request) { 215 const std::string& serialized_request) {
271 scoped_ptr<net::URLRequest> url_request = CreateURLRequest(request_context_); 216 scoped_ptr<net::URLRequest> url_request = CreateURLRequest(request_context_);
272 url_request->set_method("POST"); 217 url_request->set_method("POST");
273 218
274 scoped_ptr<net::UploadElementReader> reader( 219 scoped_ptr<net::UploadElementReader> reader(
275 net::UploadOwnedBytesElementReader::CreateWithString(serialized_request)); 220 net::UploadOwnedBytesElementReader::CreateWithString(serialized_request));
276 url_request->set_upload( 221 url_request->set_upload(
277 net::ElementsUploadDataStream::CreateWithReader(reader.Pass(), 0)); 222 net::ElementsUploadDataStream::CreateWithReader(reader.Pass(), 0));
278 223
279 net::HttpRequestHeaders headers; 224 net::HttpRequestHeaders headers;
280 headers.SetHeader(net::HttpRequestHeaders::kContentType, 225 headers.SetHeader(net::HttpRequestHeaders::kContentType,
281 "x-application/chrome-fraudulent-cert-report"); 226 "x-application/chrome-fraudulent-cert-report");
282 url_request->SetExtraRequestHeaders(headers); 227 url_request->SetExtraRequestHeaders(headers);
283 228
284 net::URLRequest* raw_url_request = url_request.get(); 229 net::URLRequest* raw_url_request = url_request.get();
285 inflight_requests_.insert(url_request.release()); 230 inflight_requests_.insert(url_request.release());
286 raw_url_request->Start(); 231 raw_url_request->Start();
287 } 232 }
288 233
289 void CertificateErrorReporter::BuildReport(const std::string& hostname,
290 const net::SSLInfo& ssl_info,
291 CertLoggerRequest* out_request) {
292 base::Time now = base::Time::Now();
293 out_request->set_time_usec(now.ToInternalValue());
294 out_request->set_hostname(hostname);
295
296 std::vector<std::string> pem_encoded_chain;
297 if (!ssl_info.cert->GetPEMEncodedChain(&pem_encoded_chain))
298 LOG(ERROR) << "Could not get PEM encoded chain.";
299
300 std::string* cert_chain = out_request->mutable_cert_chain();
301 for (size_t i = 0; i < pem_encoded_chain.size(); ++i)
302 *cert_chain += pem_encoded_chain[i];
303
304 out_request->add_pin(ssl_info.pinning_failure_log);
305
306 AddCertStatusToReportErrors(ssl_info.cert_status, out_request);
307 }
308
309 void CertificateErrorReporter::RequestComplete(net::URLRequest* request) { 234 void CertificateErrorReporter::RequestComplete(net::URLRequest* request) {
310 std::set<net::URLRequest*>::iterator i = inflight_requests_.find(request); 235 std::set<net::URLRequest*>::iterator i = inflight_requests_.find(request);
311 DCHECK(i != inflight_requests_.end()); 236 DCHECK(i != inflight_requests_.end());
312 scoped_ptr<net::URLRequest> url_request(*i); 237 scoped_ptr<net::URLRequest> url_request(*i);
313 inflight_requests_.erase(i); 238 inflight_requests_.erase(i);
314 } 239 }
315 240
316 } // namespace chrome_browser_net 241 } // namespace chrome_browser_net
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698