1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/browser/net/certificate_error_reporter.h" | 5 #include "chrome/browser/net/certificate_error_reporter.h" |
6 | 6 |
7 #include <set> | 7 #include <set> |
8 | 8 |
9 #include "base/logging.h" | 9 #include "base/logging.h" |
10 #include "base/stl_util.h" | 10 #include "chrome/browser/net/encrypted_cert_logger.pb.h" |
11 #include "base/time/time.h" | |
12 #include "chrome/browser/net/cert_logger.pb.h" | |
13 | 11 |
14 #if defined(USE_OPENSSL) | 12 #if defined(USE_OPENSSL) |
15 #include "crypto/aead_openssl.h" | 13 #include "crypto/aead_openssl.h" |
16 #endif | 14 #endif |
17 | 15 |
18 #include "crypto/curve25519.h" | 16 #include "crypto/curve25519.h" |
19 #include "crypto/hkdf.h" | 17 #include "crypto/hkdf.h" |
20 #include "crypto/random.h" | 18 #include "crypto/random.h" |
21 #include "net/base/elements_upload_data_stream.h" | 19 #include "net/base/elements_upload_data_stream.h" |
22 #include "net/base/load_flags.h" | 20 #include "net/base/load_flags.h" |
23 #include "net/base/request_priority.h" | 21 #include "net/base/request_priority.h" |
24 #include "net/base/upload_bytes_element_reader.h" | 22 #include "net/base/upload_bytes_element_reader.h" |
25 #include "net/cert/x509_certificate.h" | |
26 #include "net/ssl/ssl_info.h" | |
27 #include "net/url_request/url_request_context.h" | 23 #include "net/url_request/url_request_context.h" |
28 | 24 |
29 namespace { | 25 namespace { |
30 | 26 |
31 // Constants used for crypto | 27 // Constants used for crypto |
32 static const uint8 kServerPublicKey[] = { | 28 static const uint8 kServerPublicKey[] = { |
33 0x51, 0xcc, 0x52, 0x67, 0x42, 0x47, 0x3b, 0x10, 0xe8, 0x63, 0x18, | 29 0x51, 0xcc, 0x52, 0x67, 0x42, 0x47, 0x3b, 0x10, 0xe8, 0x63, 0x18, |
34 0x3c, 0x61, 0xa7, 0x96, 0x76, 0x86, 0x91, 0x40, 0x71, 0x39, 0x5f, | 30 0x3c, 0x61, 0xa7, 0x96, 0x76, 0x86, 0x91, 0x40, 0x71, 0x39, 0x5f, |
35 0x31, 0x1a, 0x39, 0x5b, 0x76, 0xb1, 0x6b, 0x3d, 0x6a, 0x2b}; | 31 0x31, 0x1a, 0x39, 0x5b, 0x76, 0xb1, 0x6b, 0x3d, 0x6a, 0x2b}; |
36 static const uint32 kServerPublicKeyVersion = 1; | 32 static const uint32 kServerPublicKeyVersion = 1; |
107 cookies_preference_(cookies_preference), | 103 cookies_preference_(cookies_preference), |
108 server_public_key_(server_public_key), | 104 server_public_key_(server_public_key), |
109 server_public_key_version_(server_public_key_version) { | 105 server_public_key_version_(server_public_key_version) { |
110 DCHECK(!upload_url.is_empty()); | 106 DCHECK(!upload_url.is_empty()); |
111 } | 107 } |
112 | 108 |
113 CertificateErrorReporter::~CertificateErrorReporter() { | 109 CertificateErrorReporter::~CertificateErrorReporter() { |
114 STLDeleteElements(&inflight_requests_); | 110 STLDeleteElements(&inflight_requests_); |
115 } | 111 } |
116 | 112 |
117 void CertificateErrorReporter::SendReport(ReportType type, | 113 void CertificateErrorReporter::SendReport( |
118 const std::string& hostname, | 114 ReportType type, |
119 const net::SSLInfo& ssl_info) { | 115 const std::string& serialized_report) { |
120 CertLoggerRequest request; | |
121 BuildReport(hostname, ssl_info, &request); | |
122 | |
123 switch (type) { | 116 switch (type) { |
124 case REPORT_TYPE_PINNING_VIOLATION: | 117 case REPORT_TYPE_PINNING_VIOLATION: |
125 SendCertLoggerRequest(request); | 118 SendSerializedRequest(serialized_report); |
126 break; | 119 break; |
127 case REPORT_TYPE_EXTENDED_REPORTING: | 120 case REPORT_TYPE_EXTENDED_REPORTING: |
128 if (upload_url_.SchemeIsCryptographic()) { | 121 if (upload_url_.SchemeIsCryptographic()) { |
eroman
2015/05/12 00:27:51
Is this uploading reports to Google? under what ci
estark
2015/05/12 20:42:15
Eventually, all uploads will be over HTTP, not HTT
| |
129 SendCertLoggerRequest(request); | 122 SendSerializedRequest(serialized_report); |
130 } else { | 123 } else { |
131 DCHECK(IsHttpUploadUrlSupported()); | 124 DCHECK(IsHttpUploadUrlSupported()); |
132 #if defined(USE_OPENSSL) | 125 #if defined(USE_OPENSSL) |
133 EncryptedCertLoggerRequest encrypted_report; | 126 EncryptedCertLoggerRequest encrypted_report; |
134 std::string serialized_report; | |
135 request.SerializeToString(&serialized_report); | |
136 if (!EncryptSerializedReport(server_public_key_, | 127 if (!EncryptSerializedReport(server_public_key_, |
137 server_public_key_version_, | 128 server_public_key_version_, |
138 serialized_report, &encrypted_report)) { | 129 serialized_report, &encrypted_report)) { |
139 LOG(ERROR) << "Failed to encrypt serialized report."; | 130 LOG(ERROR) << "Failed to encrypt serialized report."; |
140 return; | 131 return; |
141 } | 132 } |
142 std::string serialized_encrypted_report; | 133 std::string serialized_encrypted_report; |
143 encrypted_report.SerializeToString(&serialized_encrypted_report); | 134 encrypted_report.SerializeToString(&serialized_encrypted_report); |
144 SendSerializedRequest(serialized_encrypted_report); | 135 SendSerializedRequest(serialized_encrypted_report); |
145 #endif | 136 #endif |
184 #else | 175 #else |
185 return false; | 176 return false; |
186 #endif | 177 #endif |
187 } | 178 } |
188 | 179 |
189 // Used only by tests. | 180 // Used only by tests. |
190 #if defined(USE_OPENSSL) | 181 #if defined(USE_OPENSSL) |
191 bool CertificateErrorReporter::DecryptCertificateErrorReport( | 182 bool CertificateErrorReporter::DecryptCertificateErrorReport( |
192 const uint8 server_private_key[32], | 183 const uint8 server_private_key[32], |
193 const EncryptedCertLoggerRequest& encrypted_report, | 184 const EncryptedCertLoggerRequest& encrypted_report, |
194 CertLoggerRequest* decrypted_report) { | 185 std::string* decrypted_serialized_report) { |
195 uint8 shared_secret[crypto::curve25519::kBytes]; | 186 uint8 shared_secret[crypto::curve25519::kBytes]; |
196 crypto::curve25519::ScalarMult( | 187 crypto::curve25519::ScalarMult( |
197 server_private_key, (uint8*)encrypted_report.client_public_key().data(), | 188 server_private_key, (uint8*)encrypted_report.client_public_key().data(), |
198 shared_secret); | 189 shared_secret); |
199 | 190 |
200 crypto::Aead aead(crypto::Aead::AES_128_CTR_HMAC_SHA256); | 191 crypto::Aead aead(crypto::Aead::AES_128_CTR_HMAC_SHA256); |
201 crypto::HKDF hkdf(std::string((char*)shared_secret, sizeof(shared_secret)), | 192 crypto::HKDF hkdf(std::string((char*)shared_secret, sizeof(shared_secret)), |
202 kHkdfLabel, std::string(), 0, 0, aead.KeyLength()); | 193 kHkdfLabel, std::string(), 0, 0, aead.KeyLength()); |
203 | 194 |
204 const std::string key(hkdf.subkey_secret().data(), | 195 const std::string key(hkdf.subkey_secret().data(), |
205 hkdf.subkey_secret().size()); | 196 hkdf.subkey_secret().size()); |
206 aead.Init(&key); | 197 aead.Init(&key); |
207 | 198 |
208 // Use an all-zero nonce because the key is random per-message. | 199 // Use an all-zero nonce because the key is random per-message. |
209 std::string nonce(aead.NonceLength(), 0); | 200 std::string nonce(aead.NonceLength(), 0); |
210 | 201 |
211 std::string plaintext; | 202 return aead.Open(encrypted_report.encrypted_report(), nonce, "", |
212 if (!aead.Open(encrypted_report.encrypted_report(), nonce, "", &plaintext)) { | 203 decrypted_serialized_report); |
213 LOG(ERROR) << "Error opening certificate report"; | |
214 return false; | |
215 } | |
216 | |
217 return decrypted_report->ParseFromString(plaintext); | |
218 } | 204 } |
219 #endif | 205 #endif |
220 | 206 |
221 void CertificateErrorReporter::SendCertLoggerRequest( | |
222 const CertLoggerRequest& request) { | |
223 std::string serialized_request; | |
224 request.SerializeToString(&serialized_request); | |
225 SendSerializedRequest(serialized_request); | |
226 } | |
227 | |
228 void CertificateErrorReporter::SendSerializedRequest( | 207 void CertificateErrorReporter::SendSerializedRequest( |
229 const std::string& serialized_request) { | 208 const std::string& serialized_request) { |
230 scoped_ptr<net::URLRequest> url_request = CreateURLRequest(request_context_); | 209 scoped_ptr<net::URLRequest> url_request = CreateURLRequest(request_context_); |
231 url_request->set_method("POST"); | 210 url_request->set_method("POST"); |
232 | 211 |
233 scoped_ptr<net::UploadElementReader> reader( | 212 scoped_ptr<net::UploadElementReader> reader( |
234 net::UploadOwnedBytesElementReader::CreateWithString(serialized_request)); | 213 net::UploadOwnedBytesElementReader::CreateWithString(serialized_request)); |
235 url_request->set_upload( | 214 url_request->set_upload( |
236 net::ElementsUploadDataStream::CreateWithReader(reader.Pass(), 0)); | 215 net::ElementsUploadDataStream::CreateWithReader(reader.Pass(), 0)); |
237 | 216 |
238 net::HttpRequestHeaders headers; | 217 net::HttpRequestHeaders headers; |
239 headers.SetHeader(net::HttpRequestHeaders::kContentType, | 218 headers.SetHeader(net::HttpRequestHeaders::kContentType, |
240 "x-application/chrome-fraudulent-cert-report"); | 219 "x-application/chrome-fraudulent-cert-report"); |
241 url_request->SetExtraRequestHeaders(headers); | 220 url_request->SetExtraRequestHeaders(headers); |
242 | 221 |
243 net::URLRequest* raw_url_request = url_request.get(); | 222 net::URLRequest* raw_url_request = url_request.get(); |
244 inflight_requests_.insert(url_request.release()); | 223 inflight_requests_.insert(url_request.release()); |
245 raw_url_request->Start(); | 224 raw_url_request->Start(); |
246 } | 225 } |
247 | 226 |
248 void CertificateErrorReporter::BuildReport(const std::string& hostname, | |
249 const net::SSLInfo& ssl_info, | |
250 CertLoggerRequest* out_request) { | |
251 base::Time now = base::Time::Now(); | |
252 out_request->set_time_usec(now.ToInternalValue()); | |
253 out_request->set_hostname(hostname); | |
254 | |
255 std::vector<std::string> pem_encoded_chain; | |
256 if (!ssl_info.cert->GetPEMEncodedChain(&pem_encoded_chain)) | |
257 LOG(ERROR) << "Could not get PEM encoded chain."; | |
258 | |
259 std::string* cert_chain = out_request->mutable_cert_chain(); | |
260 for (size_t i = 0; i < pem_encoded_chain.size(); ++i) | |
261 *cert_chain += pem_encoded_chain[i]; | |
262 | |
263 out_request->add_pin(ssl_info.pinning_failure_log); | |
264 } | |
265 | |
266 void CertificateErrorReporter::RequestComplete(net::URLRequest* request) { | 227 void CertificateErrorReporter::RequestComplete(net::URLRequest* request) { |
267 std::set<net::URLRequest*>::iterator i = inflight_requests_.find(request); | 228 std::set<net::URLRequest*>::iterator i = inflight_requests_.find(request); |
268 DCHECK(i != inflight_requests_.end()); | 229 DCHECK(i != inflight_requests_.end()); |
269 scoped_ptr<net::URLRequest> url_request(*i); | 230 scoped_ptr<net::URLRequest> url_request(*i); |
270 inflight_requests_.erase(i); | 231 inflight_requests_.erase(i); |
271 } | 232 } |
272 | 233 |
273 } // namespace chrome_browser_net | 234 } // namespace chrome_browser_net |
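Review bot: DecryptCertificateErrorReport (new lines 187-189) passes `encrypted_report.client_public_key().data()` straight into `crypto::curve25519::ScalarMult`, which expects a `crypto::curve25519::kBytes`-long public key, so a report whose `client_public_key` field is shorter than that reads past the end of the string before any authentication of the ciphertext happens; add `if (encrypted_report.client_public_key().size() != crypto::curve25519::kBytes) return false;` ahead of the ScalarMult call. The helper is marked test-only, but it is also the reference decryptor for this wire format, so the length check is worth stating there for whoever implements the server side. While in that function, the C-style `(uint8*)` and `(char*)` casts on lines 188 and 192 would read better as `reinterpret_cast`, matching the rest of the Chromium crypto code. Separately, in SendReport the REPORT_TYPE_EXTENDED_REPORTING branch has no `#else` for the `#if defined(USE_OPENSSL)` block (lines 125-136), so on a non-HTTPS upload URL in a non-OpenSSL release build the report is silently dropped once `DCHECK(IsHttpUploadUrlSupported())` compiles out; a `LOG(ERROR)` in an `#else` arm would make that visible.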