Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(207)

Side by Side Diff: chrome/browser/net/certificate_error_reporter.cc

Issue 1117173004: Split cert reporter class into report building/serializing and sending (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: BUILD.gn fix Created 5 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
OLDNEW
1 // Copyright 2015 The Chromium Authors. All rights reserved. 1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "chrome/browser/net/certificate_error_reporter.h" 5 #include "chrome/browser/net/certificate_error_reporter.h"
6 6
7 #include <set> 7 #include <set>
8 8
9 #include "base/logging.h" 9 #include "base/logging.h"
10 #include "base/stl_util.h" 10 #include "chrome/browser/net/encrypted_cert_logger.pb.h"
11 #include "base/time/time.h"
12 #include "chrome/browser/net/cert_logger.pb.h"
13 11
14 #if defined(USE_OPENSSL) 12 #if defined(USE_OPENSSL)
15 #include "crypto/aead_openssl.h" 13 #include "crypto/aead_openssl.h"
16 #endif 14 #endif
17 15
18 #include "crypto/curve25519.h" 16 #include "crypto/curve25519.h"
19 #include "crypto/hkdf.h" 17 #include "crypto/hkdf.h"
20 #include "crypto/random.h" 18 #include "crypto/random.h"
21 #include "net/base/elements_upload_data_stream.h" 19 #include "net/base/elements_upload_data_stream.h"
22 #include "net/base/load_flags.h" 20 #include "net/base/load_flags.h"
23 #include "net/base/request_priority.h" 21 #include "net/base/request_priority.h"
24 #include "net/base/upload_bytes_element_reader.h" 22 #include "net/base/upload_bytes_element_reader.h"
25 #include "net/cert/x509_certificate.h"
26 #include "net/ssl/ssl_info.h"
27 #include "net/url_request/url_request_context.h" 23 #include "net/url_request/url_request_context.h"
28 24
29 namespace { 25 namespace {
30 26
31 // Constants used for crypto 27 // Constants used for crypto
32 static const uint8 kServerPublicKey[] = { 28 static const uint8 kServerPublicKey[] = {
33 0x51, 0xcc, 0x52, 0x67, 0x42, 0x47, 0x3b, 0x10, 0xe8, 0x63, 0x18, 29 0x51, 0xcc, 0x52, 0x67, 0x42, 0x47, 0x3b, 0x10, 0xe8, 0x63, 0x18,
34 0x3c, 0x61, 0xa7, 0x96, 0x76, 0x86, 0x91, 0x40, 0x71, 0x39, 0x5f, 30 0x3c, 0x61, 0xa7, 0x96, 0x76, 0x86, 0x91, 0x40, 0x71, 0x39, 0x5f,
35 0x31, 0x1a, 0x39, 0x5b, 0x76, 0xb1, 0x6b, 0x3d, 0x6a, 0x2b}; 31 0x31, 0x1a, 0x39, 0x5b, 0x76, 0xb1, 0x6b, 0x3d, 0x6a, 0x2b};
36 static const uint32 kServerPublicKeyVersion = 1; 32 static const uint32 kServerPublicKeyVersion = 1;
(...skipping 70 matching lines...) Expand 10 before | Expand all | Expand 10 after
107 cookies_preference_(cookies_preference), 103 cookies_preference_(cookies_preference),
108 server_public_key_(server_public_key), 104 server_public_key_(server_public_key),
109 server_public_key_version_(server_public_key_version) { 105 server_public_key_version_(server_public_key_version) {
110 DCHECK(!upload_url.is_empty()); 106 DCHECK(!upload_url.is_empty());
111 } 107 }
112 108
113 CertificateErrorReporter::~CertificateErrorReporter() { 109 CertificateErrorReporter::~CertificateErrorReporter() {
114 STLDeleteElements(&inflight_requests_); 110 STLDeleteElements(&inflight_requests_);
115 } 111 }
116 112
117 void CertificateErrorReporter::SendReport(ReportType type, 113 void CertificateErrorReporter::SendReport(
118 const std::string& hostname, 114 ReportType type,
119 const net::SSLInfo& ssl_info) { 115 const std::string& serialized_report) {
120 CertLoggerRequest request;
121 BuildReport(hostname, ssl_info, &request);
122
123 switch (type) { 116 switch (type) {
124 case REPORT_TYPE_PINNING_VIOLATION: 117 case REPORT_TYPE_PINNING_VIOLATION:
125 SendCertLoggerRequest(request); 118 SendSerializedRequest(serialized_report);
126 break; 119 break;
127 case REPORT_TYPE_EXTENDED_REPORTING: 120 case REPORT_TYPE_EXTENDED_REPORTING:
128 if (upload_url_.SchemeIsCryptographic()) { 121 if (upload_url_.SchemeIsCryptographic()) {
eroman 2015/05/12 00:27:51 Is this uploading reports to Google? under what ci
estark 2015/05/12 20:42:15 Eventually, all uploads will be over HTTP, not HTT
129 SendCertLoggerRequest(request); 122 SendSerializedRequest(serialized_report);
130 } else { 123 } else {
131 DCHECK(IsHttpUploadUrlSupported()); 124 DCHECK(IsHttpUploadUrlSupported());
132 #if defined(USE_OPENSSL) 125 #if defined(USE_OPENSSL)
133 EncryptedCertLoggerRequest encrypted_report; 126 EncryptedCertLoggerRequest encrypted_report;
134 std::string serialized_report;
135 request.SerializeToString(&serialized_report);
136 if (!EncryptSerializedReport(server_public_key_, 127 if (!EncryptSerializedReport(server_public_key_,
137 server_public_key_version_, 128 server_public_key_version_,
138 serialized_report, &encrypted_report)) { 129 serialized_report, &encrypted_report)) {
139 LOG(ERROR) << "Failed to encrypt serialized report."; 130 LOG(ERROR) << "Failed to encrypt serialized report.";
140 return; 131 return;
141 } 132 }
142 std::string serialized_encrypted_report; 133 std::string serialized_encrypted_report;
143 encrypted_report.SerializeToString(&serialized_encrypted_report); 134 encrypted_report.SerializeToString(&serialized_encrypted_report);
144 SendSerializedRequest(serialized_encrypted_report); 135 SendSerializedRequest(serialized_encrypted_report);
145 #endif 136 #endif
(...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after
184 #else 175 #else
185 return false; 176 return false;
186 #endif 177 #endif
187 } 178 }
188 179
189 // Used only by tests. 180 // Used only by tests.
190 #if defined(USE_OPENSSL) 181 #if defined(USE_OPENSSL)
191 bool CertificateErrorReporter::DecryptCertificateErrorReport( 182 bool CertificateErrorReporter::DecryptCertificateErrorReport(
192 const uint8 server_private_key[32], 183 const uint8 server_private_key[32],
193 const EncryptedCertLoggerRequest& encrypted_report, 184 const EncryptedCertLoggerRequest& encrypted_report,
194 CertLoggerRequest* decrypted_report) { 185 std::string* decrypted_serialized_report) {
195 uint8 shared_secret[crypto::curve25519::kBytes]; 186 uint8 shared_secret[crypto::curve25519::kBytes];
196 crypto::curve25519::ScalarMult( 187 crypto::curve25519::ScalarMult(
197 server_private_key, (uint8*)encrypted_report.client_public_key().data(), 188 server_private_key, (uint8*)encrypted_report.client_public_key().data(),
198 shared_secret); 189 shared_secret);
199 190
200 crypto::Aead aead(crypto::Aead::AES_128_CTR_HMAC_SHA256); 191 crypto::Aead aead(crypto::Aead::AES_128_CTR_HMAC_SHA256);
201 crypto::HKDF hkdf(std::string((char*)shared_secret, sizeof(shared_secret)), 192 crypto::HKDF hkdf(std::string((char*)shared_secret, sizeof(shared_secret)),
202 kHkdfLabel, std::string(), 0, 0, aead.KeyLength()); 193 kHkdfLabel, std::string(), 0, 0, aead.KeyLength());
203 194
204 const std::string key(hkdf.subkey_secret().data(), 195 const std::string key(hkdf.subkey_secret().data(),
205 hkdf.subkey_secret().size()); 196 hkdf.subkey_secret().size());
206 aead.Init(&key); 197 aead.Init(&key);
207 198
208 // Use an all-zero nonce because the key is random per-message. 199 // Use an all-zero nonce because the key is random per-message.
209 std::string nonce(aead.NonceLength(), 0); 200 std::string nonce(aead.NonceLength(), 0);
210 201
211 std::string plaintext; 202 return aead.Open(encrypted_report.encrypted_report(), nonce, "",
212 if (!aead.Open(encrypted_report.encrypted_report(), nonce, "", &plaintext)) { 203 decrypted_serialized_report);
213 LOG(ERROR) << "Error opening certificate report";
214 return false;
215 }
216
217 return decrypted_report->ParseFromString(plaintext);
218 } 204 }
219 #endif 205 #endif
220 206
221 void CertificateErrorReporter::SendCertLoggerRequest(
222 const CertLoggerRequest& request) {
223 std::string serialized_request;
224 request.SerializeToString(&serialized_request);
225 SendSerializedRequest(serialized_request);
226 }
227
228 void CertificateErrorReporter::SendSerializedRequest( 207 void CertificateErrorReporter::SendSerializedRequest(
229 const std::string& serialized_request) { 208 const std::string& serialized_request) {
230 scoped_ptr<net::URLRequest> url_request = CreateURLRequest(request_context_); 209 scoped_ptr<net::URLRequest> url_request = CreateURLRequest(request_context_);
231 url_request->set_method("POST"); 210 url_request->set_method("POST");
232 211
233 scoped_ptr<net::UploadElementReader> reader( 212 scoped_ptr<net::UploadElementReader> reader(
234 net::UploadOwnedBytesElementReader::CreateWithString(serialized_request)); 213 net::UploadOwnedBytesElementReader::CreateWithString(serialized_request));
235 url_request->set_upload( 214 url_request->set_upload(
236 net::ElementsUploadDataStream::CreateWithReader(reader.Pass(), 0)); 215 net::ElementsUploadDataStream::CreateWithReader(reader.Pass(), 0));
237 216
238 net::HttpRequestHeaders headers; 217 net::HttpRequestHeaders headers;
239 headers.SetHeader(net::HttpRequestHeaders::kContentType, 218 headers.SetHeader(net::HttpRequestHeaders::kContentType,
240 "x-application/chrome-fraudulent-cert-report"); 219 "x-application/chrome-fraudulent-cert-report");
241 url_request->SetExtraRequestHeaders(headers); 220 url_request->SetExtraRequestHeaders(headers);
242 221
243 net::URLRequest* raw_url_request = url_request.get(); 222 net::URLRequest* raw_url_request = url_request.get();
244 inflight_requests_.insert(url_request.release()); 223 inflight_requests_.insert(url_request.release());
245 raw_url_request->Start(); 224 raw_url_request->Start();
246 } 225 }
247 226
248 void CertificateErrorReporter::BuildReport(const std::string& hostname,
249 const net::SSLInfo& ssl_info,
250 CertLoggerRequest* out_request) {
251 base::Time now = base::Time::Now();
252 out_request->set_time_usec(now.ToInternalValue());
253 out_request->set_hostname(hostname);
254
255 std::vector<std::string> pem_encoded_chain;
256 if (!ssl_info.cert->GetPEMEncodedChain(&pem_encoded_chain))
257 LOG(ERROR) << "Could not get PEM encoded chain.";
258
259 std::string* cert_chain = out_request->mutable_cert_chain();
260 for (size_t i = 0; i < pem_encoded_chain.size(); ++i)
261 *cert_chain += pem_encoded_chain[i];
262
263 out_request->add_pin(ssl_info.pinning_failure_log);
264 }
265
266 void CertificateErrorReporter::RequestComplete(net::URLRequest* request) { 227 void CertificateErrorReporter::RequestComplete(net::URLRequest* request) {
267 std::set<net::URLRequest*>::iterator i = inflight_requests_.find(request); 228 std::set<net::URLRequest*>::iterator i = inflight_requests_.find(request);
268 DCHECK(i != inflight_requests_.end()); 229 DCHECK(i != inflight_requests_.end());
269 scoped_ptr<net::URLRequest> url_request(*i); 230 scoped_ptr<net::URLRequest> url_request(*i);
270 inflight_requests_.erase(i); 231 inflight_requests_.erase(i);
271 } 232 }
272 233
273 } // namespace chrome_browser_net 234 } // namespace chrome_browser_net
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698