OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 5 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
6 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 6 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
7 | 7 |
8 #include <map> | 8 #include <map> |
9 #include <string> | 9 #include <string> |
10 #include <utility> | 10 #include <utility> |
(...skipping 95 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
106 // NOT intersect with the set of SPKIs in the TLS server's certificate | 106 // NOT intersect with the set of SPKIs in the TLS server's certificate |
107 // chain. | 107 // chain. |
108 HashValueVector bad_spki_hashes; | 108 HashValueVector bad_spki_hashes; |
109 | 109 |
110 // Are subdomains subject to this policy state? | 110 // Are subdomains subject to this policy state? |
111 bool include_subdomains; | 111 bool include_subdomains; |
112 | 112 |
113 // The domain which matched during a search for this DomainState entry. | 113 // The domain which matched during a search for this DomainState entry. |
114 // Updated by |GetDynamicDomainState| and |GetStaticDomainState|. | 114 // Updated by |GetDynamicDomainState| and |GetStaticDomainState|. |
115 std::string domain; | 115 std::string domain; |
| 116 |
| 117 // Optional; a uri-reference indicating where reports should be |
| 118 // sent when this pin is violated. |
| 119 std::string report_uri; |
116 }; | 120 }; |
117 | 121 |
118 // Takes a set of SubjectPublicKeyInfo |hashes| and returns true if: | 122 // Takes a set of SubjectPublicKeyInfo |hashes| and returns true if: |
119 // 1) |bad_static_spki_hashes| does not intersect |hashes|; AND | 123 // 1) |bad_static_spki_hashes| does not intersect |hashes|; AND |
120 // 2) Both |static_spki_hashes| and |dynamic_spki_hashes| are empty | 124 // 2) Both |static_spki_hashes| and |dynamic_spki_hashes| are empty |
121 // or at least one of them intersects |hashes|. | 125 // or at least one of them intersects |hashes|. |
122 // | 126 // |
123 // |{dynamic,static}_spki_hashes| contain trustworthy public key hashes, | 127 // |{dynamic,static}_spki_hashes| contain trustworthy public key hashes, |
124 // any one of which is sufficient to validate the certificate chain in | 128 // any one of which is sufficient to validate the certificate chain in |
125 // question. The public keys could be of a root CA, intermediate CA, or | 129 // question. The public keys could be of a root CA, intermediate CA, or |
(...skipping 121 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
247 // HSTS header (used for net-internals and unit tests). | 251 // HSTS header (used for net-internals and unit tests). |
248 void AddHSTS(const std::string& host, | 252 void AddHSTS(const std::string& host, |
249 const base::Time& expiry, | 253 const base::Time& expiry, |
250 bool include_subdomains); | 254 bool include_subdomains); |
251 | 255 |
252 // Adds explicitly-specified data as if it was processed from an | 256 // Adds explicitly-specified data as if it was processed from an |
253 // HPKP header (used for net-internals and unit tests). | 257 // HPKP header (used for net-internals and unit tests). |
254 void AddHPKP(const std::string& host, | 258 void AddHPKP(const std::string& host, |
255 const base::Time& expiry, | 259 const base::Time& expiry, |
256 bool include_subdomains, | 260 bool include_subdomains, |
257 const HashValueVector& hashes); | 261 const HashValueVector& hashes, |
| 262 const std::string& report_uri); |
258 | 263 |
259 // Returns true iff we have any static public key pins for the |host| and | 264 // Returns true iff we have any static public key pins for the |host| and |
260 // iff its set of required pins is the set we expect for Google | 265 // iff its set of required pins is the set we expect for Google |
261 // properties. | 266 // properties. |
262 // | 267 // |
263 // If |host| matches both an exact entry and is a subdomain of another | 268 // If |host| matches both an exact entry and is a subdomain of another |
264 // entry, the exact match determines the return value. | 269 // entry, the exact match determines the return value. |
265 static bool IsGooglePinnedProperty(const std::string& host); | 270 static bool IsGooglePinnedProperty(const std::string& host); |
266 | 271 |
267 // The maximum number of seconds for which we'll cache an HSTS request. | 272 // The maximum number of seconds for which we'll cache an HSTS request. |
(...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
303 void AddHSTSInternal(const std::string& host, | 308 void AddHSTSInternal(const std::string& host, |
304 DomainState::UpgradeMode upgrade_mode, | 309 DomainState::UpgradeMode upgrade_mode, |
305 const base::Time& expiry, | 310 const base::Time& expiry, |
306 bool include_subdomains); | 311 bool include_subdomains); |
307 | 312 |
308 // Adds HPKP state to |host|. | 313 // Adds HPKP state to |host|. |
309 void AddHPKPInternal(const std::string& host, | 314 void AddHPKPInternal(const std::string& host, |
310 const base::Time& last_observed, | 315 const base::Time& last_observed, |
311 const base::Time& expiry, | 316 const base::Time& expiry, |
312 bool include_subdomains, | 317 bool include_subdomains, |
313 const HashValueVector& hashes); | 318 const HashValueVector& hashes, |
| 319 const std::string& report_uri); |
314 | 320 |
315 // Enable TransportSecurity for |host|. |state| supercedes any previous | 321 // Enable TransportSecurity for |host|. |state| supercedes any previous |
316 // state for the |host|, including static entries. | 322 // state for the |host|, including static entries. |
317 // | 323 // |
318 // The new state for |host| is persisted using the Delegate (if any). | 324 // The new state for |host| is persisted using the Delegate (if any). |
319 void EnableHost(const std::string& host, const DomainState& state); | 325 void EnableHost(const std::string& host, const DomainState& state); |
320 | 326 |
321 // The set of hosts that have enabled TransportSecurity. |sts.domain| and | 327 // The set of hosts that have enabled TransportSecurity. |sts.domain| and |
322 // |pkp.domain| will always be empty for a DomainState in this map; the domain | 328 // |pkp.domain| will always be empty for a DomainState in this map; the domain |
323 // comes from the map key instead. | 329 // comes from the map key instead. |
324 DomainStateMap enabled_hosts_; | 330 DomainStateMap enabled_hosts_; |
325 | 331 |
326 Delegate* delegate_; | 332 Delegate* delegate_; |
327 | 333 |
328 // True if static pins should be used. | 334 // True if static pins should be used. |
329 bool enable_static_pins_; | 335 bool enable_static_pins_; |
330 | 336 |
331 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); | 337 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); |
332 }; | 338 }; |
333 | 339 |
334 } // namespace net | 340 } // namespace net |
335 | 341 |
336 #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 342 #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
OLD | NEW |