| Index: net/http/transport_security_state.cc
|
| diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc
|
| index c24fc1f500716fa1356c107b13814342e713db19..7921a1324323d7a115ce8c91ed6feec125c04aef 100644
|
| --- a/net/http/transport_security_state.cc
|
| +++ b/net/http/transport_security_state.cc
|
| @@ -519,6 +519,10 @@ bool TransportSecurityState::CheckPublicKeyPins(
|
| const std::string& host,
|
| bool is_issued_by_known_root,
|
| const HashValueVector& public_key_hashes,
|
| + uint16_t port,
|
| + const scoped_refptr<X509Certificate>& served_certificate_chain,
|
| + const scoped_refptr<X509Certificate>& validated_certificate_chain,
|
| + const PublicKeyPinReportStatus report_status,
|
| std::string* pinning_failure_log) {
|
| // Perform pin validation if, and only if, all these conditions obtain:
|
| //
|
| @@ -529,8 +533,9 @@ bool TransportSecurityState::CheckPublicKeyPins(
|
| return true;
|
| }
|
|
|
| - bool pins_are_valid =
|
| - CheckPublicKeyPinsImpl(host, public_key_hashes, pinning_failure_log);
|
| + bool pins_are_valid = CheckPublicKeyPinsImpl(
|
| + host, public_key_hashes, port, served_certificate_chain,
|
| + validated_certificate_chain, report_status, pinning_failure_log);
|
| if (!pins_are_valid) {
|
| LOG(ERROR) << *pinning_failure_log;
|
| ReportUMAOnPinFailure(host);
|
| @@ -560,6 +565,12 @@ void TransportSecurityState::SetDelegate(
|
| delegate_ = delegate;
|
| }
|
|
|
| +void TransportSecurityState::SetReporter(
|
| + TransportSecurityState::Reporter* reporter) {
|
| + DCHECK(CalledOnValidThread());
|
| + reporter_ = reporter;
|
| +}
|
| +
|
| void TransportSecurityState::AddHSTSInternal(
|
| const std::string& host,
|
| TransportSecurityState::DomainState::UpgradeMode upgrade_mode,
|
| @@ -586,7 +597,8 @@ void TransportSecurityState::AddHPKPInternal(const std::string& host,
|
| const base::Time& last_observed,
|
| const base::Time& expiry,
|
| bool include_subdomains,
|
| - const HashValueVector& hashes) {
|
| + const HashValueVector& hashes,
|
| + const std::string& report_uri) {
|
| DCHECK(CalledOnValidThread());
|
|
|
| // Copy-and-modify the existing DomainState for this host (if any).
|
| @@ -601,6 +613,7 @@ void TransportSecurityState::AddHPKPInternal(const std::string& host,
|
| domain_state.pkp.expiry = expiry;
|
| domain_state.pkp.include_subdomains = include_subdomains;
|
| domain_state.pkp.spki_hashes = hashes;
|
| + domain_state.pkp.report_uri = report_uri;
|
| EnableHost(host, domain_state);
|
| }
|
|
|
| @@ -718,14 +731,17 @@ bool TransportSecurityState::AddHPKPHeader(const std::string& host,
|
| base::TimeDelta max_age;
|
| bool include_subdomains;
|
| HashValueVector spki_hashes;
|
| + std::string report_uri;
|
| +
|
| if (!ParseHPKPHeader(value, ssl_info.public_key_hashes, &max_age,
|
| - &include_subdomains, &spki_hashes)) {
|
| + &include_subdomains, &spki_hashes, &report_uri)) {
|
| return false;
|
| }
|
| // Handle max-age == 0.
|
| if (max_age.InSeconds() == 0)
|
| spki_hashes.clear();
|
| - AddHPKPInternal(host, now, now + max_age, include_subdomains, spki_hashes);
|
| + AddHPKPInternal(host, now, now + max_age, include_subdomains, spki_hashes,
|
| + report_uri);
|
| return true;
|
| }
|
|
|
| @@ -740,9 +756,11 @@ void TransportSecurityState::AddHSTS(const std::string& host,
|
| void TransportSecurityState::AddHPKP(const std::string& host,
|
| const base::Time& expiry,
|
| bool include_subdomains,
|
| - const HashValueVector& hashes) {
|
| + const HashValueVector& hashes,
|
| + const std::string& report_uri) {
|
| DCHECK(CalledOnValidThread());
|
| - AddHPKPInternal(host, base::Time::Now(), expiry, include_subdomains, hashes);
|
| + AddHPKPInternal(host, base::Time::Now(), expiry, include_subdomains, hashes,
|
| + report_uri);
|
| }
|
|
|
| // static
|
| @@ -785,10 +803,36 @@ bool TransportSecurityState::IsBuildTimely() {
|
| bool TransportSecurityState::CheckPublicKeyPinsImpl(
|
| const std::string& host,
|
| const HashValueVector& hashes,
|
| + uint16_t port,
|
| + const scoped_refptr<X509Certificate>& served_certificate_chain,
|
| + const scoped_refptr<X509Certificate>& validated_certificate_chain,
|
| + const PublicKeyPinReportStatus report_status,
|
| std::string* failure_log) {
|
| DomainState dynamic_state;
|
| - if (GetDynamicDomainState(host, &dynamic_state))
|
| - return dynamic_state.CheckPublicKeyPins(hashes, failure_log);
|
| + if (GetDynamicDomainState(host, &dynamic_state)) {
|
| + bool result = dynamic_state.CheckPublicKeyPins(hashes, failure_log);
|
| +
|
| + if (result || !reporter_ ||
|
| + report_status == DO_NOT_SEND_PUBLIC_KEY_PIN_REPORT)
|
| + return result;
|
| +
|
| + GURL report_uri;
|
| + std::string serialized_report;
|
| +
|
| + if (!reporter_->GetHPKPReportUri(dynamic_state.pkp, &report_uri))
|
| + return result;
|
| +
|
| + if (!reporter_->BuildHPKPReport(
|
| + host, port, dynamic_state.pkp.expiry,
|
| + dynamic_state.pkp.include_subdomains, dynamic_state.pkp.domain,
|
| + served_certificate_chain, validated_certificate_chain,
|
| + dynamic_state.pkp.spki_hashes, &serialized_report)) {
|
| + LOG(ERROR) << "Failed to build HPKP report";
|
| + return result;
|
| + }
|
| +
|
| + reporter_->SendHPKPReport(report_uri, serialized_report);
|
| + }
|
|
|
| DomainState static_state;
|
| if (GetStaticDomainState(host, &static_state))
|
|
|
Chromium Code Reviews
Issue 1211933005:
Initial (partial) implementation of HPKP violation reporting (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master