Index: net/http/transport_security_state.cc |
diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc |
index c24fc1f500716fa1356c107b13814342e713db19..7921a1324323d7a115ce8c91ed6feec125c04aef 100644 |
--- a/net/http/transport_security_state.cc |
+++ b/net/http/transport_security_state.cc |
@@ -519,6 +519,10 @@ bool TransportSecurityState::CheckPublicKeyPins( |
const std::string& host, |
bool is_issued_by_known_root, |
const HashValueVector& public_key_hashes, |
+ uint16_t port, |
+ const scoped_refptr<X509Certificate>& served_certificate_chain, |
+ const scoped_refptr<X509Certificate>& validated_certificate_chain, |
+ const PublicKeyPinReportStatus report_status, |
std::string* pinning_failure_log) { |
// Perform pin validation if, and only if, all these conditions obtain: |
// |
@@ -529,8 +533,9 @@ bool TransportSecurityState::CheckPublicKeyPins( |
return true; |
} |
- bool pins_are_valid = |
- CheckPublicKeyPinsImpl(host, public_key_hashes, pinning_failure_log); |
+ bool pins_are_valid = CheckPublicKeyPinsImpl( |
+ host, public_key_hashes, port, served_certificate_chain, |
+ validated_certificate_chain, report_status, pinning_failure_log); |
if (!pins_are_valid) { |
LOG(ERROR) << *pinning_failure_log; |
ReportUMAOnPinFailure(host); |
@@ -560,6 +565,12 @@ void TransportSecurityState::SetDelegate( |
delegate_ = delegate; |
} |
+void TransportSecurityState::SetReporter( |
+ TransportSecurityState::Reporter* reporter) { |
+ DCHECK(CalledOnValidThread()); |
+ reporter_ = reporter; |
+} |
+ |
void TransportSecurityState::AddHSTSInternal( |
const std::string& host, |
TransportSecurityState::DomainState::UpgradeMode upgrade_mode, |
@@ -586,7 +597,8 @@ void TransportSecurityState::AddHPKPInternal(const std::string& host, |
const base::Time& last_observed, |
const base::Time& expiry, |
bool include_subdomains, |
- const HashValueVector& hashes) { |
+ const HashValueVector& hashes, |
+ const std::string& report_uri) { |
DCHECK(CalledOnValidThread()); |
// Copy-and-modify the existing DomainState for this host (if any). |
@@ -601,6 +613,7 @@ void TransportSecurityState::AddHPKPInternal(const std::string& host, |
domain_state.pkp.expiry = expiry; |
domain_state.pkp.include_subdomains = include_subdomains; |
domain_state.pkp.spki_hashes = hashes; |
+ domain_state.pkp.report_uri = report_uri; |
EnableHost(host, domain_state); |
} |
@@ -718,14 +731,17 @@ bool TransportSecurityState::AddHPKPHeader(const std::string& host, |
base::TimeDelta max_age; |
bool include_subdomains; |
HashValueVector spki_hashes; |
+ std::string report_uri; |
+ |
if (!ParseHPKPHeader(value, ssl_info.public_key_hashes, &max_age, |
- &include_subdomains, &spki_hashes)) { |
+ &include_subdomains, &spki_hashes, &report_uri)) { |
return false; |
} |
// Handle max-age == 0. |
if (max_age.InSeconds() == 0) |
spki_hashes.clear(); |
- AddHPKPInternal(host, now, now + max_age, include_subdomains, spki_hashes); |
+ AddHPKPInternal(host, now, now + max_age, include_subdomains, spki_hashes, |
+ report_uri); |
return true; |
} |
@@ -740,9 +756,11 @@ void TransportSecurityState::AddHSTS(const std::string& host, |
void TransportSecurityState::AddHPKP(const std::string& host, |
const base::Time& expiry, |
bool include_subdomains, |
- const HashValueVector& hashes) { |
+ const HashValueVector& hashes, |
+ const std::string& report_uri) { |
DCHECK(CalledOnValidThread()); |
- AddHPKPInternal(host, base::Time::Now(), expiry, include_subdomains, hashes); |
+ AddHPKPInternal(host, base::Time::Now(), expiry, include_subdomains, hashes, |
+ report_uri); |
} |
// static |
@@ -785,10 +803,36 @@ bool TransportSecurityState::IsBuildTimely() { |
bool TransportSecurityState::CheckPublicKeyPinsImpl( |
const std::string& host, |
const HashValueVector& hashes, |
+ uint16_t port, |
+ const scoped_refptr<X509Certificate>& served_certificate_chain, |
+ const scoped_refptr<X509Certificate>& validated_certificate_chain, |
+ const PublicKeyPinReportStatus report_status, |
std::string* failure_log) { |
DomainState dynamic_state; |
- if (GetDynamicDomainState(host, &dynamic_state)) |
- return dynamic_state.CheckPublicKeyPins(hashes, failure_log); |
+ if (GetDynamicDomainState(host, &dynamic_state)) { |
+ bool result = dynamic_state.CheckPublicKeyPins(hashes, failure_log); |
+ |
+ if (result || !reporter_ || |
+ report_status == DO_NOT_SEND_PUBLIC_KEY_PIN_REPORT) |
+ return result; |
+ |
+ GURL report_uri; |
+ std::string serialized_report; |
+ |
+ if (!reporter_->GetHPKPReportUri(dynamic_state.pkp, &report_uri)) |
+ return result; |
+ |
+ if (!reporter_->BuildHPKPReport( |
+ host, port, dynamic_state.pkp.expiry, |
+ dynamic_state.pkp.include_subdomains, dynamic_state.pkp.domain, |
+ served_certificate_chain, validated_certificate_chain, |
+ dynamic_state.pkp.spki_hashes, &serialized_report)) { |
+ LOG(ERROR) << "Failed to build HPKP report"; |
+ return result; |
+ } |
+ |
+ reporter_->SendHPKPReport(report_uri, serialized_report); |
+ } |
DomainState static_state; |
if (GetStaticDomainState(host, &static_state)) |