Side by Side Diff: net/http/transport_security_reporter.cc

Issue 1212613004: Build and send HPKP violation reports (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: combine GetHPKPReportUri() and BuildHPKPReport() into GetHPKPReport() Created 5 years, 5 months ago
(Empty)
1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/http/transport_security_reporter.h"
6
7 #include "base/base64.h"
8 #include "base/json/json_writer.h"
9 #include "base/strings/string_number_conversions.h"
10 #include "base/strings/string_util.h"
11 #include "base/time/time.h"
12 #include "base/values.h"
13 #include "net/ssl/ssl_info.h"
14 #include "net/url_request/url_request_context.h"
15 #include "url/gurl.h"
16
17 namespace {
18
19 scoped_ptr<base::ListValue> GetPEMEncodedChainAsList(
20 const net::X509Certificate* cert_chain) {
21 if (!cert_chain)
22 return scoped_ptr<base::ListValue>(new base::ListValue());
davidben 2015/07/22 21:36:42 You can also write return make_scoped_ptr(new ba
estark 2015/07/23 00:03:57 Done.
23
24 scoped_ptr<base::ListValue> result(new base::ListValue());
25 std::vector<std::string> pem_encoded_chain;
26 cert_chain->GetPEMEncodedChain(&pem_encoded_chain);
27 for (std::string cert : pem_encoded_chain)
davidben 2015/07/22 21:36:42 std::string -> const std::string&
estark 2015/07/23 00:03:57 Done.
28 result->Append(scoped_ptr<base::Value>(new base::StringValue(cert)));
davidben 2015/07/22 21:36:42 I think make_scoped_ptr will work here too.
estark 2015/07/23 00:03:57 Done.
29
30 return result.Pass();
31 }
32
33 } // namespace
34
35 namespace net {
36
37 TransportSecurityReporter::TransportSecurityReporter(
38 TransportSecurityState* state,
39 scoped_ptr<CertificateReportSender> report_sender)
40 : transport_security_state_(state), report_sender_(report_sender.Pass()) {
41 transport_security_state_->SetReporter(this);
42 }
43
44 TransportSecurityReporter::~TransportSecurityReporter() {
45 transport_security_state_->SetReporter(nullptr);
46 }
47
48 bool TransportSecurityReporter::GetHPKPReport(
49 const std::string& hostname,
50 const TransportSecurityState::PKPState& pkp_state,
51 bool is_static_pin,
52 uint16_t port,
53 const X509Certificate* served_certificate_chain,
54 const X509Certificate* validated_certificate_chain,
55 GURL* report_uri,
56 std::string* serialized_report) {
57 // TODO(estark): keep track of reports already sent and rate-limit,
58 // break loops
59 if (pkp_state.report_uri.is_empty())
60 return false;
61
62 base::DictionaryValue report;
63 base::Time now = base::Time::Now();
64 // TODO(estark): write times in RFC3339 format.
65 report.SetString("date-time", base::Int64ToString(now.ToInternalValue()));
davidben 2015/07/22 21:36:42 Here, you can just nab this code: https://code.goo
estark 2015/07/23 00:03:57 Done. (I just copied and pasted it -- not sure if
66 report.SetString("hostname", hostname);
67 report.SetInteger("port", port);
68 report.SetString("effective-expiration-date",
69 base::Int64ToString(pkp_state.expiry.ToInternalValue()));
70 report.SetBoolean("include-subdomains", pkp_state.include_subdomains);
71 report.SetString("noted-hostname", pkp_state.domain);
72
73 scoped_ptr<base::ListValue> served_certificate_chain_list =
74 GetPEMEncodedChainAsList(served_certificate_chain);
75 scoped_ptr<base::ListValue> validated_certificate_chain_list =
76 GetPEMEncodedChainAsList(validated_certificate_chain);
77 report.Set("served-certificate-chain", served_certificate_chain_list.Pass());
78 report.Set("validated-certificate-chain",
79 validated_certificate_chain_list.Pass());
80
81 scoped_ptr<base::ListValue> knownPinList(new base::ListValue());
82 for (const auto& hash_value : pkp_state.spki_hashes) {
83 std::string known_pin;
84
85 switch (hash_value.tag) {
86 case HASH_VALUE_SHA1:
87 known_pin += "pin-sha1=";
88 break;
89 case HASH_VALUE_SHA256:
90 known_pin += "pin-sha256=";
91 break;
92 default:
93 NOTREACHED();
davidben 2015/07/22 21:36:43 Probably also want a return false; (Or perhaps
estark 2015/07/23 00:03:57 Done (the latter).
94 }
95
96 std::string base64_value;
97 base::Base64Encode(
98 base::StringPiece(reinterpret_cast<const char*>(hash_value.data()),
99 hash_value.size()),
100 &base64_value);
101 known_pin += "\"" + base64_value + "\"";
102
103 knownPinList->Append(
104 scoped_ptr<base::Value>(new base::StringValue(known_pin)));
105 }
106
107 report.Set("known-pins", knownPinList.Pass());
108
109 if (!base::JSONWriter::Write(report, serialized_report)) {
110 LOG(ERROR) << "Failed to serialize HPKP violation report.";
111 return false;
112 }
113
114 *report_uri = pkp_state.report_uri;
115 return true;
116 }
117
118 void TransportSecurityReporter::SendHPKPReport(const GURL& report_uri,
119 const std::string& report) {
120 report_sender_->Send(report_uri, report);
121 }
122 } // namespace net
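Review bot: The early return in GetHPKPReport checks only `pkp_state.report_uri.is_empty()`, so a report-uri that was stored from the header but is not a well-formed URL still gets a full report built and is handed back to the caller through `report_uri`; `if (!pkp_state.report_uri.is_valid()) return false;` covers both the empty and the malformed case (a default-constructed GURL is also invalid), unless the header parser is already known to drop invalid URIs before they reach PKPState. Since the destination is site-controlled and the report carries the served and validated chains in full, it is worth a short comment above that check stating that the report-uri originates from the HPKP header and that sending is deferred to the CertificateReportSender, which the existing TODO about loops and rate limiting only partly conveys. On style, `knownPinList` is the one camelCase local in a function whose other locals are snake_case; `known_pin_list` keeps it consistent with Chromium naming and with `served_certificate_chain_list` a few lines above.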