OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #if defined(USE_OPENSSL) | 7 #if defined(USE_OPENSSL) |
8 #include <openssl/ecdsa.h> | 8 #include <openssl/ecdsa.h> |
9 #include <openssl/ssl.h> | 9 #include <openssl/ssl.h> |
10 #else // !defined(USE_OPENSSL) | 10 #else // !defined(USE_OPENSSL) |
11 #include <cryptohi.h> | 11 #include <cryptohi.h> |
12 #include <hasht.h> | 12 #include <hasht.h> |
13 #include <keyhi.h> | 13 #include <keyhi.h> |
14 #include <nspr.h> | 14 #include <nspr.h> |
15 #include <pk11pub.h> | 15 #include <pk11pub.h> |
16 #endif | 16 #endif |
17 | 17 |
18 #include <algorithm> | 18 #include <algorithm> |
19 | 19 |
20 #include "base/base64.h" | 20 #include "base/base64.h" |
21 #include "base/build_time.h" | 21 #include "base/build_time.h" |
22 #include "base/json/json_writer.h" | |
22 #include "base/logging.h" | 23 #include "base/logging.h" |
23 #include "base/memory/scoped_ptr.h" | 24 #include "base/memory/scoped_ptr.h" |
24 #include "base/metrics/histogram_macros.h" | 25 #include "base/metrics/histogram_macros.h" |
25 #include "base/metrics/sparse_histogram.h" | 26 #include "base/metrics/sparse_histogram.h" |
26 #include "base/sha1.h" | 27 #include "base/sha1.h" |
27 #include "base/strings/string_number_conversions.h" | 28 #include "base/strings/string_number_conversions.h" |
28 #include "base/strings/string_util.h" | 29 #include "base/strings/string_util.h" |
30 #include "base/strings/stringprintf.h" | |
29 #include "base/strings/utf_string_conversions.h" | 31 #include "base/strings/utf_string_conversions.h" |
30 #include "base/time/time.h" | 32 #include "base/time/time.h" |
31 #include "base/values.h" | 33 #include "base/values.h" |
32 #include "crypto/sha2.h" | 34 #include "crypto/sha2.h" |
33 #include "net/base/dns_util.h" | 35 #include "net/base/dns_util.h" |
36 #include "net/base/host_port_pair.h" | |
34 #include "net/cert/x509_cert_types.h" | 37 #include "net/cert/x509_cert_types.h" |
35 #include "net/cert/x509_certificate.h" | 38 #include "net/cert/x509_certificate.h" |
36 #include "net/http/http_security_headers.h" | 39 #include "net/http/http_security_headers.h" |
37 #include "net/ssl/ssl_info.h" | 40 #include "net/ssl/ssl_info.h" |
38 #include "url/gurl.h" | 41 #include "url/gurl.h" |
39 | 42 |
40 #if defined(USE_OPENSSL) | 43 #if defined(USE_OPENSSL) |
41 #include "crypto/openssl_util.h" | 44 #include "crypto/openssl_util.h" |
42 #endif | 45 #endif |
43 | 46 |
44 namespace net { | 47 namespace net { |
45 | 48 |
46 namespace { | 49 namespace { |
47 | 50 |
48 #include "net/http/transport_security_state_static.h" | 51 #include "net/http/transport_security_state_static.h" |
49 | 52 |
53 std::string TimeToISO8601(const base::Time& t) { | |
54 base::Time::Exploded exploded; | |
55 t.UTCExplode(&exploded); | |
56 return base::StringPrintf( | |
57 "%04d-%02d-%02dT%02d:%02d:%02d.%03dZ", exploded.year, exploded.month, | |
58 exploded.day_of_month, exploded.hour, exploded.minute, exploded.second, | |
59 exploded.millisecond); | |
davidben
2015/07/24 20:42:55
[Verified RFC 3339 allows fractional seconds. I di
estark
2015/07/25 00:10:31
Acknowledged.
| |
60 } | |
61 | |
62 scoped_ptr<base::ListValue> GetPEMEncodedChainAsList( | |
63 const net::X509Certificate* cert_chain) { | |
64 if (!cert_chain) | |
65 return make_scoped_ptr(new base::ListValue()); | |
66 | |
67 scoped_ptr<base::ListValue> result(new base::ListValue()); | |
68 std::vector<std::string> pem_encoded_chain; | |
69 cert_chain->GetPEMEncodedChain(&pem_encoded_chain); | |
70 for (const std::string& cert : pem_encoded_chain) | |
71 result->Append(make_scoped_ptr(new base::StringValue(cert))); | |
72 | |
73 return result.Pass(); | |
74 } | |
75 | |
76 bool GetHPKPReport(const HostPortPair& host_port_pair, | |
77 const TransportSecurityState::PKPState& pkp_state, | |
78 const X509Certificate* served_certificate_chain, | |
79 const X509Certificate* validated_certificate_chain, | |
80 std::string* serialized_report) { | |
81 // TODO(estark): keep track of reports already sent and rate-limit, | |
82 // break loops | |
davidben
2015/07/24 20:42:55
You should probably talk to ttuttle@. Domain Relia
estark
2015/07/25 00:10:31
Acknowledged.
| |
83 if (pkp_state.report_uri.is_empty()) | |
84 return false; | |
85 | |
86 base::DictionaryValue report; | |
87 base::Time now = base::Time::Now(); | |
88 report.SetString("date-time", TimeToISO8601(now)); | |
89 report.SetString("hostname", host_port_pair.host()); | |
90 report.SetInteger("port", host_port_pair.port()); | |
91 report.SetString("effective-expiration-date", | |
92 TimeToISO8601(pkp_state.expiry)); | |
93 report.SetBoolean("include-subdomains", pkp_state.include_subdomains); | |
94 report.SetString("noted-hostname", pkp_state.domain); | |
95 | |
96 scoped_ptr<base::ListValue> served_certificate_chain_list = | |
97 GetPEMEncodedChainAsList(served_certificate_chain); | |
98 scoped_ptr<base::ListValue> validated_certificate_chain_list = | |
99 GetPEMEncodedChainAsList(validated_certificate_chain); | |
100 report.Set("served-certificate-chain", served_certificate_chain_list.Pass()); | |
101 report.Set("validated-certificate-chain", | |
102 validated_certificate_chain_list.Pass()); | |
103 | |
104 scoped_ptr<base::ListValue> known_pin_list(new base::ListValue()); | |
105 for (const auto& hash_value : pkp_state.spki_hashes) { | |
106 std::string known_pin; | |
107 | |
108 switch (hash_value.tag) { | |
109 case HASH_VALUE_SHA1: | |
110 known_pin += "pin-sha1="; | |
111 break; | |
112 case HASH_VALUE_SHA256: | |
113 known_pin += "pin-sha256="; | |
114 break; | |
115 } | |
116 | |
117 std::string base64_value; | |
118 base::Base64Encode( | |
119 base::StringPiece(reinterpret_cast<const char*>(hash_value.data()), | |
120 hash_value.size()), | |
121 &base64_value); | |
122 known_pin += "\"" + base64_value + "\""; | |
123 | |
124 known_pin_list->Append( | |
125 scoped_ptr<base::Value>(new base::StringValue(known_pin))); | |
126 } | |
127 | |
128 report.Set("known-pins", known_pin_list.Pass()); | |
129 | |
130 if (!base::JSONWriter::Write(report, serialized_report)) { | |
131 LOG(ERROR) << "Failed to serialize HPKP violation report."; | |
132 return false; | |
133 } | |
134 | |
135 return true; | |
136 } | |
137 | |
50 std::string HashesToBase64String(const HashValueVector& hashes) { | 138 std::string HashesToBase64String(const HashValueVector& hashes) { |
51 std::string str; | 139 std::string str; |
52 for (size_t i = 0; i != hashes.size(); ++i) { | 140 for (size_t i = 0; i != hashes.size(); ++i) { |
53 if (i != 0) | 141 if (i != 0) |
54 str += ","; | 142 str += ","; |
55 str += hashes[i].ToString(); | 143 str += hashes[i].ToString(); |
56 } | 144 } |
57 return str; | 145 return str; |
58 } | 146 } |
59 | 147 |
(...skipping 443 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
503 PKPState unused; | 591 PKPState unused; |
504 if (GetStaticDomainState(host, &static_sts_state, &unused) && | 592 if (GetStaticDomainState(host, &static_sts_state, &unused) && |
505 static_sts_state.ShouldUpgradeToSSL()) { | 593 static_sts_state.ShouldUpgradeToSSL()) { |
506 return true; | 594 return true; |
507 } | 595 } |
508 | 596 |
509 return false; | 597 return false; |
510 } | 598 } |
511 | 599 |
512 bool TransportSecurityState::CheckPublicKeyPins( | 600 bool TransportSecurityState::CheckPublicKeyPins( |
513 const std::string& host, | 601 const HostPortPair& host_port_pair, |
514 bool is_issued_by_known_root, | 602 bool is_issued_by_known_root, |
515 const HashValueVector& public_key_hashes, | 603 const HashValueVector& public_key_hashes, |
604 const X509Certificate* served_certificate_chain, | |
605 const X509Certificate* validated_certificate_chain, | |
606 const PublicKeyPinReportStatus report_status, | |
516 std::string* pinning_failure_log) { | 607 std::string* pinning_failure_log) { |
517 // Perform pin validation if, and only if, all these conditions obtain: | 608 // Perform pin validation if, and only if, all these conditions obtain: |
518 // | 609 // |
519 // * the server's certificate chain chains up to a known root (i.e. not a | 610 // * the server's certificate chain chains up to a known root (i.e. not a |
520 // user-installed trust anchor); and | 611 // user-installed trust anchor); and |
521 // * the server actually has public key pins. | 612 // * the server actually has public key pins. |
522 if (!is_issued_by_known_root || !HasPublicKeyPins(host)) { | 613 if (!is_issued_by_known_root || !HasPublicKeyPins(host_port_pair.host())) { |
523 return true; | 614 return true; |
524 } | 615 } |
525 | 616 |
526 bool pins_are_valid = | 617 bool pins_are_valid = CheckPublicKeyPinsImpl( |
527 CheckPublicKeyPinsImpl(host, public_key_hashes, pinning_failure_log); | 618 host_port_pair, public_key_hashes, served_certificate_chain, |
619 validated_certificate_chain, report_status, pinning_failure_log); | |
528 if (!pins_are_valid) { | 620 if (!pins_are_valid) { |
529 LOG(ERROR) << *pinning_failure_log; | 621 LOG(ERROR) << *pinning_failure_log; |
530 ReportUMAOnPinFailure(host); | 622 ReportUMAOnPinFailure(host_port_pair.host()); |
531 } | 623 } |
532 | 624 |
533 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", pins_are_valid); | 625 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", pins_are_valid); |
534 return pins_are_valid; | 626 return pins_are_valid; |
535 } | 627 } |
536 | 628 |
537 bool TransportSecurityState::HasPublicKeyPins(const std::string& host) { | 629 bool TransportSecurityState::HasPublicKeyPins(const std::string& host) { |
538 PKPState dynamic_state; | 630 PKPState dynamic_state; |
539 if (GetDynamicPKPState(host, &dynamic_state)) | 631 if (GetDynamicPKPState(host, &dynamic_state)) |
540 return dynamic_state.HasPublicKeyPins(); | 632 return dynamic_state.HasPublicKeyPins(); |
541 | 633 |
542 STSState unused; | 634 STSState unused; |
543 PKPState static_pkp_state; | 635 PKPState static_pkp_state; |
544 if (GetStaticDomainState(host, &unused, &static_pkp_state)) { | 636 if (GetStaticDomainState(host, &unused, &static_pkp_state)) { |
545 if (static_pkp_state.HasPublicKeyPins()) | 637 if (static_pkp_state.HasPublicKeyPins()) |
546 return true; | 638 return true; |
547 } | 639 } |
548 | 640 |
549 return false; | 641 return false; |
550 } | 642 } |
551 | 643 |
552 void TransportSecurityState::SetDelegate( | 644 void TransportSecurityState::SetDelegate( |
553 TransportSecurityState::Delegate* delegate) { | 645 TransportSecurityState::Delegate* delegate) { |
554 DCHECK(CalledOnValidThread()); | 646 DCHECK(CalledOnValidThread()); |
555 delegate_ = delegate; | 647 delegate_ = delegate; |
556 } | 648 } |
557 | 649 |
650 void TransportSecurityState::SetReportSender( | |
651 TransportSecurityState::ReportSender* report_sender) { | |
652 DCHECK(CalledOnValidThread()); | |
653 report_sender_ = report_sender; | |
654 } | |
655 | |
558 void TransportSecurityState::AddHSTSInternal( | 656 void TransportSecurityState::AddHSTSInternal( |
559 const std::string& host, | 657 const std::string& host, |
560 TransportSecurityState::STSState::UpgradeMode upgrade_mode, | 658 TransportSecurityState::STSState::UpgradeMode upgrade_mode, |
561 const base::Time& expiry, | 659 const base::Time& expiry, |
562 bool include_subdomains) { | 660 bool include_subdomains) { |
563 DCHECK(CalledOnValidThread()); | 661 DCHECK(CalledOnValidThread()); |
564 | 662 |
565 STSState sts_state; | 663 STSState sts_state; |
566 sts_state.last_observed = base::Time::Now(); | 664 sts_state.last_observed = base::Time::Now(); |
567 sts_state.include_subdomains = include_subdomains; | 665 sts_state.include_subdomains = include_subdomains; |
(...skipping 238 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
806 #if defined(DONT_EMBED_BUILD_METADATA) && !defined(OFFICIAL_BUILD) | 904 #if defined(DONT_EMBED_BUILD_METADATA) && !defined(OFFICIAL_BUILD) |
807 return true; | 905 return true; |
808 #else | 906 #else |
809 const base::Time build_time = base::GetBuildTime(); | 907 const base::Time build_time = base::GetBuildTime(); |
810 // We consider built-in information to be timely for 10 weeks. | 908 // We consider built-in information to be timely for 10 weeks. |
811 return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */; | 909 return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */; |
812 #endif | 910 #endif |
813 } | 911 } |
814 | 912 |
815 bool TransportSecurityState::CheckPublicKeyPinsImpl( | 913 bool TransportSecurityState::CheckPublicKeyPinsImpl( |
816 const std::string& host, | 914 const HostPortPair& host_port_pair, |
817 const HashValueVector& hashes, | 915 const HashValueVector& hashes, |
916 const X509Certificate* served_certificate_chain, | |
917 const X509Certificate* validated_certificate_chain, | |
918 const PublicKeyPinReportStatus report_status, | |
818 std::string* failure_log) { | 919 std::string* failure_log) { |
819 PKPState dynamic_state; | 920 PKPState pkp_state; |
820 if (GetDynamicPKPState(host, &dynamic_state)) | 921 STSState unused; |
821 return dynamic_state.CheckPublicKeyPins(hashes, failure_log); | |
822 | 922 |
823 PKPState static_pkp_state; | 923 if (!GetDynamicPKPState(host_port_pair.host(), &pkp_state) && |
824 STSState unused; | 924 !GetStaticDomainState(host_port_pair.host(), &unused, &pkp_state)) { |
825 if (GetStaticDomainState(host, &unused, &static_pkp_state)) | 925 // HasPublicKeyPins should have returned true in order for this method |
826 return static_pkp_state.CheckPublicKeyPins(hashes, failure_log); | 926 // to have been called, so if we fall through to here, it's an error. |
davidben
2015/07/24 20:42:55
[This was there before, so no need to do anything
estark
2015/07/25 00:10:31
Acknowledged.
| |
927 return false; | |
928 } | |
827 | 929 |
828 // HasPublicKeyPins should have returned true in order for this method | 930 bool passed_pin_check = pkp_state.CheckPublicKeyPins(hashes, failure_log); |
davidben
2015/07/24 20:42:55
This might be slightly clearer as
if (pkp_state.
estark
2015/07/25 00:10:31
Done.
| |
829 // to have been called, so if we fall through to here, it's an error. | 931 |
830 return false; | 932 if (passed_pin_check || !report_sender_ || |
933 report_status != ENABLE_PIN_REPORTS || pkp_state.report_uri.is_empty()) | |
934 return passed_pin_check; | |
davidben
2015/07/24 20:42:55
Nit: IIRC, multi-line if's get curlies.
estark
2015/07/25 00:10:31
Done.
| |
935 | |
936 DCHECK(pkp_state.report_uri.is_valid()); | |
937 | |
938 std::string serialized_report; | |
939 | |
940 if (!GetHPKPReport(host_port_pair, pkp_state, served_certificate_chain, | |
941 validated_certificate_chain, &serialized_report)) { | |
942 return passed_pin_check; | |
943 } | |
944 | |
945 report_sender_->Send(pkp_state.report_uri, serialized_report); | |
946 | |
947 return passed_pin_check; | |
831 } | 948 } |
832 | 949 |
833 bool TransportSecurityState::GetStaticDomainState(const std::string& host, | 950 bool TransportSecurityState::GetStaticDomainState(const std::string& host, |
834 STSState* sts_state, | 951 STSState* sts_state, |
835 PKPState* pkp_state) const { | 952 PKPState* pkp_state) const { |
836 DCHECK(CalledOnValidThread()); | 953 DCHECK(CalledOnValidThread()); |
837 | 954 |
838 sts_state->upgrade_mode = STSState::MODE_FORCE_HTTPS; | 955 sts_state->upgrade_mode = STSState::MODE_FORCE_HTTPS; |
839 sts_state->include_subdomains = false; | 956 sts_state->include_subdomains = false; |
840 pkp_state->include_subdomains = false; | 957 pkp_state->include_subdomains = false; |
(...skipping 215 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1056 TransportSecurityState::PKPStateIterator::PKPStateIterator( | 1173 TransportSecurityState::PKPStateIterator::PKPStateIterator( |
1057 const TransportSecurityState& state) | 1174 const TransportSecurityState& state) |
1058 : iterator_(state.enabled_pkp_hosts_.begin()), | 1175 : iterator_(state.enabled_pkp_hosts_.begin()), |
1059 end_(state.enabled_pkp_hosts_.end()) { | 1176 end_(state.enabled_pkp_hosts_.end()) { |
1060 } | 1177 } |
1061 | 1178 |
1062 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { | 1179 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { |
1063 } | 1180 } |
1064 | 1181 |
1065 } // namespace | 1182 } // namespace |
OLD | NEW |