Send HPKP violation reports when a pin check fails

net/http/transport_security_state.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_state.h"
 
 #if defined(USE_OPENSSL)
 #include <openssl/ecdsa.h>
 #include <openssl/ssl.h>
 #else  // !defined(USE_OPENSSL)
@@ skipping 501 matching lines @@
     return true;
   }
 
   return false;
 }
 
 bool TransportSecurityState::CheckPublicKeyPins(
     const std::string& host,
     bool is_issued_by_known_root,
     const HashValueVector& public_key_hashes,
+    uint16_t port,
+    const scoped_refptr<X509Certificate>& served_certificate_chain,
+    const scoped_refptr<X509Certificate>& validated_certificate_chain,
+    const PublicKeyPinReportStatus report_status,
     std::string* pinning_failure_log) {
   // Perform pin validation if, and only if, all these conditions obtain:
   //
   // * the server's certificate chain chains up to a known root (i.e. not a
   //   user-installed trust anchor); and
   // * the server actually has public key pins.
   if (!is_issued_by_known_root || !HasPublicKeyPins(host)) {
     return true;
   }
 
-  bool pins_are_valid =
-      CheckPublicKeyPinsImpl(host, public_key_hashes, pinning_failure_log);
+  bool pins_are_valid = CheckPublicKeyPinsImpl(
+      host, public_key_hashes, port, served_certificate_chain,
+      validated_certificate_chain, report_status, pinning_failure_log);
   if (!pins_are_valid) {
     LOG(ERROR) << *pinning_failure_log;
     ReportUMAOnPinFailure(host);
   }
 
   UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", pins_are_valid);
   return pins_are_valid;
 }
 
 bool TransportSecurityState::HasPublicKeyPins(const std::string& host) {
@@ skipping 247 matching lines @@
 #else
   const base::Time build_time = base::GetBuildTime();
   // We consider built-in information to be timely for 10 weeks.
   return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
 #endif
 }
 
 bool TransportSecurityState::CheckPublicKeyPinsImpl(
     const std::string& host,
     const HashValueVector& hashes,
+    uint16_t port,
+    const scoped_refptr<X509Certificate>& served_certificate_chain,
+    const scoped_refptr<X509Certificate>& validated_certificate_chain,
+    const PublicKeyPinReportStatus report_status,
     std::string* failure_log) {
   DomainState dynamic_state;
-  if (GetDynamicDomainState(host, &dynamic_state))
-    return dynamic_state.CheckPublicKeyPins(hashes, failure_log);
+  if (GetDynamicDomainState(host, &dynamic_state)) {
+    bool result = dynamic_state.CheckPublicKeyPins(hashes, failure_log);
+
+    if (result || !reporter_ ||
+        report_status == DO_NOT_SEND_PUBLIC_KEY_PIN_REPORT)
+      return result;
+
+    GURL report_uri;
+    std::string serialized_report;
+
+    if (!reporter_->GetHPKPReportUri(dynamic_state.pkp, &report_uri))
+      return result;
+
+    if (!reporter_->BuildHPKPReport(
+            host, port, dynamic_state.pkp.expiry,
+            dynamic_state.pkp.include_subdomains, dynamic_state.pkp.domain,
+            served_certificate_chain, validated_certificate_chain,
+            dynamic_state.pkp.spki_hashes, &serialized_report)) {
+      LOG(ERROR) << "Failed to build HPKP report";
+      return result;
+    }
+
+    reporter_->SendHPKPReport(report_uri, serialized_report);
+  }
 
   DomainState static_state;
   if (GetStaticDomainState(host, &static_state))
     return static_state.CheckPublicKeyPins(hashes, failure_log);
 
   // HasPublicKeyPins should have returned true in order for this method
   // to have been called, so if we fall through to here, it's an error.
   return false;
 }
 
@@ skipping 191 matching lines @@
 TransportSecurityState::DomainState::STSState::~STSState() {
 }
 
 TransportSecurityState::DomainState::PKPState::PKPState() {
 }
 
 TransportSecurityState::DomainState::PKPState::~PKPState() {
 }
 
 }  // namespace