Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(967)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/http/transport_security_state.cc

Issue 1213783005: Send HPKP violation reports when a pin check fails (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« net/http/transport_security_state.h ('K') | « net/http/transport_security_state.h ('k') | net/http/transport_security_state_unittest.cc » ('j') | net/http/transport_security_state_unittest.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/http/transport_security_state.cc
diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc
index 88c6ec321e9554efeebad5a4547bf96aa92c52df..7921a1324323d7a115ce8c91ed6feec125c04aef 100644
--- a/net/http/transport_security_state.cc
+++ b/net/http/transport_security_state.cc
@@ -519,6 +519,10 @@ bool TransportSecurityState::CheckPublicKeyPins(
const std::string& host,
bool is_issued_by_known_root,
const HashValueVector& public_key_hashes,
+ uint16_t port,
+ const scoped_refptr<X509Certificate>& served_certificate_chain,
+ const scoped_refptr<X509Certificate>& validated_certificate_chain,
+ const PublicKeyPinReportStatus report_status,
std::string* pinning_failure_log) {
// Perform pin validation if, and only if, all these conditions obtain:
//
@@ -529,8 +533,9 @@ bool TransportSecurityState::CheckPublicKeyPins(
return true;
}
- bool pins_are_valid =
- CheckPublicKeyPinsImpl(host, public_key_hashes, pinning_failure_log);
+ bool pins_are_valid = CheckPublicKeyPinsImpl(
+ host, public_key_hashes, port, served_certificate_chain,
+ validated_certificate_chain, report_status, pinning_failure_log);
if (!pins_are_valid) {
LOG(ERROR) << *pinning_failure_log;
ReportUMAOnPinFailure(host);
@@ -798,10 +803,36 @@ bool TransportSecurityState::IsBuildTimely() {
bool TransportSecurityState::CheckPublicKeyPinsImpl(
const std::string& host,
const HashValueVector& hashes,
+ uint16_t port,
+ const scoped_refptr<X509Certificate>& served_certificate_chain,
+ const scoped_refptr<X509Certificate>& validated_certificate_chain,
+ const PublicKeyPinReportStatus report_status,
std::string* failure_log) {
DomainState dynamic_state;
- if (GetDynamicDomainState(host, &dynamic_state))
- return dynamic_state.CheckPublicKeyPins(hashes, failure_log);
+ if (GetDynamicDomainState(host, &dynamic_state)) {
+ bool result = dynamic_state.CheckPublicKeyPins(hashes, failure_log);
+
+ if (result || !reporter_ ||
+ report_status == DO_NOT_SEND_PUBLIC_KEY_PIN_REPORT)
+ return result;
+
+ GURL report_uri;
+ std::string serialized_report;
+
+ if (!reporter_->GetHPKPReportUri(dynamic_state.pkp, &report_uri))
+ return result;
+
+ if (!reporter_->BuildHPKPReport(
+ host, port, dynamic_state.pkp.expiry,
+ dynamic_state.pkp.include_subdomains, dynamic_state.pkp.domain,
+ served_certificate_chain, validated_certificate_chain,
+ dynamic_state.pkp.spki_hashes, &serialized_report)) {
+ LOG(ERROR) << "Failed to build HPKP report";
+ return result;
+ }
+
+ reporter_->SendHPKPReport(report_uri, serialized_report);
+ }
DomainState static_state;
if (GetStaticDomainState(host, &static_state))
« net/http/transport_security_state.h ('K') | « net/http/transport_security_state.h ('k') | net/http/transport_security_state_unittest.cc » ('j') | net/http/transport_security_state_unittest.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698