Chromium Code Reviews Chromium Code Reviews
Issue 1267513003:
Add parsing for Public-Key-Pins-Report-Only header (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "base/base64.h" | 5 #include "base/base64.h" |
| 6 #include "base/basictypes.h" | 6 #include "base/basictypes.h" |
| 7 #include "base/strings/string_number_conversions.h" | 7 #include "base/strings/string_number_conversions.h" |
| 8 #include "base/strings/string_piece.h" | 8 #include "base/strings/string_piece.h" |
| 9 #include "base/strings/string_tokenizer.h" | 9 #include "base/strings/string_tokenizer.h" |
| 10 #include "base/strings/string_util.h" | 10 #include "base/strings/string_util.h" |
| 11 #include "net/http/http_security_headers.h" | 11 #include "net/http/http_security_headers.h" |
| 12 #include "net/http/http_util.h" | 12 #include "net/http/http_util.h" |
| 13 #include "url/gurl.h" | 13 #include "url/gurl.h" |
| 14 | 14 |
| 15 namespace net { | 15 namespace net { |
| 16 | 16 |
| 17 namespace { | 17 namespace { |
| 18 | 18 |
| 19 enum MaxAgeParsing { REQUIRE_MAX_AGE, DO_NOT_REQUIRE_MAX_AGE }; | |
| 20 | |
| 19 static_assert(kMaxHSTSAgeSecs <= kuint32max, "kMaxHSTSAgeSecs too large"); | 21 static_assert(kMaxHSTSAgeSecs <= kuint32max, "kMaxHSTSAgeSecs too large"); |
| 20 | 22 |
| 21 // MaxAgeToInt converts a string representation of a "whole number" of | 23 // MaxAgeToInt converts a string representation of a "whole number" of |
| 22 // seconds into a uint32. The string may contain an arbitrarily large number, | 24 // seconds into a uint32. The string may contain an arbitrarily large number, |
| 23 // which will be clipped to kMaxHSTSAgeSecs and which is guaranteed to fit | 25 // which will be clipped to kMaxHSTSAgeSecs and which is guaranteed to fit |
| 24 // within a 32-bit unsigned integer. False is returned on any parse error. | 26 // within a 32-bit unsigned integer. False is returned on any parse error. |
| 25 bool MaxAgeToInt(std::string::const_iterator begin, | 27 bool MaxAgeToInt(std::string::const_iterator begin, |
| 26 std::string::const_iterator end, | 28 std::string::const_iterator end, |
| 27 uint32* result) { | 29 uint32* result) { |
| 28 const base::StringPiece s(begin, end); | 30 const base::StringPiece s(begin, end); |
| (...skipping 82 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 111 | 113 |
| 112 HashValue hash(tag); | 114 HashValue hash(tag); |
| 113 if (decoded.size() != hash.size()) | 115 if (decoded.size() != hash.size()) |
| 114 return false; | 116 return false; |
| 115 | 117 |
| 116 memcpy(hash.data(), decoded.data(), hash.size()); | 118 memcpy(hash.data(), decoded.data(), hash.size()); |
| 117 hashes->push_back(hash); | 119 hashes->push_back(hash); |
| 118 return true; | 120 return true; |
| 119 } | 121 } |
| 120 | 122 |
| 123 bool ParseHPKPHeaderImpl(const std::string& value, | |
| 124 MaxAgeParsing max_age_status, | |
| 125 base::TimeDelta* max_age, | |
| 126 bool* include_subdomains, | |
| 127 HashValueVector* hashes, | |
| 128 GURL* report_uri) { | |
| 129 bool parsed_max_age = false; | |
| 130 bool include_subdomains_candidate = false; | |
| 131 uint32 max_age_candidate = 0; | |
| 132 GURL parsed_report_uri; | |
| 133 HashValueVector pins; | |
| 134 bool require_max_age = max_age_status == REQUIRE_MAX_AGE; | |
| 135 | |
| 136 HttpUtil::NameValuePairsIterator name_value_pairs( | |
| 137 value.begin(), value.end(), ';', | |
| 138 HttpUtil::NameValuePairsIterator::VALUES_OPTIONAL); | |
| 139 | |
| 140 while (name_value_pairs.GetNext()) { | |
| 141 if (base::LowerCaseEqualsASCII( | |
| 142 base::StringPiece(name_value_pairs.name_begin(), | |
| 143 name_value_pairs.name_end()), | |
| 144 "max-age")) { | |
| 145 if (!MaxAgeToInt(name_value_pairs.value_begin(), | |
| 146 name_value_pairs.value_end(), &max_age_candidate)) { | |
| 147 return false; | |
| 148 } | |
| 149 parsed_max_age = true; | |
| 150 } else if (base::LowerCaseEqualsASCII( | |
| 151 base::StringPiece(name_value_pairs.name_begin(), | |
| 152 name_value_pairs.name_end()), | |
| 153 "pin-sha1")) { | |
| 154 // Pins are always quoted. | |
| 155 if (!name_value_pairs.value_is_quoted() || | |
| 156 !ParseAndAppendPin(name_value_pairs.value_begin(), | |
| 157 name_value_pairs.value_end(), HASH_VALUE_SHA1, | |
| 158 &pins)) { | |
| 159 return false; | |
| 160 } | |
| 161 } else if (base::LowerCaseEqualsASCII( | |
| 162 base::StringPiece(name_value_pairs.name_begin(), | |
| 163 name_value_pairs.name_end()), | |
| 164 "pin-sha256")) { | |
| 165 // Pins are always quoted. | |
| 166 if (!name_value_pairs.value_is_quoted() || | |
| 167 !ParseAndAppendPin(name_value_pairs.value_begin(), | |
| 168 name_value_pairs.value_end(), HASH_VALUE_SHA256, | |
| 169 &pins)) { | |
| 170 return false; | |
| 171 } | |
| 172 } else if (base::LowerCaseEqualsASCII( | |
| 173 base::StringPiece(name_value_pairs.name_begin(), | |
| 174 name_value_pairs.name_end()), | |
| 175 "includesubdomains")) { | |
| 176 include_subdomains_candidate = true; | |
| 177 } else if (base::LowerCaseEqualsASCII( | |
| 178 base::StringPiece(name_value_pairs.name_begin(), | |
| 179 name_value_pairs.name_end()), | |
| 180 "report-uri")) { | |
| 181 // report-uris are always quoted. | |
| 182 if (!name_value_pairs.value_is_quoted()) | |
| 183 return false; | |
| 184 | |
| 185 parsed_report_uri = GURL(name_value_pairs.value()); | |
| 186 if (parsed_report_uri.is_empty() || !parsed_report_uri.is_valid()) | |
| 187 return false; | |
| 188 } else { | |
| 189 // Silently ignore unknown directives for forward compatibility. | |
| 190 } | |
| 191 } | |
| 192 | |
| 193 if (!name_value_pairs.valid()) | |
| 194 return false; | |
| 195 | |
| 196 if (!parsed_max_age && require_max_age) | |
| 197 return false; | |
| 198 | |
| 199 *max_age = base::TimeDelta::FromSeconds(max_age_candidate); | |
| 200 *include_subdomains = include_subdomains_candidate; | |
| 201 hashes->swap(pins); | |
| 202 *report_uri = parsed_report_uri; | |
| 203 | |
| 204 return true; | |
| 205 } | |
| 206 | |
| 121 } // namespace | 207 } // namespace |
| 122 | 208 |
| 123 // Parse the Strict-Transport-Security header, as currently defined in | 209 // Parse the Strict-Transport-Security header, as currently defined in |
| 124 // http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14: | 210 // http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14: |
| 125 // | 211 // |
| 126 // Strict-Transport-Security = "Strict-Transport-Security" ":" | 212 // Strict-Transport-Security = "Strict-Transport-Security" ":" |
| 127 // [ directive ] *( ";" [ directive ] ) | 213 // [ directive ] *( ";" [ directive ] ) |
| 128 // | 214 // |
| 129 // directive = directive-name [ "=" directive-value ] | 215 // directive = directive-name [ "=" directive-value ] |
| 130 // directive-name = token | 216 // directive-name = token |
| (...skipping 114 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 245 case START: | 331 case START: |
| 246 case AFTER_MAX_AGE_LABEL: | 332 case AFTER_MAX_AGE_LABEL: |
| 247 case AFTER_MAX_AGE_EQUALS: | 333 case AFTER_MAX_AGE_EQUALS: |
| 248 return false; | 334 return false; |
| 249 default: | 335 default: |
| 250 NOTREACHED(); | 336 NOTREACHED(); |
| 251 return false; | 337 return false; |
| 252 } | 338 } |
| 253 } | 339 } |
| 254 | 340 |
| 255 // "Public-Key-Pins[-Report-Only]" ":" | 341 // "Public-Key-Pins" ":" |
| 256 // "max-age" "=" delta-seconds ";" | 342 // "max-age" "=" delta-seconds ";" |
| 257 // "pin-" algo "=" base64 [ ";" ... ] | 343 // "pin-" algo "=" base64 [ ";" ... ] |
| 258 // [ ";" "includeSubdomains" ] | 344 // [ ";" "includeSubdomains" ] |
| 259 // [ ";" "report-uri" "=" uri-reference ] | 345 // [ ";" "report-uri" "=" uri-reference ] |
| 260 bool ParseHPKPHeader(const std::string& value, | 346 bool ParseHPKPHeader(const std::string& value, |
| 261 const HashValueVector& chain_hashes, | 347 const HashValueVector& chain_hashes, |
| 262 base::TimeDelta* max_age, | 348 base::TimeDelta* max_age, |
| 263 bool* include_subdomains, | 349 bool* include_subdomains, |
| 264 HashValueVector* hashes, | 350 HashValueVector* hashes, |
| 265 GURL* report_uri) { | 351 GURL* report_uri) { |
| 266 bool parsed_max_age = false; | 352 base::TimeDelta candidate_max_age; |
| 267 bool include_subdomains_candidate = false; | 353 bool candidate_include_subdomains; |
| 268 uint32 max_age_candidate = 0; | 354 HashValueVector candidate_hashes; |
| 269 GURL parsed_report_uri; | 355 GURL candidate_report_uri; |
|
davidben
2015/07/31 19:53:23
[Incidentally, this "candidate" silliness is why I
| |
| 270 HashValueVector pins; | |
| 271 | 356 |
| 272 HttpUtil::NameValuePairsIterator name_value_pairs( | 357 if (!ParseHPKPHeaderImpl(value, REQUIRE_MAX_AGE, &candidate_max_age, |
| 273 value.begin(), value.end(), ';', | 358 &candidate_include_subdomains, &candidate_hashes, |
| 274 HttpUtil::NameValuePairsIterator::VALUES_OPTIONAL); | 359 &candidate_report_uri)) { |
| 275 | 360 return false; |
| 276 while (name_value_pairs.GetNext()) { | |
| 277 if (base::LowerCaseEqualsASCII( | |
| 278 base::StringPiece(name_value_pairs.name_begin(), | |
| 279 name_value_pairs.name_end()), | |
| 280 "max-age")) { | |
| 281 if (!MaxAgeToInt(name_value_pairs.value_begin(), | |
| 282 name_value_pairs.value_end(), &max_age_candidate)) { | |
| 283 return false; | |
| 284 } | |
| 285 parsed_max_age = true; | |
| 286 } else if (base::LowerCaseEqualsASCII( | |
| 287 base::StringPiece(name_value_pairs.name_begin(), | |
| 288 name_value_pairs.name_end()), | |
| 289 "pin-sha1")) { | |
| 290 // Pins are always quoted. | |
| 291 if (!name_value_pairs.value_is_quoted() || | |
| 292 !ParseAndAppendPin(name_value_pairs.value_begin(), | |
| 293 name_value_pairs.value_end(), HASH_VALUE_SHA1, | |
| 294 &pins)) { | |
| 295 return false; | |
| 296 } | |
| 297 } else if (base::LowerCaseEqualsASCII( | |
| 298 base::StringPiece(name_value_pairs.name_begin(), | |
| 299 name_value_pairs.name_end()), | |
| 300 "pin-sha256")) { | |
| 301 // Pins are always quoted. | |
| 302 if (!name_value_pairs.value_is_quoted() || | |
| 303 !ParseAndAppendPin(name_value_pairs.value_begin(), | |
| 304 name_value_pairs.value_end(), HASH_VALUE_SHA256, | |
| 305 &pins)) { | |
| 306 return false; | |
| 307 } | |
| 308 } else if (base::LowerCaseEqualsASCII( | |
| 309 base::StringPiece(name_value_pairs.name_begin(), | |
| 310 name_value_pairs.name_end()), | |
| 311 "includesubdomains")) { | |
| 312 include_subdomains_candidate = true; | |
| 313 } else if (base::LowerCaseEqualsASCII( | |
| 314 base::StringPiece(name_value_pairs.name_begin(), | |
| 315 name_value_pairs.name_end()), | |
| 316 "report-uri")) { | |
| 317 // report-uris are always quoted. | |
| 318 if (!name_value_pairs.value_is_quoted()) | |
| 319 return false; | |
| 320 | |
| 321 parsed_report_uri = GURL(name_value_pairs.value()); | |
| 322 if (parsed_report_uri.is_empty() || !parsed_report_uri.is_valid()) | |
| 323 return false; | |
| 324 } else { | |
| 325 // Silently ignore unknown directives for forward compatibility. | |
| 326 } | |
| 327 } | 361 } |
| 328 | 362 |
| 329 if (!name_value_pairs.valid()) | 363 if (!IsPinListValid(candidate_hashes, chain_hashes)) |
| 330 return false; | 364 return false; |
| 331 | 365 |
| 332 if (!parsed_max_age) | 366 *max_age = candidate_max_age; |
| 333 return false; | 367 *include_subdomains = candidate_include_subdomains; |
| 334 | 368 hashes->swap(candidate_hashes); |
| 335 if (!IsPinListValid(pins, chain_hashes)) | 369 *report_uri = candidate_report_uri; |
| 336 return false; | |
| 337 | |
| 338 *max_age = base::TimeDelta::FromSeconds(max_age_candidate); | |
| 339 *include_subdomains = include_subdomains_candidate; | |
| 340 hashes->swap(pins); | |
| 341 *report_uri = parsed_report_uri; | |
| 342 | |
| 343 return true; | 370 return true; |
| 344 } | 371 } |
| 345 | 372 |
| 373 // "Public-Key-Pins-Report-Only" ":" | |
| 374 // [ "max-age" "=" delta-seconds ";" ] | |
| 375 // "pin-" algo "=" base64 [ ";" ... ] | |
| 376 // [ ";" "includeSubdomains" ] | |
| 377 // [ ";" "report-uri" "=" uri-reference ] | |
| 378 bool ParseHPKPReportOnlyHeader(const std::string& value, | |
| 379 bool* include_subdomains, | |
| 380 HashValueVector* hashes, | |
| 381 GURL* report_uri) { | |
| 382 // max-age and includeSubdomains are irrelevant for Report-Only | |
| 383 // headers. | |
|
davidben
2015/07/31 19:53:23
and includeSubdomains are -> is?
(Hrm. Looks like
estark
2015/07/31 20:29:47
Yeah, just fixed it here too.
| |
| 384 base::TimeDelta unused_max_age; | |
| 385 | |
| 386 return ParseHPKPHeaderImpl(value, DO_NOT_REQUIRE_MAX_AGE, &unused_max_age, | |
| 387 include_subdomains, hashes, report_uri); | |
| 388 } | |
| 389 | |
| 346 } // namespace net | 390 } // namespace net |
| OLD | NEW |
