Addition of Certificate Transparency details to Security panel of DevTools

content/child/web_url_loader_impl.cc

Index: content/child/web_url_loader_impl.cc
diff --git a/content/child/web_url_loader_impl.cc b/content/child/web_url_loader_impl.cc
index bf31e7fe9486d1c6a15c414a380961d1ebf6a179..85d6e134ab128096e82f6ffb6cccf3bbb907d1c1 100644
--- a/content/child/web_url_loader_impl.cc
+++ b/content/child/web_url_loader_impl.cc
@@ -6,6 +6,9 @@
 
 #include <stdint.h>
 #include <algorithm>
+#include <iomanip>
+#include <iostream>

[Eran Messeri, 2016/03/09 20:58:47]

Including iostream will introduce additional static initializers which will
break things - I encountered this exact issue in
https://codereview.chromium.org/1758823002/

[dwaxweiler, 2016/03/10 11:02:28]

Acknowledged.

+#include <sstream>
 #include <string>
 #include <utility>
 #include <vector>
@@ -44,6 +47,7 @@
 #include "net/base/net_errors.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/sct_status_flags.h"
+#include "net/cert/signed_certificate_timestamp.h"
 #include "net/http/http_response_headers.h"
 #include "net/http/http_util.h"
 #include "net/ssl/ssl_cipher_suite_names.h"
@@ -174,6 +178,90 @@ int GetInfoFromDataURL(const GURL& url,
   return net::OK;
 }
 
+const WebString HashAlgorithmToString(

[Eran Messeri, 2016/03/09 20:58:46]

Perhaps we can extract the function
https://code.google.com/p/chromium/codesearch#chromium/src/net/cert/ct_signed...
to a more accessible namespace? 

[dwaxweiler, 2016/03/10 11:02:27]

Acknowledged.

+  net::ct::DigitallySigned::HashAlgorithm hashAlgorithm) {
+  switch (hashAlgorithm) {
+  case net::ct::DigitallySigned::HASH_ALGO_NONE:
+    return "None / invalid";
+  case net::ct::DigitallySigned::HASH_ALGO_MD5:
+    return "MD5";
+  case net::ct::DigitallySigned::HASH_ALGO_SHA1:
+    return "SHA-1";
+  case net::ct::DigitallySigned::HASH_ALGO_SHA224:
+    return "SHA-224";
+  case net::ct::DigitallySigned::HASH_ALGO_SHA256:
+    return "SHA-256";
+  case net::ct::DigitallySigned::HASH_ALGO_SHA384:
+    return "SHA-384";
+  case net::ct::DigitallySigned::HASH_ALGO_SHA512:
+    return "SHA-512";
+  }
+  return "Unknown";
+}
+
+const WebString SignatureAlgorithmToString(

[Eran Messeri, 2016/03/09 20:58:47]

Same for
https://code.google.com/p/chromium/codesearch#chromium/src/net/cert/ct_signed...

[dwaxweiler, 2016/03/10 11:02:28]

Acknowledged.

+  net::ct::DigitallySigned::SignatureAlgorithm signatureAlgorithm) {
+  switch (signatureAlgorithm) {
+  case net::ct::DigitallySigned::SIG_ALGO_ANONYMOUS:
+    return "Unknown";
+  case net::ct::DigitallySigned::SIG_ALGO_RSA:
+    return "RSA";
+  case net::ct::DigitallySigned::SIG_ALGO_DSA:
+    return "DSA";
+  case net::ct::DigitallySigned::SIG_ALGO_ECDSA:
+    return "ECDSA";
+  }
+  return "Unknown";
+}
+
+const WebString OriginToString(

[Eran Messeri, 2016/03/09 20:58:47]

Same for
https://code.google.com/p/chromium/codesearch#chromium/src/net/cert/ct_signed...

[dwaxweiler, 2016/03/10 11:02:27]

Acknowledged.

+  net::ct::SignedCertificateTimestamp::Origin origin) {
+  switch (origin) {
+  case net::ct::SignedCertificateTimestamp::SCT_EMBEDDED:
+    return "Embedded";
+  case net::ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION:
+    return "TLS extension";
+  case net::ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE:
+    return "OCSP";
+  }
+  return "Unknown";
+}
+
+const WebString StatusToString(net::ct::SCTVerifyStatus status) {
+  switch (status) {
+  case net::ct::SCT_STATUS_LOG_UNKNOWN:
+    return "From unknown log";
+  case net::ct::SCT_STATUS_INVALID:
+    return "Invalid";
+  case net::ct::SCT_STATUS_OK:
+    return "Verified";
+  case net::ct::SCT_STATUS_NONE:
+    return "None";
+  }
+  return "Unknown";
+}
+
+const WebString VersionToString(
+  net::ct::SignedCertificateTimestamp::Version version) {
+  switch (version) {
+  case net::ct::SignedCertificateTimestamp::SCT_VERSION_1:
+    return "1";
+  }
+  return "Unknown";
+}
+
+std::string ByteToHex(const unsigned char *data, int length) {

[Eran Messeri, 2016/03/09 20:58:47]

How about using HexEncode in
https://code.google.com/p/chromium/codesearch#chromium/src/base/strings/strin...
?

[dwaxweiler, 2016/03/10 11:02:28]

Acknowledged.

+  std::stringstream stream;
+  for (int i = 0; i < length; ++i) {
+    stream << std::hex
+      << std::uppercase
+      << std::setw(2)
+      << std::setfill('0')
+      << (int)data[i];
+  }
+  return stream.str();
+}
+
 void SetSecurityStyleAndDetails(const GURL& url,
                                 const std::string& security_info,
                                 WebURLResponse* response,
@@ -249,8 +337,28 @@ void SetSecurityStyleAndDetails(const GURL& url,
   size_t num_invalid_scts = 0;
   size_t num_valid_scts = 0;
 
+  blink::WebURLResponse::SignedCertificateTimestampList sctList;
+
   SignedCertificateTimestampIDStatusList::iterator iter;
   for (iter = sct_list.begin(); iter < sct_list.end(); ++iter) {
+    // Extract SCT's details.

[Eran Messeri, 2016/03/09 21:04:35]

I think this is where you'd use the SignedCertificateTimestampStore's Retrieve
function
(https://code.google.com/p/chromium/codesearch#chromium/src/content/public/bro...)
to get a net::ct::SignedCertificateTimestamp instance (particularly, a
scoped_refptr to an existing one) which you'll use to fill in the
blink::WebURLResponse::SignedCertificateTimestamp.

[dwaxweiler, 2016/03/10 11:02:27]

I have thought of the SCT store too, but Retrieve() always returns false, i.e.
the SCTs could not be found and the scoped_refptr was not changed. In the class
description of SignedCertificateTimestampStore is mentioned "When stored,
SignedCertificateTimestamp objects are associated with a RenderProcessHost. If
all the RenderProcessHosts associated with the SCT have exited, the SCT is
removed from the store." Therefore, I suspect that the SCTs are not available
anymore. Related: https://bugs.chromium.org/p/chromium/issues/detail?id=592561

[Eran Messeri, 2016/03/14 18:27:26]

+lgarron - is that the reason pages have to be re-loaded after the Security
panel is opened in DevTools to provide connection-specific information?

+    blink::WebURLResponse::SignedCertificateTimestamp sct(
+      StatusToString(iter->status),
+      OriginToString(iter->origin),
+      VersionToString(iter->version),
+      WebString::fromUTF8(iter->logDescription),
+      WebString::fromUTF8(ByteToHex(
+        reinterpret_cast<const unsigned char*>(iter->logId.data()),
+        iter->logId.length())),
+      iter->timestamp,
+      HashAlgorithmToString(iter->signature.hash_algorithm),
+      SignatureAlgorithmToString(iter->signature.signature_algorithm),
+      WebString::fromUTF8(ByteToHex(
+        reinterpret_cast<const unsigned char*>(
+          iter->signature.signature_data.data()),
+        iter->signature.signature_data.length())));
+    sctList.push_back(sct);
+    // Count unknown, invalid and valid SCTs.
     switch (iter->status) {
       case net::ct::SCT_STATUS_LOG_UNKNOWN:
         num_unknown_scts++;
@@ -272,7 +380,8 @@ void SetSecurityStyleAndDetails(const GURL& url,
   blink::WebURLResponse::WebSecurityDetails webSecurityDetails(
       WebString::fromUTF8(protocol), WebString::fromUTF8(cipher),
       WebString::fromUTF8(key_exchange), WebString::fromUTF8(mac),
-      ssl_status.cert_id, num_unknown_scts, num_invalid_scts, num_valid_scts);
+      ssl_status.cert_id, num_unknown_scts, num_invalid_scts, num_valid_scts,
+      sctList);
 
   response->setSecurityDetails(webSecurityDetails);
 }