OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 5 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
6 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 6 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
7 | 7 |
8 #include <stdint.h> | 8 #include <stdint.h> |
9 | 9 |
10 #include <map> | 10 #include <map> |
(...skipping 237 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
248 // Indicates whether or not a public key pin check should send a | 248 // Indicates whether or not a public key pin check should send a |
249 // report if a violation is detected. | 249 // report if a violation is detected. |
250 enum PublicKeyPinReportStatus { ENABLE_PIN_REPORTS, DISABLE_PIN_REPORTS }; | 250 enum PublicKeyPinReportStatus { ENABLE_PIN_REPORTS, DISABLE_PIN_REPORTS }; |
251 | 251 |
252 TransportSecurityState(); | 252 TransportSecurityState(); |
253 ~TransportSecurityState(); | 253 ~TransportSecurityState(); |
254 | 254 |
255 // These functions search for static and dynamic STS and PKP states, and | 255 // These functions search for static and dynamic STS and PKP states, and |
256 // invoke the functions of the same name on them. These functions are the | 256 // invoke the functions of the same name on them. These functions are the |
257 // primary public interface; direct access to STS and PKP states is best | 257 // primary public interface; direct access to STS and PKP states is best |
258 // left to tests. | 258 // left to tests. The caller needs to handle the optional pinning override |
| 259 // when is_issued_by_known_root is false. |
259 bool ShouldSSLErrorsBeFatal(const std::string& host); | 260 bool ShouldSSLErrorsBeFatal(const std::string& host); |
260 bool ShouldUpgradeToSSL(const std::string& host); | 261 bool ShouldUpgradeToSSL(const std::string& host); |
261 bool CheckPublicKeyPins(const HostPortPair& host_port_pair, | 262 bool CheckPublicKeyPins(const HostPortPair& host_port_pair, |
262 bool is_issued_by_known_root, | 263 bool is_issued_by_known_root, |
263 const HashValueVector& hashes, | 264 const HashValueVector& hashes, |
264 const X509Certificate* served_certificate_chain, | 265 const X509Certificate* served_certificate_chain, |
265 const X509Certificate* validated_certificate_chain, | 266 const X509Certificate* validated_certificate_chain, |
266 const PublicKeyPinReportStatus report_status, | 267 const PublicKeyPinReportStatus report_status, |
267 std::string* failure_log); | 268 std::string* failure_log); |
268 bool HasPublicKeyPins(const std::string& host); | 269 bool HasPublicKeyPins(const std::string& host); |
(...skipping 136 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
405 static void ReportUMAOnPinFailure(const std::string& host); | 406 static void ReportUMAOnPinFailure(const std::string& host); |
406 | 407 |
407 // IsBuildTimely returns true if the current build is new enough ensure that | 408 // IsBuildTimely returns true if the current build is new enough ensure that |
408 // built in security information (i.e. HSTS preloading and pinning | 409 // built in security information (i.e. HSTS preloading and pinning |
409 // information) is timely. | 410 // information) is timely. |
410 static bool IsBuildTimely(); | 411 static bool IsBuildTimely(); |
411 | 412 |
412 // Helper method for actually checking pins. | 413 // Helper method for actually checking pins. |
413 bool CheckPublicKeyPinsImpl( | 414 bool CheckPublicKeyPinsImpl( |
414 const HostPortPair& host_port_pair, | 415 const HostPortPair& host_port_pair, |
| 416 bool is_issued_by_known_root, |
415 const HashValueVector& hashes, | 417 const HashValueVector& hashes, |
416 const X509Certificate* served_certificate_chain, | 418 const X509Certificate* served_certificate_chain, |
417 const X509Certificate* validated_certificate_chain, | 419 const X509Certificate* validated_certificate_chain, |
418 const PublicKeyPinReportStatus report_status, | 420 const PublicKeyPinReportStatus report_status, |
419 std::string* failure_log); | 421 std::string* failure_log); |
420 | 422 |
421 // If a Delegate is present, notify it that the internal state has | 423 // If a Delegate is present, notify it that the internal state has |
422 // changed. | 424 // changed. |
423 void DirtyNotify(); | 425 void DirtyNotify(); |
424 | 426 |
(...skipping 20 matching lines...) Expand all Loading... |
445 | 447 |
446 // Returns true if a request to |host_port_pair| with the given | 448 // Returns true if a request to |host_port_pair| with the given |
447 // SubjectPublicKeyInfo |hashes| satisfies the pins in |pkp_state|, | 449 // SubjectPublicKeyInfo |hashes| satisfies the pins in |pkp_state|, |
448 // and false otherwise. If a violation is found and reporting is | 450 // and false otherwise. If a violation is found and reporting is |
449 // configured (i.e. there is a report URI in |pkp_state| and | 451 // configured (i.e. there is a report URI in |pkp_state| and |
450 // |report_status| says to), this method sends an HPKP violation | 452 // |report_status| says to), this method sends an HPKP violation |
451 // report containing |served_certificate_chain| and | 453 // report containing |served_certificate_chain| and |
452 // |validated_certificate_chain|. | 454 // |validated_certificate_chain|. |
453 bool CheckPinsAndMaybeSendReport( | 455 bool CheckPinsAndMaybeSendReport( |
454 const HostPortPair& host_port_pair, | 456 const HostPortPair& host_port_pair, |
| 457 bool is_issued_by_known_root, |
455 const TransportSecurityState::PKPState& pkp_state, | 458 const TransportSecurityState::PKPState& pkp_state, |
456 const HashValueVector& hashes, | 459 const HashValueVector& hashes, |
457 const X509Certificate* served_certificate_chain, | 460 const X509Certificate* served_certificate_chain, |
458 const X509Certificate* validated_certificate_chain, | 461 const X509Certificate* validated_certificate_chain, |
459 const TransportSecurityState::PublicKeyPinReportStatus report_status, | 462 const TransportSecurityState::PublicKeyPinReportStatus report_status, |
460 std::string* failure_log); | 463 std::string* failure_log); |
461 | 464 |
462 // Returns true and updates |*expect_ct_result| iff there is a static | 465 // Returns true and updates |*expect_ct_result| iff there is a static |
463 // (built-in) state for |host| with expect_ct=true. | 466 // (built-in) state for |host| with expect_ct=true. |
464 bool GetStaticExpectCTState(const std::string& host, | 467 bool GetStaticExpectCTState(const std::string& host, |
(...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
499 // rate-limiting. | 502 // rate-limiting. |
500 ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>> | 503 ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>> |
501 sent_reports_cache_; | 504 sent_reports_cache_; |
502 | 505 |
503 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); | 506 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); |
504 }; | 507 }; |
505 | 508 |
506 } // namespace net | 509 } // namespace net |
507 | 510 |
508 #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 511 #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
OLD | NEW |