Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1112)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/http/transport_security_state.cc

Issue 2016143002: Expose when PKP is bypassed in SSLInfo. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: optional nits Created 4 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« net/cert/cert_verify_result.h ('K') | « net/http/transport_security_state.h ('k') | net/http/transport_security_state_unittest.cc » ('j') | net/quic/crypto/proof_verifier_chromium_test.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/http/transport_security_state.cc
diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc
index 16217a0c022e9f2149c698e9b45e9b1e1b6ed9ec..c45851ebe2d3cec7cb58e5348b08cfe0229ec41f 100644
--- a/net/http/transport_security_state.cc
+++ b/net/http/transport_security_state.cc
@@ -664,18 +664,20 @@ bool TransportSecurityState::CheckPublicKeyPins(
const X509Certificate* validated_certificate_chain,
const PublicKeyPinReportStatus report_status,
std::string* pinning_failure_log) {
- // Perform pin validation if, and only if, all these conditions obtain:
- //
- // * the server's certificate chain chains up to a known root (i.e. not a
- // user-installed trust anchor); and
- // * the server actually has public key pins.
- if (!is_issued_by_known_root || !HasPublicKeyPins(host_port_pair.host())) {
+ // Perform pin validation only if the server actually has public key pins.
+ if (!HasPublicKeyPins(host_port_pair.host())) {
return true;
}
bool pins_are_valid = CheckPublicKeyPinsImpl(
- host_port_pair, public_key_hashes, served_certificate_chain,
- validated_certificate_chain, report_status, pinning_failure_log);
+ host_port_pair, is_issued_by_known_root, public_key_hashes,
+ served_certificate_chain, validated_certificate_chain, report_status,
+ pinning_failure_log);
+ // Don't track statistics when a local trust anchor would override the pinning
+ // anyway.
+ if (!is_issued_by_known_root) {
+ return pins_are_valid;
+ }
Ryan Sleevi 2016/06/09 19:17:32 STYLE: No braces on single-line conditionals
if (!pins_are_valid) {
LOG(ERROR) << *pinning_failure_log;
ReportUMAOnPinFailure(host_port_pair.host());
@@ -806,6 +808,7 @@ void TransportSecurityState::EnablePKPHost(const std::string& host,
bool TransportSecurityState::CheckPinsAndMaybeSendReport(
const HostPortPair& host_port_pair,
+ bool is_issued_by_known_root,
const TransportSecurityState::PKPState& pkp_state,
const HashValueVector& hashes,
const X509Certificate* served_certificate_chain,
@@ -815,7 +818,7 @@ bool TransportSecurityState::CheckPinsAndMaybeSendReport(
if (pkp_state.CheckPublicKeyPins(hashes, failure_log))
return true;
- if (!report_sender_ ||
+ if (!report_sender_ || !is_issued_by_known_root ||
report_status != TransportSecurityState::ENABLE_PIN_REPORTS ||
pkp_state.report_uri.is_empty()) {
return false;
@@ -1057,14 +1060,10 @@ bool TransportSecurityState::ProcessHPKPReportOnlyHeader(
pkp_state.report_uri = report_uri;
pkp_state.domain = DNSDomainToString(CanonicalizeHost(host_port_pair.host()));
- // Only perform pin validation if the cert chains up to a known root.
- if (!ssl_info.is_issued_by_known_root)
- return true;
-
CheckPinsAndMaybeSendReport(
- host_port_pair, pkp_state, ssl_info.public_key_hashes,
- ssl_info.unverified_cert.get(), ssl_info.cert.get(), ENABLE_PIN_REPORTS,
- &unused_failure_log);
+ host_port_pair, ssl_info.is_issued_by_known_root, pkp_state,
+ ssl_info.public_key_hashes, ssl_info.unverified_cert.get(),
+ ssl_info.cert.get(), ENABLE_PIN_REPORTS, &unused_failure_log);
return true;
}
@@ -1121,6 +1120,7 @@ bool TransportSecurityState::IsBuildTimely() {
bool TransportSecurityState::CheckPublicKeyPinsImpl(
const HostPortPair& host_port_pair,
+ bool is_issued_by_known_root,
const HashValueVector& hashes,
const X509Certificate* served_certificate_chain,
const X509Certificate* validated_certificate_chain,
@@ -1137,8 +1137,9 @@ bool TransportSecurityState::CheckPublicKeyPinsImpl(
}
return CheckPinsAndMaybeSendReport(
- host_port_pair, pkp_state, hashes, served_certificate_chain,
- validated_certificate_chain, report_status, failure_log);
+ host_port_pair, is_issued_by_known_root, pkp_state, hashes,
+ served_certificate_chain, validated_certificate_chain, report_status,
+ failure_log);
}
bool TransportSecurityState::GetStaticDomainState(const std::string& host,
« net/cert/cert_verify_result.h ('K') | « net/http/transport_security_state.h ('k') | net/http/transport_security_state_unittest.cc » ('j') | net/quic/crypto/proof_verifier_chromium_test.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698