Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(189)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/http/transport_security_state.h

Issue 2040513003: Implement Expect-Staple (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Cleanup imports Created 4 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« net/cert/expect_staple_report_unittest.cc ('K') | « net/cert/expect_staple_report_unittest.cc ('k') | net/http/transport_security_state.cc » ('j') | net/http/transport_security_state.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_ 5 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_
6 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_ 6 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_
7 7
8 #include <stdint.h> 8 #include <stdint.h>
9 9
10 #include <map> 10 #include <map>
11 #include <string> 11 #include <string>
12 #include <utility> 12 #include <utility>
13 #include <vector> 13 #include <vector>
14 14
15 #include "base/callback.h" 15 #include "base/callback.h"
16 #include "base/gtest_prod_util.h" 16 #include "base/gtest_prod_util.h"
17 #include "base/macros.h" 17 #include "base/macros.h"
18 #include "base/threading/non_thread_safe.h" 18 #include "base/threading/non_thread_safe.h"
19 #include "base/time/time.h" 19 #include "base/time/time.h"
20 #include "net/base/expiring_cache.h" 20 #include "net/base/expiring_cache.h"
21 #include "net/base/net_export.h" 21 #include "net/base/net_export.h"
22 #include "net/cert/x509_cert_types.h" 22 #include "net/cert/x509_cert_types.h"
23 #include "net/cert/x509_certificate.h" 23 #include "net/cert/x509_certificate.h"
24 #include "url/gurl.h" 24 #include "url/gurl.h"
25 25
26 class GURL; 26 class GURL;
27 27
28 namespace net { 28 namespace net {
29 29
30 class ExpectStapleReport;
30 class HostPortPair; 31 class HostPortPair;
31 class SSLInfo; 32 class SSLInfo;
32 33
33 // Tracks which hosts have enabled strict transport security and/or public 34 // Tracks which hosts have enabled strict transport security and/or public
34 // key pins. 35 // key pins.
35 // 36 //
36 // This object manages the in-memory store. Register a Delegate with 37 // This object manages the in-memory store. Register a Delegate with
37 // |SetDelegate| to persist the state to disk. 38 // |SetDelegate| to persist the state to disk.
38 // 39 //
39 // HTTP strict transport security (HSTS) is defined in 40 // HTTP strict transport security (HSTS) is defined in
(...skipping 338 matching lines...) Expand 10 before | Expand all | Expand 10 after
378 // 1. The header value is "preload", indicating that the site wants to 379 // 1. The header value is "preload", indicating that the site wants to
379 // be opted in to Expect CT. 380 // be opted in to Expect CT.
380 // 2. The given host is present on the Expect CT preload list with a 381 // 2. The given host is present on the Expect CT preload list with a
381 // valid report-uri, and the build is timely (i.e. preload list is fresh). 382 // valid report-uri, and the build is timely (i.e. preload list is fresh).
382 // 3. |ssl_info| indicates that the connection violated the Expect CT policy. 383 // 3. |ssl_info| indicates that the connection violated the Expect CT policy.
383 // 4. An Expect CT reporter has been provided with SetExpectCTReporter(). 384 // 4. An Expect CT reporter has been provided with SetExpectCTReporter().
384 void ProcessExpectCTHeader(const std::string& value, 385 void ProcessExpectCTHeader(const std::string& value,
385 const HostPortPair& host_port_pair, 386 const HostPortPair& host_port_pair,
386 const SSLInfo& ssl_info); 387 const SSLInfo& ssl_info);
387 388
389 void CheckExpectStaple(const HostPortPair& host_port_pair,
svaldez 2016/06/16 11:14:38 Add comment about what this does.
dadrian 2016/06/16 19:20:18 Done.
390 const X509Certificate& verified_certificate,
391 const X509Certificate& unverified_certificate,
392 bool is_issued_by_known_root,
393 const base::Time& verify_time,
394 const base::TimeDelta& max_age,
395 const std::string& ocsp_response);
396
388 private: 397 private:
389 friend class TransportSecurityStateTest; 398 friend class TransportSecurityStateTest;
399 friend class ExpectStapleTest;
390 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly); 400 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly);
391 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0); 401 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0);
392 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins); 402 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins);
393 FRIEND_TEST_ALL_PREFIXES(URLRequestTestHTTP, ExpectCTHeader); 403 FRIEND_TEST_ALL_PREFIXES(URLRequestTestHTTP, ExpectCTHeader);
394 404
395 typedef std::map<std::string, STSState> STSStateMap; 405 typedef std::map<std::string, STSState> STSStateMap;
396 typedef std::map<std::string, PKPState> PKPStateMap; 406 typedef std::map<std::string, PKPState> PKPStateMap;
397 407
398 // Send an UMA report on pin validation failure, if the host is in a 408 // Send an UMA report on pin validation failure, if the host is in a
399 // statically-defined list of domains. 409 // statically-defined list of domains.
400 // 410 //
401 // TODO(palmer): This doesn't really belong here, and should be moved into 411 // TODO(palmer): This doesn't really belong here, and should be moved into
402 // the exactly one call site. This requires unifying |struct HSTSPreload| 412 // the exactly one call site. This requires unifying |struct HSTSPreload|
403 // (an implementation detail of this class) with a more generic 413 // (an implementation detail of this class) with a more generic
404 // representation of first-class DomainStates, and exposing the preloads 414 // representation of first-class DomainStates, and exposing the preloads
405 // to the caller with |GetStaticDomainState|. 415 // to the caller with |GetStaticDomainState|.
406 static void ReportUMAOnPinFailure(const std::string& host); 416 static void ReportUMAOnPinFailure(const std::string& host);
407 417
408 // IsBuildTimely returns true if the current build is new enough ensure that 418 // IsBuildTimely returns true if the current build is new enough ensure that
409 // built in security information (i.e. HSTS preloading and pinning 419 // built in security information (i.e. HSTS preloading and pinning
410 // information) is timely. 420 // information) is timely.
411 static bool IsBuildTimely(); 421 static bool IsBuildTimely();
412 422
423 // Helper method for serializing an ExpectStaple report.
424 static bool SerializeExpectStapleReport(
425 const HostPortPair& host_port_pair,
426 const X509Certificate& unverified_certificate,
427 bool is_issued_by_known_root,
428 const ExpectStapleReport& report,
429 std::string* serialized_report);
430
413 // Helper method for actually checking pins. 431 // Helper method for actually checking pins.
414 bool CheckPublicKeyPinsImpl( 432 bool CheckPublicKeyPinsImpl(
415 const HostPortPair& host_port_pair, 433 const HostPortPair& host_port_pair,
416 bool is_issued_by_known_root, 434 bool is_issued_by_known_root,
417 const HashValueVector& hashes, 435 const HashValueVector& hashes,
418 const X509Certificate* served_certificate_chain, 436 const X509Certificate* served_certificate_chain,
419 const X509Certificate* validated_certificate_chain, 437 const X509Certificate* validated_certificate_chain,
420 const PublicKeyPinReportStatus report_status, 438 const PublicKeyPinReportStatus report_status,
421 std::string* failure_log); 439 std::string* failure_log);
422 440
(...skipping 79 matching lines...) Expand 10 before | Expand all | Expand 10 after
502 // rate-limiting. 520 // rate-limiting.
503 ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>> 521 ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>>
504 sent_reports_cache_; 522 sent_reports_cache_;
505 523
506 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); 524 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState);
507 }; 525 };
508 526
509 } // namespace net 527 } // namespace net
510 528
511 #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_H_ 529 #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_H_
OLDNEW
« net/cert/expect_staple_report_unittest.cc ('K') | « net/cert/expect_staple_report_unittest.cc ('k') | net/http/transport_security_state.cc » ('j') | net/http/transport_security_state.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698