OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 5 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
6 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 6 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
7 | 7 |
8 #include <stdint.h> | 8 #include <stdint.h> |
9 | 9 |
10 #include <map> | 10 #include <map> |
11 #include <string> | 11 #include <string> |
12 #include <utility> | 12 #include <utility> |
13 #include <vector> | 13 #include <vector> |
14 | 14 |
15 #include "base/callback.h" | 15 #include "base/callback.h" |
16 #include "base/gtest_prod_util.h" | 16 #include "base/gtest_prod_util.h" |
17 #include "base/macros.h" | 17 #include "base/macros.h" |
18 #include "base/threading/non_thread_safe.h" | 18 #include "base/threading/non_thread_safe.h" |
19 #include "base/time/time.h" | 19 #include "base/time/time.h" |
20 #include "net/base/expiring_cache.h" | 20 #include "net/base/expiring_cache.h" |
21 #include "net/base/net_export.h" | 21 #include "net/base/net_export.h" |
22 #include "net/cert/x509_cert_types.h" | 22 #include "net/cert/x509_cert_types.h" |
23 #include "net/cert/x509_certificate.h" | 23 #include "net/cert/x509_certificate.h" |
24 #include "url/gurl.h" | 24 #include "url/gurl.h" |
25 | 25 |
26 class GURL; | 26 class GURL; |
27 | 27 |
28 namespace net { | 28 namespace net { |
29 | 29 |
30 class ExpectStapleReport; | |
30 class HostPortPair; | 31 class HostPortPair; |
31 class SSLInfo; | 32 class SSLInfo; |
32 | 33 |
33 // Tracks which hosts have enabled strict transport security and/or public | 34 // Tracks which hosts have enabled strict transport security and/or public |
34 // key pins. | 35 // key pins. |
35 // | 36 // |
36 // This object manages the in-memory store. Register a Delegate with | 37 // This object manages the in-memory store. Register a Delegate with |
37 // |SetDelegate| to persist the state to disk. | 38 // |SetDelegate| to persist the state to disk. |
38 // | 39 // |
39 // HTTP strict transport security (HSTS) is defined in | 40 // HTTP strict transport security (HSTS) is defined in |
(...skipping 338 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
378 // 1. The header value is "preload", indicating that the site wants to | 379 // 1. The header value is "preload", indicating that the site wants to |
379 // be opted in to Expect CT. | 380 // be opted in to Expect CT. |
380 // 2. The given host is present on the Expect CT preload list with a | 381 // 2. The given host is present on the Expect CT preload list with a |
381 // valid report-uri, and the build is timely (i.e. preload list is fresh). | 382 // valid report-uri, and the build is timely (i.e. preload list is fresh). |
382 // 3. |ssl_info| indicates that the connection violated the Expect CT policy. | 383 // 3. |ssl_info| indicates that the connection violated the Expect CT policy. |
383 // 4. An Expect CT reporter has been provided with SetExpectCTReporter(). | 384 // 4. An Expect CT reporter has been provided with SetExpectCTReporter(). |
384 void ProcessExpectCTHeader(const std::string& value, | 385 void ProcessExpectCTHeader(const std::string& value, |
385 const HostPortPair& host_port_pair, | 386 const HostPortPair& host_port_pair, |
386 const SSLInfo& ssl_info); | 387 const SSLInfo& ssl_info); |
387 | 388 |
389 void CheckExpectStaple(const HostPortPair& host_port_pair, | |
svaldez
2016/06/16 11:14:38
Add comment about what this does.
dadrian
2016/06/16 19:20:18
Done.
| |
390 const X509Certificate& verified_certificate, | |
391 const X509Certificate& unverified_certificate, | |
392 bool is_issued_by_known_root, | |
393 const base::Time& verify_time, | |
394 const base::TimeDelta& max_age, | |
395 const std::string& ocsp_response); | |
396 | |
388 private: | 397 private: |
389 friend class TransportSecurityStateTest; | 398 friend class TransportSecurityStateTest; |
399 friend class ExpectStapleTest; | |
390 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly); | 400 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly); |
391 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0); | 401 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0); |
392 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins); | 402 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins); |
393 FRIEND_TEST_ALL_PREFIXES(URLRequestTestHTTP, ExpectCTHeader); | 403 FRIEND_TEST_ALL_PREFIXES(URLRequestTestHTTP, ExpectCTHeader); |
394 | 404 |
395 typedef std::map<std::string, STSState> STSStateMap; | 405 typedef std::map<std::string, STSState> STSStateMap; |
396 typedef std::map<std::string, PKPState> PKPStateMap; | 406 typedef std::map<std::string, PKPState> PKPStateMap; |
397 | 407 |
398 // Send an UMA report on pin validation failure, if the host is in a | 408 // Send an UMA report on pin validation failure, if the host is in a |
399 // statically-defined list of domains. | 409 // statically-defined list of domains. |
400 // | 410 // |
401 // TODO(palmer): This doesn't really belong here, and should be moved into | 411 // TODO(palmer): This doesn't really belong here, and should be moved into |
402 // the exactly one call site. This requires unifying |struct HSTSPreload| | 412 // the exactly one call site. This requires unifying |struct HSTSPreload| |
403 // (an implementation detail of this class) with a more generic | 413 // (an implementation detail of this class) with a more generic |
404 // representation of first-class DomainStates, and exposing the preloads | 414 // representation of first-class DomainStates, and exposing the preloads |
405 // to the caller with |GetStaticDomainState|. | 415 // to the caller with |GetStaticDomainState|. |
406 static void ReportUMAOnPinFailure(const std::string& host); | 416 static void ReportUMAOnPinFailure(const std::string& host); |
407 | 417 |
408 // IsBuildTimely returns true if the current build is new enough ensure that | 418 // IsBuildTimely returns true if the current build is new enough ensure that |
409 // built in security information (i.e. HSTS preloading and pinning | 419 // built in security information (i.e. HSTS preloading and pinning |
410 // information) is timely. | 420 // information) is timely. |
411 static bool IsBuildTimely(); | 421 static bool IsBuildTimely(); |
412 | 422 |
423 // Helper method for serializing an ExpectStaple report. | |
424 static bool SerializeExpectStapleReport( | |
425 const HostPortPair& host_port_pair, | |
426 const X509Certificate& unverified_certificate, | |
427 bool is_issued_by_known_root, | |
428 const ExpectStapleReport& report, | |
429 std::string* serialized_report); | |
430 | |
413 // Helper method for actually checking pins. | 431 // Helper method for actually checking pins. |
414 bool CheckPublicKeyPinsImpl( | 432 bool CheckPublicKeyPinsImpl( |
415 const HostPortPair& host_port_pair, | 433 const HostPortPair& host_port_pair, |
416 bool is_issued_by_known_root, | 434 bool is_issued_by_known_root, |
417 const HashValueVector& hashes, | 435 const HashValueVector& hashes, |
418 const X509Certificate* served_certificate_chain, | 436 const X509Certificate* served_certificate_chain, |
419 const X509Certificate* validated_certificate_chain, | 437 const X509Certificate* validated_certificate_chain, |
420 const PublicKeyPinReportStatus report_status, | 438 const PublicKeyPinReportStatus report_status, |
421 std::string* failure_log); | 439 std::string* failure_log); |
422 | 440 |
(...skipping 79 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
502 // rate-limiting. | 520 // rate-limiting. |
503 ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>> | 521 ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>> |
504 sent_reports_cache_; | 522 sent_reports_cache_; |
505 | 523 |
506 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); | 524 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); |
507 }; | 525 }; |
508 | 526 |
509 } // namespace net | 527 } // namespace net |
510 | 528 |
511 #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 529 #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
OLD | NEW |