Implement Expect-Staple

net/http/transport_security_state.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_state.h"
 
 #include <algorithm>
 #include <memory>
 #include <utility>
 #include <vector>
 
 #include "base/base64.h"
 #include "base/build_time.h"
 #include "base/json/json_writer.h"
 #include "base/logging.h"
 #include "base/memory/ptr_util.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/metrics/sparse_histogram.h"
 #include "base/sha1.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/values.h"
 #include "crypto/sha2.h"
 #include "net/base/host_port_pair.h"
 #include "net/cert/ct_policy_status.h"
+#include "net/cert/internal/parse_ocsp.h"
+#include "net/cert/ocsp_verify_result.h"
 #include "net/cert/x509_cert_types.h"
 #include "net/cert/x509_certificate.h"
 #include "net/dns/dns_util.h"
 #include "net/http/http_security_headers.h"
 #include "net/ssl/ssl_info.h"
 
 namespace net {
 
 namespace {
 
@@ skipping 110 matching lines @@
   report.SetString("effective-expiration-date",
                    TimeToISO8601(pkp_state.expiry));
   if (!base::JSONWriter::Write(report, serialized_report)) {
     LOG(ERROR) << "Failed to serialize HPKP violation report.";
     return false;
   }
 
   return true;
 }
 
+std::string OCSPCertStatusToString(OCSPCertStatus::Status status) {

[svaldez, 2016/06/23 14:03:15]

Possibly attach this to ocsp_verify_result?

[Ryan Sleevi, 2016/06/23 22:11:52]

I'm actually supportive of leaving it here, since these strings are meaningful
in the report-API sense, not just the C++ API sense

[Ryan Sleevi, 2016/06/23 22:11:52]

return "const char*" - don't force a string coercion unless the caller wants it
:)

+  switch (status) {
+    case OCSPCertStatus::Status::GOOD:
+      return "GOOD";
+    case OCSPCertStatus::Status::REVOKED:
+      return "REVOKED";
+    case OCSPCertStatus::Status::UNKNOWN:
+      return "UNKNOWN";
+  }
+  return "";
+}
+
 // Do not send a report over HTTPS to the same host that set the
 // pin. Such report URIs will result in loops. (A.com has a pinning
 // violation which results in a report being sent to A.com, which
 // results in a pinning violation which results in a report being sent
 // to A.com, etc.)
 bool IsReportUriValidForHost(const GURL& report_uri, const std::string& host) {
   return (report_uri.host_piece() != host ||
           !report_uri.SchemeIsCryptographic());
 }
 
@@ skipping 928 matching lines @@
   }
 
   ExpectCTState state;
   if (!GetStaticExpectCTState(host_port_pair.host(), &state))
     return;
 
   expect_ct_reporter_->OnExpectCTFailed(host_port_pair, state.report_uri,
                                         ssl_info);
 }
 
+void TransportSecurityState::CheckExpectStaple(
+    const HostPortPair& host_port_pair,
+    const X509Certificate& verified_certificate,
+    const X509Certificate& unverified_certificate,
+    bool is_issued_by_known_root,
+    const OCSPVerifyResult& ocsp_verify_result) {
+  DCHECK(CalledOnValidThread());
+  if (!enable_static_expect_staple_ || !report_sender_)
+    return;
+
+  // Don't check preload or send report if the staple was good.
+  if (ocsp_verify_result.cert_status.value_or(
+          OCSPCertStatus::Status::UNKNOWN) == OCSPCertStatus::Status::GOOD) {
+    return;
+  }
+
+  // Check to see if the host is preloaded.
+  ExpectStapleState expect_staple_state;
+  if (!GetStaticExpectStapleState(host_port_pair.host(), &expect_staple_state))
+    return;
+
+  if (expect_staple_state.report_uri.is_empty())
+    return;
+
+  // Report failure.
+  std::string serialized_report;
+  if (!SerializeExpectStapleReport(host_port_pair, unverified_certificate,
+                                   is_issued_by_known_root, ocsp_verify_result,
+                                   &serialized_report)) {
+    return;
+  }
+  report_sender_->Send(expect_staple_state.report_uri, serialized_report);
+}
+
 // static
 void TransportSecurityState::ReportUMAOnPinFailure(const std::string& host) {
   PreloadResult result;
   if (!DecodeHSTSPreload(host, &result) ||
       !result.has_pins) {
     return;
   }
 
   DCHECK(result.domain_id != DOMAIN_NOT_PINNED);
 
@@ skipping 26 matching lines @@
 
   // HasPublicKeyPins should have returned true in order for this method to have
   // been called.
   DCHECK(found_state);
   return CheckPinsAndMaybeSendReport(
       host_port_pair, is_issued_by_known_root, pkp_state, hashes,
       served_certificate_chain, validated_certificate_chain, report_status,
       failure_log);
 }
 
+// static
+bool TransportSecurityState::SerializeExpectStapleReport(
+    const HostPortPair& host_port_pair,
+    const X509Certificate& unverified_certificate,
+    bool is_issued_by_known_root,
+    const OCSPVerifyResult& ocsp_verify_result,
+    std::string* serialized_report) {
+  base::DictionaryValue report_dict;
+  report_dict.SetString("date-time", TimeToISO8601(base::Time::Now()));
+  report_dict.SetString("hostname", host_port_pair.host());
+  report_dict.SetInteger("port", host_port_pair.port());
+
+  // Add the list of each stapled OCSP response
+  std::unique_ptr<base::Value> ocsp_responses(new base::ListValue);
+  for (const auto& staple : ocsp_verify_result.stapled_responses) {
+    std::unique_ptr<base::DictionaryValue> response(new base::DictionaryValue);
+    response->SetBoolean("is-date-valid", staple.is_date_valid);
+    response->SetBoolean("is-correct-certificate",
+                         staple.is_correct_certificate);
+    response->SetString("status", OCSPCertStatusToString(staple.status));
+    base::ListValue* responses_list =
+        reinterpret_cast<base::ListValue*>(ocsp_responses.get());
+    responses_list->Append(std::move(response));
+  }
+  report_dict.Set("ocsp-responses", std::move(ocsp_responses));
+
+  // Only add the certificate chain to the report if its public
+  if (is_issued_by_known_root)
+    report_dict.Set("served-certificate-chain",
+                    GetPEMEncodedChainAsList(&unverified_certificate));
+
+  if (!base::JSONWriter::Write(report_dict, serialized_report)) {
+    LOG(ERROR) << "Failed to serialize Expect-Staple report";
+    return false;
+  }
+  return true;
+}
+
 bool TransportSecurityState::GetStaticDomainState(const std::string& host,
                                                   STSState* sts_state,
                                                   PKPState* pkp_state) const {
   DCHECK(CalledOnValidThread());
 
   sts_state->upgrade_mode = STSState::MODE_FORCE_HTTPS;
   sts_state->include_subdomains = false;
   pkp_state->include_subdomains = false;
 
   if (!IsBuildTimely())
@@ skipping 238 matching lines @@
 TransportSecurityState::PKPStateIterator::PKPStateIterator(
     const TransportSecurityState& state)
     : iterator_(state.enabled_pkp_hosts_.begin()),
       end_(state.enabled_pkp_hosts_.end()) {
 }
 
 TransportSecurityState::PKPStateIterator::~PKPStateIterator() {
 }
 
 }  // namespace