| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 5 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
| 6 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 6 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
| 7 | 7 |
| 8 #include <stdint.h> | 8 #include <stdint.h> |
| 9 | 9 |
| 10 #include <map> | 10 #include <map> |
| 11 #include <string> | 11 #include <string> |
| 12 | 12 |
| 13 #include "base/callback.h" | 13 #include "base/callback.h" |
| 14 #include "base/gtest_prod_util.h" | 14 #include "base/gtest_prod_util.h" |
| 15 #include "base/macros.h" | 15 #include "base/macros.h" |
| 16 #include "base/threading/non_thread_safe.h" | 16 #include "base/threading/non_thread_safe.h" |
| 17 #include "base/time/time.h" | 17 #include "base/time/time.h" |
| 18 #include "net/base/expiring_cache.h" | 18 #include "net/base/expiring_cache.h" |
| 19 #include "net/base/hash_value.h" | 19 #include "net/base/hash_value.h" |
| 20 #include "net/base/net_export.h" | 20 #include "net/base/net_export.h" |
| 21 #include "net/cert/x509_cert_types.h" | |
| 22 #include "net/cert/x509_certificate.h" | |
|
Ryan Sleevi
2016/06/23 22:11:52
Don't introduce these headers
| |
| 21 #include "url/gurl.h" | 23 #include "url/gurl.h" |
| 22 | 24 |
| 23 namespace net { | 25 namespace net { |
| 24 | 26 |
| 25 class HostPortPair; | 27 class HostPortPair; |
| 28 class OCSPVerifyResult; | |
| 26 class SSLInfo; | 29 class SSLInfo; |
| 27 class X509Certificate; | 30 class X509Certificate; |
| 28 | 31 |
| 29 // Tracks which hosts have enabled strict transport security and/or public | 32 // Tracks which hosts have enabled strict transport security and/or public |
| 30 // key pins. | 33 // key pins. |
| 31 // | 34 // |
| 32 // This object manages the in-memory store. Register a Delegate with | 35 // This object manages the in-memory store. Register a Delegate with |
| 33 // |SetDelegate| to persist the state to disk. | 36 // |SetDelegate| to persist the state to disk. |
| 34 // | 37 // |
| 35 // HTTP strict transport security (HSTS) is defined in | 38 // HTTP strict transport security (HSTS) is defined in |
| (...skipping 345 matching lines...) | |
| 381 // 1. The header value is "preload", indicating that the site wants to | 384 // 1. The header value is "preload", indicating that the site wants to |
| 382 // be opted in to Expect CT. | 385 // be opted in to Expect CT. |
| 383 // 2. The given host is present on the Expect CT preload list with a | 386 // 2. The given host is present on the Expect CT preload list with a |
| 384 // valid report-uri, and the build is timely (i.e. preload list is fresh). | 387 // valid report-uri, and the build is timely (i.e. preload list is fresh). |
| 385 // 3. |ssl_info| indicates that the connection violated the Expect CT policy. | 388 // 3. |ssl_info| indicates that the connection violated the Expect CT policy. |
| 386 // 4. An Expect CT reporter has been provided with SetExpectCTReporter(). | 389 // 4. An Expect CT reporter has been provided with SetExpectCTReporter(). |
| 387 void ProcessExpectCTHeader(const std::string& value, | 390 void ProcessExpectCTHeader(const std::string& value, |
| 388 const HostPortPair& host_port_pair, | 391 const HostPortPair& host_port_pair, |
| 389 const SSLInfo& ssl_info); | 392 const SSLInfo& ssl_info); |
| 390 | 393 |
| 394 // Checks to see if the given |host_port_pair| is in the Expect-Staple preload | |
| 395 // list. If the host is preloaded, this parses |ocsp_response|, validates | |
| 396 // it against |verified_certificate|, and ensures the OCSP response is valid | |
| 397 // at |verify_time| and is no older than |max_age|. If the OCSP response fails | |
| 398 // validation, this sends an Expect-Staple report to the preloaded report URI. | |
| 399 // The report will contain |unverified_certificate| iff | |
| 400 // |is_issued_by_known_root| is true. | |
|
svaldez
2016/06/23 14:03:15
Update comment.
| |
| 401 void CheckExpectStaple(const HostPortPair& host_port_pair, | |
| 402 const X509Certificate& verified_certificate, | |
| 403 const X509Certificate& unverified_certificate, | |
| 404 bool is_issued_by_known_root, | |
| 405 const OCSPVerifyResult& ocsp_verify_result); | |
| 406 | |
| 391 private: | 407 private: |
| 392 friend class TransportSecurityStateTest; | 408 friend class TransportSecurityStateTest; |
| 409 friend class ExpectStapleTest; | |
| 393 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly); | 410 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly); |
| 394 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0); | 411 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0); |
| 395 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins); | 412 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins); |
| 396 FRIEND_TEST_ALL_PREFIXES(URLRequestTestHTTP, ExpectCTHeader); | 413 FRIEND_TEST_ALL_PREFIXES(URLRequestTestHTTP, ExpectCTHeader); |
| 397 | 414 |
| 398 typedef std::map<std::string, STSState> STSStateMap; | 415 typedef std::map<std::string, STSState> STSStateMap; |
| 399 typedef std::map<std::string, PKPState> PKPStateMap; | 416 typedef std::map<std::string, PKPState> PKPStateMap; |
| 400 | 417 |
| 401 // Send an UMA report on pin validation failure, if the host is in a | 418 // Send an UMA report on pin validation failure, if the host is in a |
| 402 // statically-defined list of domains. | 419 // statically-defined list of domains. |
| 403 // | 420 // |
| 404 // TODO(palmer): This doesn't really belong here, and should be moved into | 421 // TODO(palmer): This doesn't really belong here, and should be moved into |
| 405 // the exactly one call site. This requires unifying |struct HSTSPreload| | 422 // the exactly one call site. This requires unifying |struct HSTSPreload| |
| 406 // (an implementation detail of this class) with a more generic | 423 // (an implementation detail of this class) with a more generic |
| 407 // representation of first-class DomainStates, and exposing the preloads | 424 // representation of first-class DomainStates, and exposing the preloads |
| 408 // to the caller with |GetStaticDomainState|. | 425 // to the caller with |GetStaticDomainState|. |
| 409 static void ReportUMAOnPinFailure(const std::string& host); | 426 static void ReportUMAOnPinFailure(const std::string& host); |
| 410 | 427 |
| 411 // IsBuildTimely returns true if the current build is new enough ensure that | 428 // IsBuildTimely returns true if the current build is new enough ensure that |
| 412 // built in security information (i.e. HSTS preloading and pinning | 429 // built in security information (i.e. HSTS preloading and pinning |
| 413 // information) is timely. | 430 // information) is timely. |
| 414 static bool IsBuildTimely(); | 431 static bool IsBuildTimely(); |
| 415 | 432 |
| 433 // Helper method for serializing an ExpectStaple report. | |
| 434 static bool SerializeExpectStapleReport( | |
| 435 const HostPortPair& host_port_pair, | |
| 436 const X509Certificate& unverified_certificate, | |
| 437 bool is_issued_by_known_root, | |
| 438 const OCSPVerifyResult& ocsp_verify_result, | |
| 439 std::string* serialized_report); | |
| 440 | |
| 416 // Helper method for actually checking pins. | 441 // Helper method for actually checking pins. |
| 417 PKPStatus CheckPublicKeyPinsImpl( | 442 PKPStatus CheckPublicKeyPinsImpl( |
| 418 const HostPortPair& host_port_pair, | 443 const HostPortPair& host_port_pair, |
| 419 bool is_issued_by_known_root, | 444 bool is_issued_by_known_root, |
| 420 const HashValueVector& hashes, | 445 const HashValueVector& hashes, |
| 421 const X509Certificate* served_certificate_chain, | 446 const X509Certificate* served_certificate_chain, |
| 422 const X509Certificate* validated_certificate_chain, | 447 const X509Certificate* validated_certificate_chain, |
| 423 const PublicKeyPinReportStatus report_status, | 448 const PublicKeyPinReportStatus report_status, |
| 424 std::string* failure_log); | 449 std::string* failure_log); |
| 425 | 450 |
| (...skipping 79 matching lines...) | |
| 505 // rate-limiting. | 530 // rate-limiting. |
| 506 ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>> | 531 ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>> |
| 507 sent_reports_cache_; | 532 sent_reports_cache_; |
| 508 | 533 |
| 509 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); | 534 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); |
| 510 }; | 535 }; |
| 511 | 536 |
| 512 } // namespace net | 537 } // namespace net |
| 513 | 538 |
| 514 #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 539 #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
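Review bot: The one-line comment on `SerializeExpectStapleReport` (new lines 433-439) leaves its contract undocumented: it does not say what a `false` return means, what state `*serialized_report` is left in on failure, or how `is_issued_by_known_root` affects the output. Because the serialized report is sent to a report URI, the rule that decides whether the served certificate is included should be stated on the function that builds the report. Assuming the helper is where that rule is applied, something like `// Serializes an Expect-Staple report for |host_port_pair| into |*serialized_report|; |unverified_certificate| is included only if |is_issued_by_known_root| is true. Returns false, leaving |*serialized_report| unspecified, if serialization fails.` would do, adjusted to the real behaviour. As a style point, `verified_certificate`/`unverified_certificate` here differ from `validated_certificate_chain`/`served_certificate_chain` on `CheckPublicKeyPinsImpl` a few lines below; one naming pair across both would make it harder to pass the wrong chain to the reporting path.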