Implement Expect-Staple

net/http/transport_security_state.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_
 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_
 
 #include <stdint.h>
 
 #include <map>
@@ skipping 366 matching lines @@
   // 1. The header value is "preload", indicating that the site wants to
   // be opted in to Expect CT.
   // 2. The given host is present on the Expect CT preload list with a
   // valid report-uri, and the build is timely (i.e. preload list is fresh).
   // 3. |ssl_info| indicates that the connection violated the Expect CT policy.
   // 4. An Expect CT reporter has been provided with SetExpectCTReporter().
   void ProcessExpectCTHeader(const std::string& value,
                              const HostPortPair& host_port_pair,
                              const SSLInfo& ssl_info);
 
+  void CheckExpectStaple(const HostPortPair& host_port_pair,

[estark, 2016/06/09 21:24:14]

prob needs some documentation

Also (having not read anything else but this header file so far), why does this
method take an ExpectStapleState as the argument? That seems different than the
other similar functions, like CheckPublicKeyPins(0.

[dadrian, 2016/06/10 01:05:52]

It could probably just take the report URI.

+                         const ExpectStapleState& expect_state_state,
+                         const X509Certificate& certificate,
+                         const std::string& ocsp_response);
+
+  // Returns true and updates |*expect_staple_result| iff there is a static
+  // (built-in) state for |host| with expect_staple=true, or if |host| is a
+  // subdomain of another domain with expect_staple=true and
+  // include_subdomains_for_expect_staple=true.
+  bool GetStaticExpectStapleState(

[estark, 2016/06/09 21:24:15]

Why's this public when its compatriots (GetStaticExpectCTState, etc.) are
private?

[dadrian, 2016/06/10 01:05:53]

Because we only parse OCSP responses if the host is in the preload list.

[svaldez, 2016/06/13 14:03:04]

Would it make more sense to have CheckExpectStaple wrap a call to
GetStaticExpectStapleState, or have another wrapper around the combined call?

[dadrian, 2016/06/13 23:03:32]

Done.

+      const std::string& host,
+      ExpectStapleState* expect_staple_result) const;
+
  private:
   friend class TransportSecurityStateTest;
   FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly);
   FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0);
   FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins);
   FRIEND_TEST_ALL_PREFIXES(URLRequestTestHTTP, ExpectCTHeader);
 
   typedef std::map<std::string, STSState> STSStateMap;
   typedef std::map<std::string, PKPState> PKPStateMap;
 
@@ skipping 60 matching lines @@
       const X509Certificate* served_certificate_chain,
       const X509Certificate* validated_certificate_chain,
       const TransportSecurityState::PublicKeyPinReportStatus report_status,
       std::string* failure_log);
 
   // Returns true and updates |*expect_ct_result| iff there is a static
   // (built-in) state for |host| with expect_ct=true.
   bool GetStaticExpectCTState(const std::string& host,
                               ExpectCTState* expect_ct_result) const;
 
-  // Returns true and updates |*expect_staple_result| iff there is a static
-  // (built-in) state for |host| with expect_staple=true, or if |host| is a
-  // subdomain of another domain with expect_staple=true and
-  // include_subdomains_for_expect_staple=true.
-  bool GetStaticExpectStapleState(
-      const std::string& host,
-      ExpectStapleState* expect_staple_result) const;
-
   // The sets of hosts that have enabled TransportSecurity. |domain| will always
   // be empty for a STSState or PKPState in these maps; the domain
   // comes from the map keys instead. In addition, |upgrade_mode| in the
   // STSState is never MODE_DEFAULT and |HasPublicKeyPins| in the PKPState
   // always returns true.
   STSStateMap enabled_sts_hosts_;
   PKPStateMap enabled_pkp_hosts_;
 
   Delegate* delegate_;
 
   ReportSender* report_sender_;
 
   // True if static pins should be used.
   bool enable_static_pins_;
 
   // True if static expect-CT state should be used.
   bool enable_static_expect_ct_;
 
+  ExpectCTReporter* expect_ct_reporter_;
+

[estark, 2016/06/09 21:24:15]

any reason for this change?

[dadrian, 2016/06/10 01:05:52]

No idea. I'll try to figure out where this came from.

[dadrian, 2016/06/13 23:03:32]

Just a formatting snafu. Reverted.

   // True if static expect-staple state should be used.
   bool enable_static_expect_staple_;
 
-  ExpectCTReporter* expect_ct_reporter_;
-
   // Keeps track of reports that have been sent recently for
   // rate-limiting.
   ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>>
       sent_reports_cache_;
 
   DISALLOW_COPY_AND_ASSIGN(TransportSecurityState);
 };
 
 }  // namespace net
 
 #endif  // NET_HTTP_TRANSPORT_SECURITY_STATE_H_