OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 5 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
6 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 6 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
7 | 7 |
8 #include <stdint.h> | 8 #include <stdint.h> |
9 | 9 |
10 #include <map> | 10 #include <map> |
11 #include <string> | 11 #include <string> |
12 #include <utility> | 12 #include <utility> |
13 #include <vector> | 13 #include <vector> |
14 | 14 |
15 #include "base/callback.h" | 15 #include "base/callback.h" |
16 #include "base/gtest_prod_util.h" | 16 #include "base/gtest_prod_util.h" |
17 #include "base/macros.h" | 17 #include "base/macros.h" |
18 #include "base/threading/non_thread_safe.h" | 18 #include "base/threading/non_thread_safe.h" |
19 #include "base/time/time.h" | 19 #include "base/time/time.h" |
20 #include "net/base/expiring_cache.h" | 20 #include "net/base/expiring_cache.h" |
21 #include "net/base/net_export.h" | 21 #include "net/base/net_export.h" |
22 #include "net/cert/ocsp_staple.h" | |
22 #include "net/cert/x509_cert_types.h" | 23 #include "net/cert/x509_cert_types.h" |
23 #include "net/cert/x509_certificate.h" | 24 #include "net/cert/x509_certificate.h" |
24 #include "url/gurl.h" | 25 #include "url/gurl.h" |
25 | 26 |
26 class GURL; | 27 class GURL; |
27 | 28 |
28 namespace net { | 29 namespace net { |
29 | 30 |
30 class HostPortPair; | 31 class HostPortPair; |
31 class SSLInfo; | 32 class SSLInfo; |
(...skipping 345 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
377 // 1. The header value is "preload", indicating that the site wants to | 378 // 1. The header value is "preload", indicating that the site wants to |
378 // be opted in to Expect CT. | 379 // be opted in to Expect CT. |
379 // 2. The given host is present on the Expect CT preload list with a | 380 // 2. The given host is present on the Expect CT preload list with a |
380 // valid report-uri, and the build is timely (i.e. preload list is fresh). | 381 // valid report-uri, and the build is timely (i.e. preload list is fresh). |
381 // 3. |ssl_info| indicates that the connection violated the Expect CT policy. | 382 // 3. |ssl_info| indicates that the connection violated the Expect CT policy. |
382 // 4. An Expect CT reporter has been provided with SetExpectCTReporter(). | 383 // 4. An Expect CT reporter has been provided with SetExpectCTReporter(). |
383 void ProcessExpectCTHeader(const std::string& value, | 384 void ProcessExpectCTHeader(const std::string& value, |
384 const HostPortPair& host_port_pair, | 385 const HostPortPair& host_port_pair, |
385 const SSLInfo& ssl_info); | 386 const SSLInfo& ssl_info); |
386 | 387 |
388 void CheckExpectStaple(const HostPortPair& host_port_pair, | |
389 const X509Certificate& verified_certificate, | |
390 const X509Certificate& unverified_certificate, | |
391 const base::Time& verify_time, | |
392 const base::TimeDelta& max_age, | |
393 const std::string& ocsp_response); | |
394 | |
387 private: | 395 private: |
388 friend class TransportSecurityStateTest; | 396 friend class TransportSecurityStateTest; |
397 friend class ExpectStapleTest; | |
389 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly); | 398 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly); |
390 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0); | 399 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0); |
391 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins); | 400 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins); |
392 FRIEND_TEST_ALL_PREFIXES(URLRequestTestHTTP, ExpectCTHeader); | 401 FRIEND_TEST_ALL_PREFIXES(URLRequestTestHTTP, ExpectCTHeader); |
393 | 402 |
394 typedef std::map<std::string, STSState> STSStateMap; | 403 typedef std::map<std::string, STSState> STSStateMap; |
395 typedef std::map<std::string, PKPState> PKPStateMap; | 404 typedef std::map<std::string, PKPState> PKPStateMap; |
396 | 405 |
397 // Send an UMA report on pin validation failure, if the host is in a | 406 // Send an UMA report on pin validation failure, if the host is in a |
398 // statically-defined list of domains. | 407 // statically-defined list of domains. |
399 // | 408 // |
400 // TODO(palmer): This doesn't really belong here, and should be moved into | 409 // TODO(palmer): This doesn't really belong here, and should be moved into |
401 // the exactly one call site. This requires unifying |struct HSTSPreload| | 410 // the exactly one call site. This requires unifying |struct HSTSPreload| |
402 // (an implementation detail of this class) with a more generic | 411 // (an implementation detail of this class) with a more generic |
403 // representation of first-class DomainStates, and exposing the preloads | 412 // representation of first-class DomainStates, and exposing the preloads |
404 // to the caller with |GetStaticDomainState|. | 413 // to the caller with |GetStaticDomainState|. |
405 static void ReportUMAOnPinFailure(const std::string& host); | 414 static void ReportUMAOnPinFailure(const std::string& host); |
406 | 415 |
407 // IsBuildTimely returns true if the current build is new enough ensure that | 416 // IsBuildTimely returns true if the current build is new enough ensure that |
408 // built in security information (i.e. HSTS preloading and pinning | 417 // built in security information (i.e. HSTS preloading and pinning |
409 // information) is timely. | 418 // information) is timely. |
410 static bool IsBuildTimely(); | 419 static bool IsBuildTimely(); |
411 | 420 |
421 // Helper method for serilizing an ExpectStaple report. | |
estark
2016/06/14 02:10:28
typo: serializing
dadrian
2016/06/14 18:40:01
Done.
| |
422 static bool SerializeExpectStapleReport( | |
423 const HostPortPair& host_port_pair, | |
424 const X509Certificate& unverified_certificate, | |
425 const ExpectStapleReport& report, | |
426 std::string* serialized_report); | |
427 | |
412 // Helper method for actually checking pins. | 428 // Helper method for actually checking pins. |
413 bool CheckPublicKeyPinsImpl( | 429 bool CheckPublicKeyPinsImpl( |
414 const HostPortPair& host_port_pair, | 430 const HostPortPair& host_port_pair, |
415 const HashValueVector& hashes, | 431 const HashValueVector& hashes, |
416 const X509Certificate* served_certificate_chain, | 432 const X509Certificate* served_certificate_chain, |
417 const X509Certificate* validated_certificate_chain, | 433 const X509Certificate* validated_certificate_chain, |
418 const PublicKeyPinReportStatus report_status, | 434 const PublicKeyPinReportStatus report_status, |
419 std::string* failure_log); | 435 std::string* failure_log); |
420 | 436 |
421 // If a Delegate is present, notify it that the internal state has | 437 // If a Delegate is present, notify it that the internal state has |
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
465 ExpectCTState* expect_ct_result) const; | 481 ExpectCTState* expect_ct_result) const; |
466 | 482 |
467 // Returns true and updates |*expect_staple_result| iff there is a static | 483 // Returns true and updates |*expect_staple_result| iff there is a static |
468 // (built-in) state for |host| with expect_staple=true, or if |host| is a | 484 // (built-in) state for |host| with expect_staple=true, or if |host| is a |
469 // subdomain of another domain with expect_staple=true and | 485 // subdomain of another domain with expect_staple=true and |
470 // include_subdomains_for_expect_staple=true. | 486 // include_subdomains_for_expect_staple=true. |
471 bool GetStaticExpectStapleState( | 487 bool GetStaticExpectStapleState( |
472 const std::string& host, | 488 const std::string& host, |
473 ExpectStapleState* expect_staple_result) const; | 489 ExpectStapleState* expect_staple_result) const; |
474 | 490 |
475 // The sets of hosts that have enabled TransportSecurity. |domain| will always | 491 // The sets of hosts that have enabled TransportSecurity. |domain| will |
492 // always | |
estark
2016/06/14 02:10:28
unintentional?
dadrian
2016/06/14 18:40:01
Done.
| |
476 // be empty for a STSState or PKPState in these maps; the domain | 493 // be empty for a STSState or PKPState in these maps; the domain |
477 // comes from the map keys instead. In addition, |upgrade_mode| in the | 494 // comes from the map keys instead. In addition, |upgrade_mode| in the |
478 // STSState is never MODE_DEFAULT and |HasPublicKeyPins| in the PKPState | 495 // STSState is never MODE_DEFAULT and |HasPublicKeyPins| in the PKPState |
479 // always returns true. | 496 // always returns true. |
480 STSStateMap enabled_sts_hosts_; | 497 STSStateMap enabled_sts_hosts_; |
481 PKPStateMap enabled_pkp_hosts_; | 498 PKPStateMap enabled_pkp_hosts_; |
482 | 499 |
483 Delegate* delegate_; | 500 Delegate* delegate_; |
484 | 501 |
485 ReportSender* report_sender_; | 502 ReportSender* report_sender_; |
(...skipping 13 matching lines...) Expand all Loading... | |
499 // rate-limiting. | 516 // rate-limiting. |
500 ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>> | 517 ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>> |
501 sent_reports_cache_; | 518 sent_reports_cache_; |
502 | 519 |
503 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); | 520 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); |
504 }; | 521 }; |
505 | 522 |
506 } // namespace net | 523 } // namespace net |
507 | 524 |
508 #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 525 #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
OLD | NEW |