Implement Expect-Staple

net/http/transport_security_state.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_
 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_
 
 #include <stdint.h>
 
 #include <map>
 #include <string>
 #include <utility>
 #include <vector>
 
 #include "base/callback.h"
 #include "base/gtest_prod_util.h"
 #include "base/macros.h"
 #include "base/threading/non_thread_safe.h"
 #include "base/time/time.h"
 #include "net/base/expiring_cache.h"
 #include "net/base/net_export.h"
+#include "net/cert/ocsp_staple.h"
 #include "net/cert/x509_cert_types.h"
 #include "net/cert/x509_certificate.h"
 #include "url/gurl.h"
 
 class GURL;
 
 namespace net {
 
 class HostPortPair;
 class SSLInfo;
@@ skipping 345 matching lines @@
   // 1. The header value is "preload", indicating that the site wants to
   // be opted in to Expect CT.
   // 2. The given host is present on the Expect CT preload list with a
   // valid report-uri, and the build is timely (i.e. preload list is fresh).
   // 3. |ssl_info| indicates that the connection violated the Expect CT policy.
   // 4. An Expect CT reporter has been provided with SetExpectCTReporter().
   void ProcessExpectCTHeader(const std::string& value,
                              const HostPortPair& host_port_pair,
                              const SSLInfo& ssl_info);
 
+  void CheckExpectStaple(const HostPortPair& host_port_pair,
+                         const X509Certificate& verified_certificate,
+                         const X509Certificate& unverified_certificate,
+                         const base::Time& verify_time,
+                         const base::TimeDelta& max_age,
+                         const std::string& ocsp_response);
+
  private:
   friend class TransportSecurityStateTest;
+  friend class ExpectStapleTest;
   FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly);
   FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0);
   FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins);
   FRIEND_TEST_ALL_PREFIXES(URLRequestTestHTTP, ExpectCTHeader);
 
   typedef std::map<std::string, STSState> STSStateMap;
   typedef std::map<std::string, PKPState> PKPStateMap;
 
   // Send an UMA report on pin validation failure, if the host is in a
   // statically-defined list of domains.
   //
   // TODO(palmer): This doesn't really belong here, and should be moved into
   // the exactly one call site. This requires unifying |struct HSTSPreload|
   // (an implementation detail of this class) with a more generic
   // representation of first-class DomainStates, and exposing the preloads
   // to the caller with |GetStaticDomainState|.
   static void ReportUMAOnPinFailure(const std::string& host);
 
   // IsBuildTimely returns true if the current build is new enough ensure that
   // built in security information (i.e. HSTS preloading and pinning
   // information) is timely.
   static bool IsBuildTimely();
 
+  // Helper method for serilizing an ExpectStaple report.

[estark, 2016/06/14 02:10:28]

typo: serializing

[dadrian, 2016/06/14 18:40:01]

Done.

+  static bool SerializeExpectStapleReport(
+      const HostPortPair& host_port_pair,
+      const X509Certificate& unverified_certificate,
+      const ExpectStapleReport& report,
+      std::string* serialized_report);
+
   // Helper method for actually checking pins.
   bool CheckPublicKeyPinsImpl(
       const HostPortPair& host_port_pair,
       const HashValueVector& hashes,
       const X509Certificate* served_certificate_chain,
       const X509Certificate* validated_certificate_chain,
       const PublicKeyPinReportStatus report_status,
       std::string* failure_log);
 
   // If a Delegate is present, notify it that the internal state has
@@ skipping 43 matching lines @@
                               ExpectCTState* expect_ct_result) const;
 
   // Returns true and updates |*expect_staple_result| iff there is a static
   // (built-in) state for |host| with expect_staple=true, or if |host| is a
   // subdomain of another domain with expect_staple=true and
   // include_subdomains_for_expect_staple=true.
   bool GetStaticExpectStapleState(
       const std::string& host,
       ExpectStapleState* expect_staple_result) const;
 
-  // The sets of hosts that have enabled TransportSecurity. |domain| will always
+  // The sets of hosts that have enabled TransportSecurity. |domain| will
+  // always

[estark, 2016/06/14 02:10:28]

unintentional?

[dadrian, 2016/06/14 18:40:01]

Done.

   // be empty for a STSState or PKPState in these maps; the domain
   // comes from the map keys instead. In addition, |upgrade_mode| in the
   // STSState is never MODE_DEFAULT and |HasPublicKeyPins| in the PKPState
   // always returns true.
   STSStateMap enabled_sts_hosts_;
   PKPStateMap enabled_pkp_hosts_;
 
   Delegate* delegate_;
 
   ReportSender* report_sender_;
@@ skipping 13 matching lines @@
   // rate-limiting.
   ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>>
       sent_reports_cache_;
 
   DISALLOW_COPY_AND_ASSIGN(TransportSecurityState);
 };
 
 }  // namespace net
 
 #endif  // NET_HTTP_TRANSPORT_SECURITY_STATE_H_