Implement Expect-Staple

net/http/transport_security_state.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_state.h"
 
 #include <algorithm>
 #include <memory>
 #include <utility>
 
 #include "base/base64.h"
 #include "base/build_time.h"
 #include "base/json/json_writer.h"
 #include "base/logging.h"
 #include "base/memory/ptr_util.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/metrics/sparse_histogram.h"
 #include "base/sha1.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/values.h"
 #include "crypto/sha2.h"
 #include "net/base/host_port_pair.h"
 #include "net/cert/ct_policy_status.h"
+#include "net/cert/expect_staple_report.h"
+#include "net/cert/internal/parse_ocsp.h"
 #include "net/cert/x509_cert_types.h"
 #include "net/cert/x509_certificate.h"
 #include "net/dns/dns_util.h"
 #include "net/http/http_security_headers.h"
 #include "net/ssl/ssl_info.h"
 #include "url/gurl.h"
 
 namespace net {
 
 namespace {
@@ skipping 111 matching lines @@
   report.SetString("effective-expiration-date",
                    TimeToISO8601(pkp_state.expiry));
   if (!base::JSONWriter::Write(report, serialized_report)) {
     LOG(ERROR) << "Failed to serialize HPKP violation report.";
     return false;
   }
 
   return true;
 }
 
+std::string OCSPCertStatusToString(OCSPCertStatus::Status status) {
+  switch (status) {
+    case OCSPCertStatus::Status::GOOD:
+      return "GOOD";
+    case OCSPCertStatus::Status::REVOKED:
+      return "REVOKED";
+    case OCSPCertStatus::Status::UNKNOWN:
+      return "UNKNOWN";
+  }
+  return "";
+}
+
 // Do not send a report over HTTPS to the same host that set the
 // pin. Such report URIs will result in loops. (A.com has a pinning
 // violation which results in a report being sent to A.com, which
 // results in a pinning violation which results in a report being sent
 // to A.com, etc.)
 bool IsReportUriValidForHost(const GURL& report_uri, const std::string& host) {
   return (report_uri.host_piece() != host ||
           !report_uri.SchemeIsCryptographic());
 }
 
@@ skipping 922 matching lines @@
   }
 
   ExpectCTState state;
   if (!GetStaticExpectCTState(host_port_pair.host(), &state))
     return;
 
   expect_ct_reporter_->OnExpectCTFailed(host_port_pair, state.report_uri,
                                         ssl_info);
 }
 
+void TransportSecurityState::CheckExpectStaple(
+    const HostPortPair& host_port_pair,
+    const X509Certificate& verified_certificate,
+    const X509Certificate& unverified_certificate,
+    const base::Time& verify_time,
+    const base::TimeDelta& max_age,
+    const std::string& ocsp_response) {
+  DCHECK(CalledOnValidThread());
+  if (!enable_static_expect_staple_ || !report_sender_)
+    return;
+
+  // Check to see if the host is preloaded.
+  ExpectStapleState expect_staple_state;
+  if (!GetStaticExpectStapleState(host_port_pair.host(), &expect_staple_state))
+    return;
+
+  if (expect_staple_state.report_uri.is_empty())
+    return;
+
+  // Check the stapled information.
+  std::unique_ptr<ExpectStapleReport> report =
+      ExpectStapleReport::FromRawOCSPResponse(ocsp_response, verify_time,
+                                              max_age, verified_certificate);
+
+  // Report on failure.
+  if (report->staple_error() == ExpectStapleReport::StapleError::OK)
+    return;
+  std::string serialized_report;
+  if (!SerializeExpectStapleReport(host_port_pair, unverified_certificate,
+                                   *report, &serialized_report))
+    return;
+  report_sender_->Send(expect_staple_state.report_uri, serialized_report);
+}
+
 // static
 void TransportSecurityState::ReportUMAOnPinFailure(const std::string& host) {
   PreloadResult result;
   if (!DecodeHSTSPreload(host, &result) ||
       !result.has_pins) {
     return;
   }
 
   DCHECK(result.domain_id != DOMAIN_NOT_PINNED);
 
@@ skipping 25 matching lines @@
     // to have been called, so if we fall through to here, it's an error.
     return false;
   }
 
   return CheckPinsAndMaybeSendReport(
       host_port_pair, is_issued_by_known_root, pkp_state, hashes,
       served_certificate_chain, validated_certificate_chain, report_status,
       failure_log);
 }
 
+// static
+bool TransportSecurityState::SerializeExpectStapleReport(
+    const HostPortPair& host_port_pair,
+    const X509Certificate& unverified_certificate,
+    const ExpectStapleReport& report,
+    std::string* serialized_report) {
+  base::DictionaryValue report_dict;
+  report_dict.SetString("date-time", TimeToISO8601(report.verify_time()));
+  report_dict.SetString("hostname", host_port_pair.host());
+  report_dict.SetInteger("port", host_port_pair.port());
+
+  // Add the list of each stapled OCSP response
+  std::unique_ptr<base::Value> ocsp_responses(new base::ListValue);
+  for (const auto& staple : report.stapled_responses()) {
+    std::unique_ptr<base::DictionaryValue> response(new base::DictionaryValue);
+    response->SetBoolean("is-date-valid", staple.is_date_valid);
+    response->SetBoolean("is-correct-certificate",
+                         staple.is_correct_certificate);
+    response->SetString("status", OCSPCertStatusToString(staple.status));
+    base::ListValue* responses_list =
+        reinterpret_cast<base::ListValue*>(ocsp_responses.get());
+    responses_list->Append(std::move(response));
+  }
+  report_dict.Set("ocsp-responses", std::move(ocsp_responses));
+  report_dict.Set("served-certificate-chain",

[estark, 2016/06/15 02:38:37]

important note: only include this if |is_issued_by_known_root| is true (and
please add a unit test for that as well)

[dadrian, 2016/06/15 20:59:03]

Done.

+                  GetPEMEncodedChainAsList(&unverified_certificate));
+
+  if (!base::JSONWriter::Write(report_dict, serialized_report)) {
+    LOG(ERROR) << "Failed to serialize Expect-Staple report";
+    return false;
+  }
+  return true;
+}
+
 bool TransportSecurityState::GetStaticDomainState(const std::string& host,
                                                   STSState* sts_state,
                                                   PKPState* pkp_state) const {
   DCHECK(CalledOnValidThread());
 
   sts_state->upgrade_mode = STSState::MODE_FORCE_HTTPS;
   sts_state->include_subdomains = false;
   pkp_state->include_subdomains = false;
 
   if (!IsBuildTimely())
@@ skipping 246 matching lines @@
 TransportSecurityState::PKPStateIterator::PKPStateIterator(
     const TransportSecurityState& state)
     : iterator_(state.enabled_pkp_hosts_.begin()),
       end_(state.enabled_pkp_hosts_.end()) {
 }
 
 TransportSecurityState::PKPStateIterator::~PKPStateIterator() {
 }
 
 }  // namespace