Implement Expect-Staple

net/http/transport_security_state.h

Index: net/http/transport_security_state.h
diff --git a/net/http/transport_security_state.h b/net/http/transport_security_state.h
index 14c080a4b65ae6e72f4a37f965dfa8974fc89dd1..11bbe8193b012e0ca50774cd3fc97d8235063651 100644
--- a/net/http/transport_security_state.h
+++ b/net/http/transport_security_state.h
@@ -198,6 +198,23 @@ class NET_EXPORT TransportSecurityState
     GURL report_uri;
   };
 
+  // An ExpectStapleState describes a site that expects valid OCSP information
+  // to be stapled to its certificate on every connection.
+  class NET_EXPORT ExpectStapleState {
+   public:
+    ExpectStapleState();
+    ~ExpectStapleState();
+
+    // The domain which matched during a search for this Expect-Staple entry
+    std::string domain;
+
+    // The URI reports are sent to if a valid OCSP response is not stapled
+    GURL report_uri;
+
+    // True if subdomains are subject to this policy
+    bool include_subdomains;
+  };
+
   // An interface for asynchronously sending HPKP violation reports.
   class NET_EXPORT ReportSender {
    public:
@@ -228,6 +245,19 @@ class NET_EXPORT TransportSecurityState
     virtual ~ExpectCTReporter() {}
   };
 
+  // An interface for building and asynchronously sending reports when a site
+  // expects to have sent a valid OCSP staple during a TLS handshake, but it
+  // wasn't supplied.
+  class NET_EXPORT ExpectStapleReporter {
+   public:
+    virtual void OnExpectStapleFailed(const net::HostPortPair& host_port_pair,
+                                      const GURL& report_uri,
+                                      const net::SSLInfo& ssl_info) = 0;
+
+   protected:
+    virtual ~ExpectStapleReporter() {}
+  };
+
   // Indicates whether or not a public key pin check should send a
   // report if a violation is detected.
   enum PublicKeyPinReportStatus { ENABLE_PIN_REPORTS, DISABLE_PIN_REPORTS };
@@ -261,6 +291,8 @@ class NET_EXPORT TransportSecurityState
 
   void SetExpectCTReporter(ExpectCTReporter* expect_ct_reporter);
 
+  void SetExpectStapleReporter(ExpectStapleReporter* expect_staple_reporter);
+
   // Clears all dynamic data (e.g. HSTS and HPKP data).
   //
   // Does NOT persist changes using the Delegate, as this function is only
@@ -367,6 +399,10 @@ class NET_EXPORT TransportSecurityState
                              const HostPortPair& host_port_pair,
                              const SSLInfo& ssl_info);
 
+  // TODO
+  void CheckExpectStaple(const HostPortPair& host_port_pair,
+                         const SSLInfo& ssl_info);
+
  private:
   friend class TransportSecurityStateTest;
   FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly);
@@ -447,6 +483,14 @@ class NET_EXPORT TransportSecurityState
   bool GetStaticExpectCTState(const std::string& host,
                               ExpectCTState* expect_ct_result) const;
 
+  // Returns true and updates |*expect_staple_result| iff there is a static
+  // (built-in) state for |host| with expect_staple=true, or if |host| is a
+  // subdomain of another domain with expect_staple=true and
+  // include_subdomains_for_expect_staple=true.
+  bool GetStaticExpectStapleState(
+      const std::string& host,
+      ExpectStapleState* expect_staple_result) const;
+
   // The sets of hosts that have enabled TransportSecurity. |domain| will always
   // be empty for a STSState or PKPState in these maps; the domain
   // comes from the map keys instead. In addition, |upgrade_mode| in the
@@ -467,6 +511,11 @@ class NET_EXPORT TransportSecurityState
 
   ExpectCTReporter* expect_ct_reporter_;
 
+  // True if static expect-staple state should be used.
+  bool enable_static_expect_staple_;
+
+  ExpectStapleReporter* expect_staple_reporter_;
+
   // Keeps track of reports that have been sent recently for
   // rate-limiting.
   ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>>