Implement Expect-Staple

net/http/transport_security_state.cc

Index: net/http/transport_security_state.cc
diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc
index 1348528532ac6827825ac1a3aeee79c762673468..ada51bba277300acc46a39e2af205993dcb09b78 100644
--- a/net/http/transport_security_state.cc
+++ b/net/http/transport_security_state.cc
@@ -25,6 +25,8 @@
 #include "crypto/sha2.h"
 #include "net/base/host_port_pair.h"
 #include "net/cert/ct_policy_status.h"
+#include "net/cert/internal/parse_ocsp.h"
+#include "net/cert/ocsp_verify_result.h"
 #include "net/cert/x509_cert_types.h"
 #include "net/cert/x509_certificate.h"
 #include "net/dns/dns_util.h"
@@ -155,6 +157,18 @@ bool GetHPKPReport(const HostPortPair& host_port_pair,
   return true;
 }
 
+std::string OCSPCertStatusToString(OCSPCertStatus::Status status) {

[svaldez, 2016/06/23 14:03:15]

Possibly attach this to ocsp_verify_result?

[Ryan Sleevi, 2016/06/23 22:11:52]

I'm actually supportive of leaving it here, since these strings are meaningful
in the report-API sense, not just the C++ API sense

[Ryan Sleevi, 2016/06/23 22:11:52]

return "const char*" - don't force a string coercion unless the caller wants it
:)

+  switch (status) {
+    case OCSPCertStatus::Status::GOOD:
+      return "GOOD";
+    case OCSPCertStatus::Status::REVOKED:
+      return "REVOKED";
+    case OCSPCertStatus::Status::UNKNOWN:
+      return "UNKNOWN";
+  }
+  return "";
+}
+
 // Do not send a report over HTTPS to the same host that set the
 // pin. Such report URIs will result in loops. (A.com has a pinning
 // violation which results in a report being sent to A.com, which
@@ -1103,6 +1117,40 @@ void TransportSecurityState::ProcessExpectCTHeader(
                                         ssl_info);
 }
 
+void TransportSecurityState::CheckExpectStaple(
+    const HostPortPair& host_port_pair,
+    const X509Certificate& verified_certificate,
+    const X509Certificate& unverified_certificate,
+    bool is_issued_by_known_root,
+    const OCSPVerifyResult& ocsp_verify_result) {
+  DCHECK(CalledOnValidThread());
+  if (!enable_static_expect_staple_ || !report_sender_)
+    return;
+
+  // Don't check preload or send report if the staple was good.
+  if (ocsp_verify_result.cert_status.value_or(
+          OCSPCertStatus::Status::UNKNOWN) == OCSPCertStatus::Status::GOOD) {
+    return;
+  }
+
+  // Check to see if the host is preloaded.
+  ExpectStapleState expect_staple_state;
+  if (!GetStaticExpectStapleState(host_port_pair.host(), &expect_staple_state))
+    return;
+
+  if (expect_staple_state.report_uri.is_empty())
+    return;
+
+  // Report failure.
+  std::string serialized_report;
+  if (!SerializeExpectStapleReport(host_port_pair, unverified_certificate,
+                                   is_issued_by_known_root, ocsp_verify_result,
+                                   &serialized_report)) {
+    return;
+  }
+  report_sender_->Send(expect_staple_state.report_uri, serialized_report);
+}
+
 // static
 void TransportSecurityState::ReportUMAOnPinFailure(const std::string& host) {
   PreloadResult result;
@@ -1149,6 +1197,44 @@ TransportSecurityState::CheckPublicKeyPinsImpl(
       failure_log);
 }
 
+// static
+bool TransportSecurityState::SerializeExpectStapleReport(
+    const HostPortPair& host_port_pair,
+    const X509Certificate& unverified_certificate,
+    bool is_issued_by_known_root,
+    const OCSPVerifyResult& ocsp_verify_result,
+    std::string* serialized_report) {
+  base::DictionaryValue report_dict;
+  report_dict.SetString("date-time", TimeToISO8601(base::Time::Now()));
+  report_dict.SetString("hostname", host_port_pair.host());
+  report_dict.SetInteger("port", host_port_pair.port());
+
+  // Add the list of each stapled OCSP response
+  std::unique_ptr<base::Value> ocsp_responses(new base::ListValue);
+  for (const auto& staple : ocsp_verify_result.stapled_responses) {
+    std::unique_ptr<base::DictionaryValue> response(new base::DictionaryValue);
+    response->SetBoolean("is-date-valid", staple.is_date_valid);
+    response->SetBoolean("is-correct-certificate",
+                         staple.is_correct_certificate);
+    response->SetString("status", OCSPCertStatusToString(staple.status));
+    base::ListValue* responses_list =
+        reinterpret_cast<base::ListValue*>(ocsp_responses.get());
+    responses_list->Append(std::move(response));
+  }
+  report_dict.Set("ocsp-responses", std::move(ocsp_responses));
+
+  // Only add the certificate chain to the report if its public
+  if (is_issued_by_known_root)
+    report_dict.Set("served-certificate-chain",
+                    GetPEMEncodedChainAsList(&unverified_certificate));
+
+  if (!base::JSONWriter::Write(report_dict, serialized_report)) {
+    LOG(ERROR) << "Failed to serialize Expect-Staple report";
+    return false;
+  }
+  return true;
+}
+
 bool TransportSecurityState::GetStaticDomainState(const std::string& host,
                                                   STSState* sts_state,
                                                   PKPState* pkp_state) const {