Index: net/http/transport_security_state.cc |
diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc |
index 1348528532ac6827825ac1a3aeee79c762673468..ada51bba277300acc46a39e2af205993dcb09b78 100644 |
--- a/net/http/transport_security_state.cc |
+++ b/net/http/transport_security_state.cc |
@@ -25,6 +25,8 @@ |
#include "crypto/sha2.h" |
#include "net/base/host_port_pair.h" |
#include "net/cert/ct_policy_status.h" |
+#include "net/cert/internal/parse_ocsp.h" |
+#include "net/cert/ocsp_verify_result.h" |
#include "net/cert/x509_cert_types.h" |
#include "net/cert/x509_certificate.h" |
#include "net/dns/dns_util.h" |
@@ -155,6 +157,18 @@ bool GetHPKPReport(const HostPortPair& host_port_pair, |
return true; |
} |
+std::string OCSPCertStatusToString(OCSPCertStatus::Status status) { |
svaldez
2016/06/23 14:03:15
Possibly attach this to ocsp_verify_result?
Ryan Sleevi
2016/06/23 22:11:52
I'm actually supportive of leaving it here, since
Ryan Sleevi
2016/06/23 22:11:52
return "const char*" - don't force a string coerci
|
+ switch (status) { |
+ case OCSPCertStatus::Status::GOOD: |
+ return "GOOD"; |
+ case OCSPCertStatus::Status::REVOKED: |
+ return "REVOKED"; |
+ case OCSPCertStatus::Status::UNKNOWN: |
+ return "UNKNOWN"; |
+ } |
+ return ""; |
+} |
+ |
// Do not send a report over HTTPS to the same host that set the |
// pin. Such report URIs will result in loops. (A.com has a pinning |
// violation which results in a report being sent to A.com, which |
@@ -1103,6 +1117,40 @@ void TransportSecurityState::ProcessExpectCTHeader( |
ssl_info); |
} |
+void TransportSecurityState::CheckExpectStaple( |
+ const HostPortPair& host_port_pair, |
+ const X509Certificate& verified_certificate, |
+ const X509Certificate& unverified_certificate, |
+ bool is_issued_by_known_root, |
+ const OCSPVerifyResult& ocsp_verify_result) { |
+ DCHECK(CalledOnValidThread()); |
+ if (!enable_static_expect_staple_ || !report_sender_) |
+ return; |
+ |
+ // Don't check preload or send report if the staple was good. |
+ if (ocsp_verify_result.cert_status.value_or( |
+ OCSPCertStatus::Status::UNKNOWN) == OCSPCertStatus::Status::GOOD) { |
+ return; |
+ } |
+ |
+ // Check to see if the host is preloaded. |
+ ExpectStapleState expect_staple_state; |
+ if (!GetStaticExpectStapleState(host_port_pair.host(), &expect_staple_state)) |
+ return; |
+ |
+ if (expect_staple_state.report_uri.is_empty()) |
+ return; |
+ |
+ // Report failure. |
+ std::string serialized_report; |
+ if (!SerializeExpectStapleReport(host_port_pair, unverified_certificate, |
+ is_issued_by_known_root, ocsp_verify_result, |
+ &serialized_report)) { |
+ return; |
+ } |
+ report_sender_->Send(expect_staple_state.report_uri, serialized_report); |
+} |
+ |
// static |
void TransportSecurityState::ReportUMAOnPinFailure(const std::string& host) { |
PreloadResult result; |
@@ -1149,6 +1197,44 @@ TransportSecurityState::CheckPublicKeyPinsImpl( |
failure_log); |
} |
+// static |
+bool TransportSecurityState::SerializeExpectStapleReport( |
+ const HostPortPair& host_port_pair, |
+ const X509Certificate& unverified_certificate, |
+ bool is_issued_by_known_root, |
+ const OCSPVerifyResult& ocsp_verify_result, |
+ std::string* serialized_report) { |
+ base::DictionaryValue report_dict; |
+ report_dict.SetString("date-time", TimeToISO8601(base::Time::Now())); |
+ report_dict.SetString("hostname", host_port_pair.host()); |
+ report_dict.SetInteger("port", host_port_pair.port()); |
+ |
+ // Add the list of each stapled OCSP response |
+ std::unique_ptr<base::Value> ocsp_responses(new base::ListValue); |
+ for (const auto& staple : ocsp_verify_result.stapled_responses) { |
+ std::unique_ptr<base::DictionaryValue> response(new base::DictionaryValue); |
+ response->SetBoolean("is-date-valid", staple.is_date_valid); |
+ response->SetBoolean("is-correct-certificate", |
+ staple.is_correct_certificate); |
+ response->SetString("status", OCSPCertStatusToString(staple.status)); |
+ base::ListValue* responses_list = |
+ reinterpret_cast<base::ListValue*>(ocsp_responses.get()); |
+ responses_list->Append(std::move(response)); |
+ } |
+ report_dict.Set("ocsp-responses", std::move(ocsp_responses)); |
+ |
+ // Only add the certificate chain to the report if its public |
+ if (is_issued_by_known_root) |
+ report_dict.Set("served-certificate-chain", |
+ GetPEMEncodedChainAsList(&unverified_certificate)); |
+ |
+ if (!base::JSONWriter::Write(report_dict, serialized_report)) { |
+ LOG(ERROR) << "Failed to serialize Expect-Staple report"; |
+ return false; |
+ } |
+ return true; |
+} |
+ |
bool TransportSecurityState::GetStaticDomainState(const std::string& host, |
STSState* sts_state, |
PKPState* pkp_state) const { |