Index: net/http/transport_security_state.h |
diff --git a/net/http/transport_security_state.h b/net/http/transport_security_state.h |
index 168e87985f315194d9971ef3d3d830b4af65f1fd..2ff1236ee1e33bf07cc46165c9b6758de7fc75d9 100644 |
--- a/net/http/transport_security_state.h |
+++ b/net/http/transport_security_state.h |
@@ -18,11 +18,14 @@ |
#include "net/base/expiring_cache.h" |
#include "net/base/hash_value.h" |
#include "net/base/net_export.h" |
+#include "net/cert/x509_cert_types.h" |
+#include "net/cert/x509_certificate.h" |
Ryan Sleevi
2016/06/23 22:11:52
Don't introduce these headers
|
#include "url/gurl.h" |
namespace net { |
class HostPortPair; |
+class OCSPVerifyResult; |
class SSLInfo; |
class X509Certificate; |
@@ -388,8 +391,22 @@ class NET_EXPORT TransportSecurityState |
const HostPortPair& host_port_pair, |
const SSLInfo& ssl_info); |
+ // Checks to see if the given |host_port_pair| is in the Expect-Staple preload |
+ // list. If the host is preloaded, this parses |ocsp_response|, validates |
+ // it against |verified_certificate|, and ensures the OCSP response is valid |
+ // at |verify_time| and is no older than |max_age|. If the OCSP response fails |
+ // validation, this sends an Expect-Staple report to the preloaded report URI. |
+ // The report will contain |unverified_certificate| iff |
+ // |is_issued_by_known_root| is true. |
svaldez
2016/06/23 14:03:15
Update comment.
|
+ void CheckExpectStaple(const HostPortPair& host_port_pair, |
+ const X509Certificate& verified_certificate, |
+ const X509Certificate& unverified_certificate, |
+ bool is_issued_by_known_root, |
+ const OCSPVerifyResult& ocsp_verify_result); |
+ |
private: |
friend class TransportSecurityStateTest; |
+ friend class ExpectStapleTest; |
FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly); |
FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0); |
FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins); |
@@ -413,6 +430,14 @@ class NET_EXPORT TransportSecurityState |
// information) is timely. |
static bool IsBuildTimely(); |
+ // Helper method for serializing an ExpectStaple report. |
+ static bool SerializeExpectStapleReport( |
+ const HostPortPair& host_port_pair, |
+ const X509Certificate& unverified_certificate, |
+ bool is_issued_by_known_root, |
+ const OCSPVerifyResult& ocsp_verify_result, |
+ std::string* serialized_report); |
+ |
// Helper method for actually checking pins. |
PKPStatus CheckPublicKeyPinsImpl( |
const HostPortPair& host_port_pair, |
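Review bot: `SerializeExpectStapleReport` in the last hunk documents neither its return value nor the contract of the `serialized_report` out-parameter, so a caller cannot tell whether `false` means "nothing to report" or "serialization failed", nor whether the buffer is left untouched on failure. Since this helper decides what leaves the client, the comment should also state the privacy rule the public `CheckExpectStaple` comment already promises — that `unverified_certificate` is only included when `is_issued_by_known_root` is true — if this is where that rule is enforced (the implementation is not in this hunk, so that needs confirming). A comment along the lines of `// Serializes an Expect-Staple report for |host_port_pair| into |serialized_report|. Returns false if no report could be produced; |serialized_report| is unspecified in that case. |unverified_certificate| is included only when |is_issued_by_known_root| is true.` would make the contract explicit. The enclosing class continues outside this hunk.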