Add the ability to send Expect-Staple reports.

net/http/transport_security_state.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_state.h"
 
 #include <algorithm>
 #include <memory>
 #include <utility>
 #include <vector>
@@ skipping 619 matching lines @@
   bool found;
   if (!DecodeHSTSPreloadRaw(hostname, &found, out)) {
     DCHECK(false) << "Internal error in DecodeHSTSPreloadRaw for hostname "
                   << hostname;
     return false;
   }
 
   return found;
 }
 
+// Serializes an OCSPVerifyResult::ResponseStatus to a string enum, suitable for
+// the |response-status| field in an Expect-Staple report.
+std::string SerializeExpectStapleResponseStatus(
+    OCSPVerifyResult::ResponseStatus status) {
+  switch (status) {
+    case OCSPVerifyResult::MISSING:
+      return "MISSING";
+    case OCSPVerifyResult::PROVIDED:
+      return "PROVIDED";
+    case OCSPVerifyResult::ERROR_RESPONSE:
+      return "ERROR_RESPONSE";
+    case OCSPVerifyResult::BAD_PRODUCED_AT:
+      return "BAD_PRODUCED_AT";
+    case OCSPVerifyResult::NO_MATCHING_RESPONSE:
+      return "NO_MATCHING_RESPONSE";
+    case OCSPVerifyResult::INVALID_DATE:
+      return "INVALID_DATE";
+    case OCSPVerifyResult::PARSE_RESPONSE_ERROR:
+      return "PARSE_RESPONSE_ERROR";
+    case OCSPVerifyResult::PARSE_RESPONSE_DATA_ERROR:
+      return "PARSE_RESPONSE_DATA_ERROR";
+  }
+  return std::string();
+}
+
+// Serializes an OCSPRevocationStatus to a string enum, suitable for the
+// |cert-status| field in an Expect-Staple report.
+std::string SerializeExpectStapleRevocationStatus(
+    const OCSPRevocationStatus& status) {
+  switch (status) {
+    case OCSPRevocationStatus::GOOD:
+      return "GOOD";
+    case OCSPRevocationStatus::REVOKED:
+      return "REVOKED";
+    case OCSPRevocationStatus::UNKNOWN:
+      return "UNKNOWN";
+  }
+  return std::string();
+}
+
+bool SerializeExpectStapleReport(const HostPortPair& host_port_pair,
+                                 const SSLInfo& ssl_info,
+                                 const std::string& ocsp_response,
+                                 std::string* out_serialized_report) {
+  base::DictionaryValue report;
+  report.SetString("date-time", TimeToISO8601(base::Time::Now()));
+  report.SetString("hostname", host_port_pair.host());
+  report.SetInteger("port", host_port_pair.port());
+  report.SetString("response-status",
+                   SerializeExpectStapleResponseStatus(
+                       ssl_info.ocsp_result.response_status));
+
+  if (!ocsp_response.empty()) {
+    std::string encoded_ocsp_response;
+    base::Base64Encode(ocsp_response, &encoded_ocsp_response);
+    report.SetString("ocsp-response", encoded_ocsp_response);
+  }
+  if (ssl_info.ocsp_result.response_status == OCSPVerifyResult::PROVIDED) {
+    report.SetString("cert-status",
+                     SerializeExpectStapleRevocationStatus(
+                         ssl_info.ocsp_result.revocation_status));
+  }
+  if (ssl_info.is_issued_by_known_root) {
+    report.Set("served-certificate-chain",
+               GetPEMEncodedChainAsList(ssl_info.unverified_cert.get()));
+    report.Set("validated-certificate-chain",
+               GetPEMEncodedChainAsList(ssl_info.cert.get()));
+  }
+
+  if (!base::JSONWriter::Write(report, out_serialized_report))
+    return false;
+  return true;
+}
+
 }  // namespace
 
 TransportSecurityState::TransportSecurityState()
     : enable_static_pins_(true),
       enable_static_expect_ct_(true),
       enable_static_expect_staple_(false),
       enable_pkp_bypass_for_local_trust_anchors_(true),
       sent_reports_cache_(kMaxHPKPReportCacheEntries) {
 // Static pinning is only enabled for official builds to make sure that
 // others don't end up with pins that cannot be easily updated.
@@ skipping 56 matching lines @@
 
   if (pin_validity == PKPStatus::VIOLATED) {
     LOG(ERROR) << *pinning_failure_log;
     ReportUMAOnPinFailure(host_port_pair.host());
   }
   UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess",
                         pin_validity == PKPStatus::OK);
   return pin_validity;
 }
 
+void TransportSecurityState::CheckExpectStaple(
+    const HostPortPair& host_port_pair,
+    const SSLInfo& ssl_info,
+    const std::string& ocsp_response) {
+  DCHECK(CalledOnValidThread());
+  if (!enable_static_expect_staple_ || !report_sender_)
+    return;
+
+  // Determine if the host is on the Expect-Staple preload list. If the build is
+  // not timely (i.e. the preload list is not fresh), this will fail and return
+  // false.
+  ExpectStapleState expect_staple_state;
+  if (!GetStaticExpectStapleState(host_port_pair.host(), &expect_staple_state))
+    return;
+
+  // No report needed if a stapled OCSP response was provided.
+  if (ssl_info.ocsp_result.response_status == OCSPVerifyResult::PROVIDED &&
+      ssl_info.ocsp_result.revocation_status == OCSPRevocationStatus::GOOD) {
+    return;
+  }
+
+  std::string serialized_report;
+  if (!SerializeExpectStapleReport(host_port_pair, ssl_info, ocsp_response,
+                                   &serialized_report)) {
+    return;
+  }
+  report_sender_->Send(expect_staple_state.report_uri, serialized_report);
+}
+
 bool TransportSecurityState::HasPublicKeyPins(const std::string& host) {
   PKPState dynamic_state;
   if (GetDynamicPKPState(host, &dynamic_state))
     return dynamic_state.HasPublicKeyPins();
 
   STSState unused;
   PKPState static_pkp_state;
   if (GetStaticDomainState(host, &unused, &static_pkp_state)) {
     if (static_pkp_state.HasPublicKeyPins())
       return true;
@@ skipping 795 matching lines @@
 TransportSecurityState::PKPStateIterator::PKPStateIterator(
     const TransportSecurityState& state)
     : iterator_(state.enabled_pkp_hosts_.begin()),
       end_(state.enabled_pkp_hosts_.end()) {
 }
 
 TransportSecurityState::PKPStateIterator::~PKPStateIterator() {
 }
 
 }  // namespace