
Side by Side Diff: net/http/transport_security_state.cc

Issue 2144693004: Add the ability to send Expect-Staple reports. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@ocsp-verify-result
Patch Set: Compile after rebase Created 4 years, 5 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/http/transport_security_state.h" 5 #include "net/http/transport_security_state.h"
6 6
7 #include <algorithm> 7 #include <algorithm>
8 #include <memory> 8 #include <memory>
9 #include <utility> 9 #include <utility>
10 #include <vector> 10 #include <vector>
(...skipping 619 matching lines...) Expand 10 before | Expand all | Expand 10 after
630 bool found; 630 bool found;
631 if (!DecodeHSTSPreloadRaw(hostname, &found, out)) { 631 if (!DecodeHSTSPreloadRaw(hostname, &found, out)) {
632 DCHECK(false) << "Internal error in DecodeHSTSPreloadRaw for hostname " 632 DCHECK(false) << "Internal error in DecodeHSTSPreloadRaw for hostname "
633 << hostname; 633 << hostname;
634 return false; 634 return false;
635 } 635 }
636 636
637 return found; 637 return found;
638 } 638 }
639 639
640 std::string ResponseStatusToString(OCSPVerifyResult::ResponseStatus status) {
Ryan Sleevi 2016/07/19 00:02:49 Documentation needed :) For example, are these st
dadrian 2016/07/19 18:48:39 Done.
641 switch (status) {
642 case OCSPVerifyResult::MISSING:
643 return "MISSING";
644 case OCSPVerifyResult::PROVIDED:
645 return "PROVIDED";
646 case OCSPVerifyResult::ERROR_RESPONSE:
647 return "ERROR_RESPONSE";
648 case OCSPVerifyResult::BAD_PRODUCED_AT:
649 return "BAD_PRODUCED_AT";
650 case OCSPVerifyResult::NO_MATCHING_RESPONSE:
651 return "NO_MATCHING_RESPONSE";
652 case OCSPVerifyResult::INVALID_DATE:
653 return "INVALID_DATE";
654 case OCSPVerifyResult::PARSE_RESPONSE_ERROR:
655 return "PARSE_RESPONSE_ERROR";
656 case OCSPVerifyResult::PARSE_RESPONSE_DATA_ERROR:
657 return "PARSE_RESPONSE_DATA_ERROR";
658 }
659 return "";
Ryan Sleevi 2016/07/19 00:02:49 return std::string()
dadrian 2016/07/19 18:48:39 Done.
660 }
661
662 std::string RevocationStatusToString(const OCSPRevocationStatus& status) {
663 switch (status) {
664 case OCSPRevocationStatus::GOOD:
665 return "GOOD";
666 case OCSPRevocationStatus::REVOKED:
667 return "REVOKED";
668 case OCSPRevocationStatus::UNKNOWN:
669 return "UNKNOWN";
670 }
Ryan Sleevi 2016/07/19 00:02:49 Why do you return "" on 659, but not return "" (or
dadrian 2016/07/19 00:18:54 I meant to do it this way---does MSVC 2015 catch t
Ryan Sleevi 2016/07/19 01:17:22 Right, I *think* all our compilers now handle know
dadrian 2016/07/19 18:48:39 Done.
671 }
672
673 bool SerializeExpectStapleReport(const HostPortPair& host_port_pair,
674 const SSLInfo& ssl_info,
675 const std::string& ocsp_response,
676 std::string* out_serialized_report) {
677 base::DictionaryValue report;
678 report.SetString("date-time", TimeToISO8601(base::Time::Now()));
679 report.SetString("hostname", host_port_pair.host());
680 report.SetInteger("port", host_port_pair.port());
681 report.SetString(
682 "response-status",
683 ResponseStatusToString(ssl_info.ocsp_result.response_status));
684
685 if (!ocsp_response.empty()) {
686 std::string encoded_ocsp_response;
687 base::Base64Encode(ocsp_response, &encoded_ocsp_response);
688 report.SetString("ocsp-response", encoded_ocsp_response);
689 }
690 if (ssl_info.ocsp_result.response_status == OCSPVerifyResult::PROVIDED) {
691 report.SetString(
692 "cert-status",
693 RevocationStatusToString(ssl_info.ocsp_result.revocation_status));
694 }
695 if (ssl_info.is_issued_by_known_root) {
696 report.Set("served-certificate-chain",
697 GetPEMEncodedChainAsList(ssl_info.unverified_cert.get()));
698 report.Set("validated-certificate-chain",
699 GetPEMEncodedChainAsList(ssl_info.cert.get()));
700 }
701
702 if (!base::JSONWriter::Write(report, out_serialized_report))
703 return false;
704 return true;
705 }
706
640 } // namespace 707 } // namespace
641 708
642 TransportSecurityState::TransportSecurityState() 709 TransportSecurityState::TransportSecurityState()
643 : enable_static_pins_(true), 710 : enable_static_pins_(true),
644 enable_static_expect_ct_(true), 711 enable_static_expect_ct_(true),
645 enable_static_expect_staple_(false), 712 enable_static_expect_staple_(false),
646 enable_pkp_bypass_for_local_trust_anchors_(true), 713 enable_pkp_bypass_for_local_trust_anchors_(true),
647 sent_reports_cache_(kMaxHPKPReportCacheEntries) { 714 sent_reports_cache_(kMaxHPKPReportCacheEntries) {
648 // Static pinning is only enabled for official builds to make sure that 715 // Static pinning is only enabled for official builds to make sure that
649 // others don't end up with pins that cannot be easily updated. 716 // others don't end up with pins that cannot be easily updated.
(...skipping 558 matching lines...) Expand 10 before | Expand all | Expand 10 after
1208 } 1275 }
1209 1276
1210 ExpectCTState state; 1277 ExpectCTState state;
1211 if (!GetStaticExpectCTState(host_port_pair.host(), &state)) 1278 if (!GetStaticExpectCTState(host_port_pair.host(), &state))
1212 return; 1279 return;
1213 1280
1214 expect_ct_reporter_->OnExpectCTFailed(host_port_pair, state.report_uri, 1281 expect_ct_reporter_->OnExpectCTFailed(host_port_pair, state.report_uri,
1215 ssl_info); 1282 ssl_info);
1216 } 1283 }
1217 1284
1285 void TransportSecurityState::ProcessExpectStaple(
1286 const HostPortPair& host_port_pair,
1287 const SSLInfo& ssl_info,
1288 const std::string& ocsp_response) {
1289 DCHECK(CalledOnValidThread());
1290 if (!enable_static_expect_staple_ || !report_sender_)
1291 return;
1292
1293 ExpectStapleState expect_staple_state;
1294 if (!GetStaticExpectStapleState(host_port_pair.host(), &expect_staple_state))
1295 return;
1296
1297 // No report needed if a stapled OCSP response was provided.
1298 if (ssl_info.ocsp_result.response_status == OCSPVerifyResult::PROVIDED &&
1299 ssl_info.ocsp_result.revocation_status == OCSPRevocationStatus::GOOD) {
1300 return;
1301 }
1302
1303 std::string serialized_report;
1304 if (!SerializeExpectStapleReport(host_port_pair, ssl_info, ocsp_response,
1305 &serialized_report)) {
1306 return;
1307 }
1308 report_sender_->Send(expect_staple_state.report_uri, serialized_report);
1309 }
1310
1218 // static 1311 // static
1219 void TransportSecurityState::ReportUMAOnPinFailure(const std::string& host) { 1312 void TransportSecurityState::ReportUMAOnPinFailure(const std::string& host) {
1220 PreloadResult result; 1313 PreloadResult result;
1221 if (!DecodeHSTSPreload(host, &result) || 1314 if (!DecodeHSTSPreload(host, &result) ||
1222 !result.has_pins) { 1315 !result.has_pins) {
1223 return; 1316 return;
1224 } 1317 }
1225 1318
1226 DCHECK(result.domain_id != DOMAIN_NOT_PINNED); 1319 DCHECK(result.domain_id != DOMAIN_NOT_PINNED);
1227 1320
(...skipping 293 matching lines...) Expand 10 before | Expand all | Expand 10 after
1521 TransportSecurityState::PKPStateIterator::PKPStateIterator( 1614 TransportSecurityState::PKPStateIterator::PKPStateIterator(
1522 const TransportSecurityState& state) 1615 const TransportSecurityState& state)
1523 : iterator_(state.enabled_pkp_hosts_.begin()), 1616 : iterator_(state.enabled_pkp_hosts_.begin()),
1524 end_(state.enabled_pkp_hosts_.end()) { 1617 end_(state.enabled_pkp_hosts_.end()) {
1525 } 1618 }
1526 1619
1527 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { 1620 TransportSecurityState::PKPStateIterator::~PKPStateIterator() {
1528 } 1621 }
1529 1622
1530 } // namespace 1623 } // namespace
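Review bot: ProcessExpectStaple (new lines 1285-1309) sends a report on every qualifying connection with no deduplication or rate limiting, whereas the constructor's `sent_reports_cache_(kMaxHPKPReportCacheEntries)` suggests the HPKP reporting path remembers which report URIs it has already hit; a preloaded host that persistently fails to staple would therefore generate one report per connection, which is a load/amplification concern for the report endpoint and a privacy concern since each report carries hostname, port and timestamp. Consider checking and updating that cache (or an Expect-Staple-specific equivalent) keyed on the host and report URI before `report_sender_->Send(expect_staple_state.report_uri, serialized_report);`, or at minimum leaving `// TODO: rate-limit/dedup Expect-Staple reports as the HPKP path does.` so the gap is recorded. Separately, the comment `// No report needed if a stapled OCSP response was provided.` understates the condition: a PROVIDED response with REVOKED or UNKNOWN status still triggers a report, so `// No report needed if a stapled OCSP response was provided and it reports the certificate as GOOD.` is more accurate. Both points are inferred from the visible lines; the cache's actual API is outside this diff.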
