Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(481)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/http/transport_security_state.h

Issue 2144693004: Add the ability to send Expect-Staple reports. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@ocsp-verify-result
Patch Set: More test cleanups. Created 4 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | net/http/transport_security_state.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_ 5 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_
6 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_ 6 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_
7 7
8 #include <stdint.h> 8 #include <stdint.h>
9 9
10 #include <map> 10 #include <map>
(...skipping 285 matching lines...) Expand 10 before | Expand all | Expand 10 after
296 PKPStatus CheckPublicKeyPins( 296 PKPStatus CheckPublicKeyPins(
297 const HostPortPair& host_port_pair, 297 const HostPortPair& host_port_pair,
298 bool is_issued_by_known_root, 298 bool is_issued_by_known_root,
299 const HashValueVector& hashes, 299 const HashValueVector& hashes,
300 const X509Certificate* served_certificate_chain, 300 const X509Certificate* served_certificate_chain,
301 const X509Certificate* validated_certificate_chain, 301 const X509Certificate* validated_certificate_chain,
302 const PublicKeyPinReportStatus report_status, 302 const PublicKeyPinReportStatus report_status,
303 std::string* failure_log); 303 std::string* failure_log);
304 bool HasPublicKeyPins(const std::string& host); 304 bool HasPublicKeyPins(const std::string& host);
305 305
306 // Sends an Expect-Staple report containing the raw |ocsp_response| for
307 // |host_port_pair| if the following conditions are true:
308 // 1. Sending Expect-Staple reports is enabled (via
309 // |enable_static_expect_staple_|)
310 // 2. A report sender was provided via SetReportSender().
311 // 3. The build is timele (i.e. the preload list is fresh).
312 // 4. The given host is present on the Expect-Staple preload list.
313 // 5. |ssl_info| indicates the connection did not provide an OCSP response
314 // indicating a revocation status of GOOD.
315 void CheckExpectStaple(const HostPortPair& host_port_pair,
316 const SSLInfo& ssl_info,
317 const std::string& ocsp_response);
318
306 // Returns true if connections to |host|, using the validated certificate 319 // Returns true if connections to |host|, using the validated certificate
307 // |validated_certificate_chain|, are expected to be accompanied with 320 // |validated_certificate_chain|, are expected to be accompanied with
308 // valid Certificate Transparency information that complies with the 321 // valid Certificate Transparency information that complies with the
309 // connection's CTPolicyEnforcer. 322 // connection's CTPolicyEnforcer.
310 // 323 //
311 // The behavior may be further be altered by setting a RequireCTDelegate 324 // The behavior may be further be altered by setting a RequireCTDelegate
312 // via |SetRequireCTDelegate()|. 325 // via |SetRequireCTDelegate()|.
313 bool ShouldRequireCT(const std::string& host, 326 bool ShouldRequireCT(const std::string& host,
314 const X509Certificate* validated_certificate_chain, 327 const X509Certificate* validated_certificate_chain,
315 const HashValueVector& hashes); 328 const HashValueVector& hashes);
(...skipping 126 matching lines...) Expand 10 before | Expand all | Expand 10 after
442 // 1. The header value is "preload", indicating that the site wants to 455 // 1. The header value is "preload", indicating that the site wants to
443 // be opted in to Expect CT. 456 // be opted in to Expect CT.
444 // 2. The given host is present on the Expect CT preload list with a 457 // 2. The given host is present on the Expect CT preload list with a
445 // valid report-uri, and the build is timely (i.e. preload list is fresh). 458 // valid report-uri, and the build is timely (i.e. preload list is fresh).
446 // 3. |ssl_info| indicates that the connection violated the Expect CT policy. 459 // 3. |ssl_info| indicates that the connection violated the Expect CT policy.
447 // 4. An Expect CT reporter has been provided with SetExpectCTReporter(). 460 // 4. An Expect CT reporter has been provided with SetExpectCTReporter().
448 void ProcessExpectCTHeader(const std::string& value, 461 void ProcessExpectCTHeader(const std::string& value,
449 const HostPortPair& host_port_pair, 462 const HostPortPair& host_port_pair,
450 const SSLInfo& ssl_info); 463 const SSLInfo& ssl_info);
451 464
465 // Sends an Expect-Staple report containing the raw |ocsp_response| for
466 // |host_port_pair| if the following conditions are true:
467 // 1. Sending Expect-Staple reports is enabled (via
468 // |enable_static_expect_staple_|)
469 // 2. A report sender was provided via SetReportSender().
470 // 3. The build is timele (i.e. the preload list is fresh).
471 // 4. The given host is present on the Expect-Staple preload list.
472 // 5. |ssl_info| indicates the connection did not provide an OCSP response
473 // indicating a revocation status of GOOD.
474 void CheckExpectStapleAndMaybeSendReport(const HostPortPair& host_port_pair,
Ryan Sleevi 2016/07/19 21:24:56 Leftover? :)
475 const SSLInfo& ssl_info,
476 const std::string& ocsp_response);
477
452 // For unit tests only; causes ShouldRequireCT() to return |*required| 478 // For unit tests only; causes ShouldRequireCT() to return |*required|
453 // by default (that is, unless a RequireCTDelegate overrides). Set to 479 // by default (that is, unless a RequireCTDelegate overrides). Set to
454 // nullptr to reset. 480 // nullptr to reset.
455 static void SetShouldRequireCTForTesting(bool* required); 481 static void SetShouldRequireCTForTesting(bool* required);
456 482
457 private: 483 private:
458 friend class TransportSecurityStateTest; 484 friend class TransportSecurityStateTest;
459 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly); 485 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly);
460 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0); 486 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0);
461 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins); 487 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins);
(...skipping 114 matching lines...) Expand 10 before | Expand all | Expand 10 after
576 // rate-limiting. 602 // rate-limiting.
577 ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>> 603 ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>>
578 sent_reports_cache_; 604 sent_reports_cache_;
579 605
580 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); 606 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState);
581 }; 607 };
582 608
583 } // namespace net 609 } // namespace net
584 610
585 #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_H_ 611 #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_H_
OLDNEW
« no previous file with comments | « no previous file | net/http/transport_security_state.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698