Add the ability to send Expect-Staple reports.

net/http/transport_security_state.cc

Index: net/http/transport_security_state.cc
diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc
index f33c2ec1d90436864f7a08718fb8709c2c8a90a3..37879a8490ffa885ccaa872e876c8aa4a0d3ab2a 100644
--- a/net/http/transport_security_state.cc
+++ b/net/http/transport_security_state.cc
@@ -637,6 +637,73 @@ bool DecodeHSTSPreload(const std::string& hostname, PreloadResult* out) {
   return found;
 }
 
+std::string ResponseStatusToString(OCSPVerifyResult::ResponseStatus status) {

[Ryan Sleevi, 2016/07/19 00:02:49]

Documentation needed :)

For example, are these strings part of an API contract? For debugging purposes?
Something else?

[dadrian, 2016/07/19 18:48:39]

Done.

+  switch (status) {
+    case OCSPVerifyResult::MISSING:
+      return "MISSING";
+    case OCSPVerifyResult::PROVIDED:
+      return "PROVIDED";
+    case OCSPVerifyResult::ERROR_RESPONSE:
+      return "ERROR_RESPONSE";
+    case OCSPVerifyResult::BAD_PRODUCED_AT:
+      return "BAD_PRODUCED_AT";
+    case OCSPVerifyResult::NO_MATCHING_RESPONSE:
+      return "NO_MATCHING_RESPONSE";
+    case OCSPVerifyResult::INVALID_DATE:
+      return "INVALID_DATE";
+    case OCSPVerifyResult::PARSE_RESPONSE_ERROR:
+      return "PARSE_RESPONSE_ERROR";
+    case OCSPVerifyResult::PARSE_RESPONSE_DATA_ERROR:
+      return "PARSE_RESPONSE_DATA_ERROR";
+  }
+  return "";

[Ryan Sleevi, 2016/07/19 00:02:49]

return std::string()

[dadrian, 2016/07/19 18:48:39]

Done.

+}
+
+std::string RevocationStatusToString(const OCSPRevocationStatus& status) {
+  switch (status) {
+    case OCSPRevocationStatus::GOOD:
+      return "GOOD";
+    case OCSPRevocationStatus::REVOKED:
+      return "REVOKED";
+    case OCSPRevocationStatus::UNKNOWN:
+      return "UNKNOWN";
+  }

[Ryan Sleevi, 2016/07/19 00:02:49]

Why do you return "" on 659, but not return "" (or equivalent) here?

You're either expecting that the compiler can't handle that you've enumerated
all the values (which MSVC 2013 wasn't smart enough to realize), which explains
659, or you're expecting that it is (here)... would be good to be consistent

[dadrian, 2016/07/19 00:18:54]

I meant to do it this way---does MSVC 2015 catch this?

[Ryan Sleevi, 2016/07/19 01:17:22]

Right, I *think* all our compilers now handle knowing that this is unreachable
(unless a new value is added, in which case, we *want* it to be a compile
failure)

[dadrian, 2016/07/19 18:48:39]

Done.

+}
+
+bool SerializeExpectStapleReport(const HostPortPair& host_port_pair,
+                                 const SSLInfo& ssl_info,
+                                 const std::string& ocsp_response,
+                                 std::string* out_serialized_report) {
+  base::DictionaryValue report;
+  report.SetString("date-time", TimeToISO8601(base::Time::Now()));
+  report.SetString("hostname", host_port_pair.host());
+  report.SetInteger("port", host_port_pair.port());
+  report.SetString(
+      "response-status",
+      ResponseStatusToString(ssl_info.ocsp_result.response_status));
+
+  if (!ocsp_response.empty()) {
+    std::string encoded_ocsp_response;
+    base::Base64Encode(ocsp_response, &encoded_ocsp_response);
+    report.SetString("ocsp-response", encoded_ocsp_response);
+  }
+  if (ssl_info.ocsp_result.response_status == OCSPVerifyResult::PROVIDED) {
+    report.SetString(
+        "cert-status",
+        RevocationStatusToString(ssl_info.ocsp_result.revocation_status));
+  }
+  if (ssl_info.is_issued_by_known_root) {
+    report.Set("served-certificate-chain",
+               GetPEMEncodedChainAsList(ssl_info.unverified_cert.get()));
+    report.Set("validated-certificate-chain",
+               GetPEMEncodedChainAsList(ssl_info.cert.get()));
+  }
+
+  if (!base::JSONWriter::Write(report, out_serialized_report))
+    return false;
+  return true;
+}
+
 }  // namespace
 
 TransportSecurityState::TransportSecurityState()
@@ -1215,6 +1282,32 @@ void TransportSecurityState::ProcessExpectCTHeader(
                                         ssl_info);
 }
 
+void TransportSecurityState::ProcessExpectStaple(
+    const HostPortPair& host_port_pair,
+    const SSLInfo& ssl_info,
+    const std::string& ocsp_response) {
+  DCHECK(CalledOnValidThread());
+  if (!enable_static_expect_staple_ || !report_sender_)
+    return;
+
+  ExpectStapleState expect_staple_state;
+  if (!GetStaticExpectStapleState(host_port_pair.host(), &expect_staple_state))
+    return;
+
+  // No report needed if a stapled OCSP response was provided.
+  if (ssl_info.ocsp_result.response_status == OCSPVerifyResult::PROVIDED &&
+      ssl_info.ocsp_result.revocation_status == OCSPRevocationStatus::GOOD) {
+    return;
+  }
+
+  std::string serialized_report;
+  if (!SerializeExpectStapleReport(host_port_pair, ssl_info, ocsp_response,
+                                   &serialized_report)) {
+    return;
+  }
+  report_sender_->Send(expect_staple_state.report_uri, serialized_report);
+}
+
 // static
 void TransportSecurityState::ReportUMAOnPinFailure(const std::string& host) {
   PreloadResult result;