Extend the webRequest.onCompleted event details object with TLS/SSL information

extensions/browser/api/web_request/web_request_event_details.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/browser/api/web_request/web_request_event_details.h"
 
 #include "base/callback.h"
 #include "base/strings/string_number_conversions.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/render_frame_host.h"
 #include "content/public/browser/resource_request_info.h"
 #include "content/public/common/child_process_host.h"
 #include "extensions/browser/api/web_request/upload_data_presenter.h"
 #include "extensions/browser/api/web_request/web_request_api_constants.h"
 #include "extensions/browser/api/web_request/web_request_api_helpers.h"
 #include "ipc/ipc_message.h"
 #include "net/base/auth.h"
 #include "net/base/upload_data_stream.h"
 #include "net/http/http_request_headers.h"
 #include "net/http/http_response_headers.h"
+#include "net/ssl/ssl_cipher_suite_names.h"
+#include "net/ssl/ssl_connection_status_flags.h"
 #include "net/url_request/url_request.h"
+#include "third_party/boringssl/src/include/openssl/ssl.h"
 
 using extension_web_request_api_helpers::ExtraInfoSpec;
 
 namespace helpers = extension_web_request_api_helpers;
 namespace keys = extension_web_request_api_constants;
 
 namespace extensions {
 
 WebRequestEventDetails::WebRequestEventDetails(const net::URLRequest* request,
                                                int extra_info_spec)
@@ skipping 197 matching lines @@
     : extra_info_spec_(0), render_process_id_(0), render_frame_id_(0) {}
 
 void WebRequestEventDetails::OnDeterminedFrameData(
     std::unique_ptr<WebRequestEventDetails> self,
     const DeterminedFrameDataCallback& callback,
     const ExtensionApiFrameIdMap::FrameData& frame_data) {
   SetFrameData(frame_data);
   callback.Run(std::move(self));
 }
 
+void WebRequestEventDetails::SetSSLInfo(const net::URLRequest* request) {
+  const net::SSLInfo ssl_info = request->ssl_info();
+  base::DictionaryValue* info_dict = new base::DictionaryValue();
+
+  const char* ssl_version;
+  net::SSLVersionToString(&ssl_version, net::SSLConnectionStatusToVersion(
+                                            ssl_info.connection_status));
+  if (strncmp(ssl_version, "?", 1) == 0)
+    ssl_version = "UNKNOWN";
+  info_dict->SetString(keys::kSSLVersionKey, ssl_version);
+
+  const SSL_CIPHER* cipher = SSL_get_cipher_by_value(
+      net::SSLConnectionStatusToCipherSuite(ssl_info.connection_status));
+  char* cipher_name = SSL_CIPHER_get_rfc_name(cipher);
+  if (cipher_name) {
+    std::string rfc_name = std::string(cipher_name);
+    OPENSSL_free(cipher_name);
+    info_dict->SetString(keys::kCipherSuiteKey, rfc_name);
+  }
+
+  base::DictionaryValue* built_dict = new base::DictionaryValue();
+  built_dict->SetBoolean(keys::kCertificateIssuedByKnownRootKey,
+                         ssl_info.is_issued_by_known_root);

[Ryan Sleevi, 2017/01/31 21:37:56]

I'm very concerned about exposing this (or any other non-issued by public roots)
to extensions, and think that will necessarily merit a very careful review from
privacy folks about exposing this to extensions and whether our current
permissions accurately reflect the sensitivity of this.

+  built_dict->Set(keys::kChainKey,
+                  helpers::ExtractCertificateChain(ssl_info.cert));
+
+  built_dict->SetBoolean(
+      keys::kCertificateValidKey,
+      ssl_info.is_valid() && !net::IsCertStatusError(ssl_info.cert_status));

[Ryan Sleevi, 2017/01/31 21:37:56]

I'm uncomfortable with us surfacing this as if it was an endorsement for
extensions to use. I'm also concerned because I don't believe we do surface
information about *invalid* certificates to extensions today.

+  if (net::IsCertStatusError(ssl_info.cert_status)) {
+    std::string error = net::ErrorToShortString(
+        net::MapCertStatusToNetError(ssl_info.cert_status));
+    built_dict->SetString(keys::kErrorKey, error);

[Ryan Sleevi, 2017/01/31 21:37:56]

This is an explicit non-goal; we do not want the error strings to be part of any
API surface, which necessarily this becomes part of.

We can/will change error strings, so exposing this detail represents a stronger
API contract than we want to expose from //net to extensions.

+  }
+
+  built_dict->SetBoolean(keys::kEVCertificateKey,
+                         (ssl_info.cert_status & net::CERT_STATUS_IS_EV));

[Ryan Sleevi, 2017/01/31 21:37:56]

Can you explain why this is necessary? This represents an API surface that we'd
have to maintain, when it's strongly desirable that this not be.

+
+  info_dict->Set(keys::kBuiltChainKey, built_dict);
+  info_dict->Set(keys::kSentChainKey,
+                 helpers::ExtractCertificateChain(ssl_info.unverified_cert));
+
+  dict_.Set(keys::kSSLInfoKey, info_dict);
+}
+
 }  // namespace extensions