Extend the webRequest.onCompleted event details object with TLS/SSL information

extensions/browser/api/web_request/web_request_event_details.cc

Index: extensions/browser/api/web_request/web_request_event_details.cc
diff --git a/extensions/browser/api/web_request/web_request_event_details.cc b/extensions/browser/api/web_request/web_request_event_details.cc
index d7a3e10c82713c857339ceb6b1323cfbc1f87b62..6bcff944df415fb38819169521aa78e2d60a70e7 100644
--- a/extensions/browser/api/web_request/web_request_event_details.cc
+++ b/extensions/browser/api/web_request/web_request_event_details.cc
@@ -18,7 +18,10 @@
 #include "net/base/upload_data_stream.h"
 #include "net/http/http_request_headers.h"
 #include "net/http/http_response_headers.h"
+#include "net/ssl/ssl_cipher_suite_names.h"
+#include "net/ssl/ssl_connection_status_flags.h"
 #include "net/url_request/url_request.h"
+#include "third_party/boringssl/src/include/openssl/ssl.h"
 
 using extension_web_request_api_helpers::ExtraInfoSpec;
 
@@ -236,4 +239,49 @@ void WebRequestEventDetails::OnDeterminedFrameData(
   callback.Run(std::move(self));
 }
 
+void WebRequestEventDetails::SetSSLInfo(const net::URLRequest* request) {
+  const net::SSLInfo ssl_info = request->ssl_info();
+  base::DictionaryValue* info_dict = new base::DictionaryValue();
+
+  const char* ssl_version;
+  net::SSLVersionToString(&ssl_version, net::SSLConnectionStatusToVersion(
+                                            ssl_info.connection_status));
+  if (strncmp(ssl_version, "?", 1) == 0)
+    ssl_version = "UNKNOWN";
+  info_dict->SetString(keys::kSSLVersionKey, ssl_version);
+
+  const SSL_CIPHER* cipher = SSL_get_cipher_by_value(
+      net::SSLConnectionStatusToCipherSuite(ssl_info.connection_status));
+  char* cipher_name = SSL_CIPHER_get_rfc_name(cipher);
+  if (cipher_name) {
+    std::string rfc_name = std::string(cipher_name);
+    OPENSSL_free(cipher_name);
+    info_dict->SetString(keys::kCipherSuiteKey, rfc_name);
+  }
+
+  base::DictionaryValue* built_dict = new base::DictionaryValue();
+  built_dict->SetBoolean(keys::kCertificateIssuedByKnownRootKey,
+                         ssl_info.is_issued_by_known_root);

[Ryan Sleevi, 2017/01/31 21:37:56]

I'm very concerned about exposing this (or any other non-issued by public roots)
to extensions, and think that will necessarily merit a very careful review from
privacy folks about exposing this to extensions and whether our current
permissions accurately reflect the sensitivity of this.

+  built_dict->Set(keys::kChainKey,
+                  helpers::ExtractCertificateChain(ssl_info.cert));
+
+  built_dict->SetBoolean(
+      keys::kCertificateValidKey,
+      ssl_info.is_valid() && !net::IsCertStatusError(ssl_info.cert_status));

[Ryan Sleevi, 2017/01/31 21:37:56]

I'm uncomfortable with us surfacing this as if it was an endorsement for
extensions to use. I'm also concerned because I don't believe we do surface
information about *invalid* certificates to extensions today.

+  if (net::IsCertStatusError(ssl_info.cert_status)) {
+    std::string error = net::ErrorToShortString(
+        net::MapCertStatusToNetError(ssl_info.cert_status));
+    built_dict->SetString(keys::kErrorKey, error);

[Ryan Sleevi, 2017/01/31 21:37:56]

This is an explicit non-goal; we do not want the error strings to be part of any
API surface, which necessarily this becomes part of.

We can/will change error strings, so exposing this detail represents a stronger
API contract than we want to expose from //net to extensions.

+  }
+
+  built_dict->SetBoolean(keys::kEVCertificateKey,
+                         (ssl_info.cert_status & net::CERT_STATUS_IS_EV));

[Ryan Sleevi, 2017/01/31 21:37:56]

Can you explain why this is necessary? This represents an API surface that we'd
have to maintain, when it's strongly desirable that this not be.

+
+  info_dict->Set(keys::kBuiltChainKey, built_dict);
+  info_dict->Set(keys::kSentChainKey,
+                 helpers::ExtractCertificateChain(ssl_info.unverified_cert));
+
+  dict_.Set(keys::kSSLInfoKey, info_dict);
+}
+
 }  // namespace extensions