
Side by Side Diff: net/http/transport_security_state.cc

Issue 2420203003: Turn off Expect-Staple reporting for private roots (Closed)
Patch Set: test fixes Created 4 years, 2 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/http/transport_security_state.h" 5 #include "net/http/transport_security_state.h"
6 6
7 #include <algorithm> 7 #include <algorithm>
8 #include <memory> 8 #include <memory>
9 #include <utility> 9 #include <utility>
10 #include <vector> 10 #include <vector>
(...skipping 663 matching lines...) Expand 10 before | Expand all | Expand 10 after
674 case OCSPRevocationStatus::UNKNOWN: 674 case OCSPRevocationStatus::UNKNOWN:
675 return "UNKNOWN"; 675 return "UNKNOWN";
676 } 676 }
677 return std::string(); 677 return std::string();
678 } 678 }
679 679
680 bool SerializeExpectStapleReport(const HostPortPair& host_port_pair, 680 bool SerializeExpectStapleReport(const HostPortPair& host_port_pair,
681 const SSLInfo& ssl_info, 681 const SSLInfo& ssl_info,
682 const std::string& ocsp_response, 682 const std::string& ocsp_response,
683 std::string* out_serialized_report) { 683 std::string* out_serialized_report) {
684 DCHECK(ssl_info.is_issued_by_known_root);
684 base::DictionaryValue report; 685 base::DictionaryValue report;
685 report.SetString("date-time", TimeToISO8601(base::Time::Now())); 686 report.SetString("date-time", TimeToISO8601(base::Time::Now()));
686 report.SetString("hostname", host_port_pair.host()); 687 report.SetString("hostname", host_port_pair.host());
687 report.SetInteger("port", host_port_pair.port()); 688 report.SetInteger("port", host_port_pair.port());
688 report.SetString("response-status", 689 report.SetString("response-status",
689 SerializeExpectStapleResponseStatus( 690 SerializeExpectStapleResponseStatus(
690 ssl_info.ocsp_result.response_status)); 691 ssl_info.ocsp_result.response_status));
691 692
692 if (!ocsp_response.empty()) { 693 if (!ocsp_response.empty()) {
693 std::string encoded_ocsp_response; 694 std::string encoded_ocsp_response;
694 base::Base64Encode(ocsp_response, &encoded_ocsp_response); 695 base::Base64Encode(ocsp_response, &encoded_ocsp_response);
695 report.SetString("ocsp-response", encoded_ocsp_response); 696 report.SetString("ocsp-response", encoded_ocsp_response);
696 } 697 }
697 if (ssl_info.ocsp_result.response_status == OCSPVerifyResult::PROVIDED) { 698 if (ssl_info.ocsp_result.response_status == OCSPVerifyResult::PROVIDED) {
698 report.SetString("cert-status", 699 report.SetString("cert-status",
699 SerializeExpectStapleRevocationStatus( 700 SerializeExpectStapleRevocationStatus(
700 ssl_info.ocsp_result.revocation_status)); 701 ssl_info.ocsp_result.revocation_status));
701 } 702 }
702 if (ssl_info.is_issued_by_known_root) { 703
703 report.Set("served-certificate-chain", 704 report.Set("served-certificate-chain",
704 GetPEMEncodedChainAsList(ssl_info.unverified_cert.get())); 705 GetPEMEncodedChainAsList(ssl_info.unverified_cert.get()));
705 report.Set("validated-certificate-chain", 706 report.Set("validated-certificate-chain",
706 GetPEMEncodedChainAsList(ssl_info.cert.get())); 707 GetPEMEncodedChainAsList(ssl_info.cert.get()));
707 }
708 708
709 if (!base::JSONWriter::Write(report, out_serialized_report)) 709 if (!base::JSONWriter::Write(report, out_serialized_report))
710 return false; 710 return false;
711 return true; 711 return true;
712 } 712 }
713 713
714 } // namespace 714 } // namespace
715 715
716 TransportSecurityState::TransportSecurityState() 716 TransportSecurityState::TransportSecurityState()
717 : enable_static_pins_(true), 717 : enable_static_pins_(true),
(...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after
785 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", 785 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess",
786 pin_validity == PKPStatus::OK); 786 pin_validity == PKPStatus::OK);
787 return pin_validity; 787 return pin_validity;
788 } 788 }
789 789
790 void TransportSecurityState::CheckExpectStaple( 790 void TransportSecurityState::CheckExpectStaple(
791 const HostPortPair& host_port_pair, 791 const HostPortPair& host_port_pair,
792 const SSLInfo& ssl_info, 792 const SSLInfo& ssl_info,
793 const std::string& ocsp_response) { 793 const std::string& ocsp_response) {
794 DCHECK(CalledOnValidThread()); 794 DCHECK(CalledOnValidThread());
795 if (!enable_static_expect_staple_ || !report_sender_) 795 if (!enable_static_expect_staple_ || !report_sender_ ||
796 !ssl_info.is_issued_by_known_root) {
796 return; 797 return;
798 }
797 799
798 // Determine if the host is on the Expect-Staple preload list. If the build is 800 // Determine if the host is on the Expect-Staple preload list. If the build is
799 // not timely (i.e. the preload list is not fresh), this will fail and return 801 // not timely (i.e. the preload list is not fresh), this will fail and return
800 // false. 802 // false.
801 ExpectStapleState expect_staple_state; 803 ExpectStapleState expect_staple_state;
802 if (!GetStaticExpectStapleState(host_port_pair.host(), &expect_staple_state)) 804 if (!GetStaticExpectStapleState(host_port_pair.host(), &expect_staple_state))
803 return; 805 return;
804 806
805 // No report needed if a stapled OCSP response was provided. 807 // No report needed if a stapled OCSP response was provided.
806 if (ssl_info.ocsp_result.response_status == OCSPVerifyResult::PROVIDED && 808 if (ssl_info.ocsp_result.response_status == OCSPVerifyResult::PROVIDED &&
(...skipping 850 matching lines...) Expand 10 before | Expand all | Expand 10 after
1657 TransportSecurityState::PKPStateIterator::PKPStateIterator( 1659 TransportSecurityState::PKPStateIterator::PKPStateIterator(
1658 const TransportSecurityState& state) 1660 const TransportSecurityState& state)
1659 : iterator_(state.enabled_pkp_hosts_.begin()), 1661 : iterator_(state.enabled_pkp_hosts_.begin()),
1660 end_(state.enabled_pkp_hosts_.end()) { 1662 end_(state.enabled_pkp_hosts_.end()) {
1661 } 1663 }
1662 1664
1663 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { 1665 TransportSecurityState::PKPStateIterator::~PKPStateIterator() {
1664 } 1666 }
1665 1667
1666 } // namespace 1668 } // namespace
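Review bot: The DCHECK added at new line 684 is now the only guard keeping a privately-rooted chain out of a serialized report in release builds, because the `if (ssl_info.is_issued_by_known_root)` wrapper around the two certificate-chain fields (old lines 702–707) was dropped and SerializeExpectStapleReport relies entirely on the early return added in CheckExpectStaple at new lines 795–798. That matches the DCHECK-as-precondition convention, but the contract is invisible at the call site and to any future caller inside the anonymous namespace, so state it at the function header: `// Precondition: ssl_info.is_issued_by_known_root. Callers must skip reporting for private roots (see CheckExpectStaple); the served and validated chains are serialized unconditionally here.` The early return in CheckExpectStaple would likewise benefit from a one-line why-comment, presumably "reports are not generated for certificates chaining to a private root" — confirm the intent against the issue description. CheckExpectStaple's body continues past the end of the shown hunk, so it is not clear whether any later branch still consults is_issued_by_known_root.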
