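--- a/net/http/transport_security_state.cc
+++ b/net/http/transport_security_state.cc
@@ -674,44 +674,44 @@
 case OCSPRevocationStatus::UNKNOWN:
 return "UNKNOWN";
 }
 return std::string();
 }
 
 bool SerializeExpectStapleReport(const HostPortPair& host_port_pair,
 const SSLInfo& ssl_info,
 const std::string& ocsp_response,
 std::string* out_serialized_report) {
+DCHECK(ssl_info.is_issued_by_known_root);
 base::DictionaryValue report;
 report.SetString("date-time", TimeToISO8601(base::Time::Now()));
 report.SetString("hostname", host_port_pair.host());
 report.SetInteger("port", host_port_pair.port());
 report.SetString("response-status",
 SerializeExpectStapleResponseStatus(
 ssl_info.ocsp_result.response_status));
 
 if (!ocsp_response.empty()) {
 std::string encoded_ocsp_response;
 base::Base64Encode(ocsp_response, &encoded_ocsp_response);
 report.SetString("ocsp-response", encoded_ocsp_response);
 }
 if (ssl_info.ocsp_result.response_status == OCSPVerifyResult::PROVIDED) {
 report.SetString("cert-status",
 SerializeExpectStapleRevocationStatus(
 ssl_info.ocsp_result.revocation_status));
 }
-if (ssl_info.is_issued_by_known_root) {
+
 report.Set("served-certificate-chain",
 GetPEMEncodedChainAsList(ssl_info.unverified_cert.get()));
 report.Set("validated-certificate-chain",
 GetPEMEncodedChainAsList(ssl_info.cert.get()));
-}
 
 if (!base::JSONWriter::Write(report, out_serialized_report))
 return false;
 return true;
 }
 
 } // namespace
 
 TransportSecurityState::TransportSecurityState()
 : enable_static_pins_(true),
@@ -785,22 +785,24 @@
 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess",
 pin_validity == PKPStatus::OK);
 return pin_validity;
 }
 
 void TransportSecurityState::CheckExpectStaple(
 const HostPortPair& host_port_pair,
 const SSLInfo& ssl_info,
 const std::string& ocsp_response) {
 DCHECK(CalledOnValidThread());
-if (!enable_static_expect_staple_ || !report_sender_)
+if (!enable_static_expect_staple_ || !report_sender_ ||
+!ssl_info.is_issued_by_known_root) {
 return;
+}
 
 // Determine if the host is on the Expect-Staple preload list. If the build is
 // not timely (i.e. the preload list is not fresh), this will fail and return
 // false.
 ExpectStapleState expect_staple_state;
 if (!GetStaticExpectStapleState(host_port_pair.host(), &expect_staple_state))
 return;
 
 // No report needed if a stapled OCSP response was provided.
 if (ssl_info.ocsp_result.response_status == OCSPVerifyResult::PROVIDED &&
@@ -1657,10 +1659,10 @@
 TransportSecurityState::PKPStateIterator::PKPStateIterator(
 const TransportSecurityState& state)
 : iterator_(state.enabled_pkp_hosts_.begin()),
 end_(state.enabled_pkp_hosts_.end()) {
 }
 
 TransportSecurityState::PKPStateIterator::~PKPStateIterator() {
 }
 
 } // namespace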
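Review bot: The DCHECK added at the top of SerializeExpectStapleReport (new line 684) only asserts the invariant in debug builds; in release builds the function now serializes both certificate chains unconditionally, so the guarantee that chains from non-public (e.g. enterprise or locally installed) roots are never put in a report rests entirely on the new early return in CheckExpectStaple. That is fine while CheckExpectStaple is the only caller, but the reason should be stated where the invariant is relied on, since a future caller in release will silently ship private-root chains. I would add above the DCHECK: `// Callers must only report connections issued by a publicly-trusted root; chains from private roots must never leave the client, so the chains below are serialized without re-checking.` If you want defense in depth rather than documentation, replacing the DCHECK with `if (!ssl_info.is_issued_by_known_root) return false;` keeps the release-build behavior safe at the cost of a different failure mode; presumably the team prefers the DCHECK convention, so I leave that as a suggestion. The enclosing anonymous namespace begins before the first hunk, and CheckExpectStaple's body continues past the second hunk.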