
Unified Diff: net/http/transport_security_state.cc

Issue 2420203003: Turn off Expect-Staple reporting for private roots (Closed)
Patch Set: test fixes Created 4 years, 2 months ago
Index: net/http/transport_security_state.cc
diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc
index a3f468d9a435b20e21ce0f1ab49f57205242fdd5..9ec992572ab7abcdad5b82da39a6f7eb2f1b5aba 100644
--- a/net/http/transport_security_state.cc
+++ b/net/http/transport_security_state.cc
@@ -681,6 +681,7 @@ bool SerializeExpectStapleReport(const HostPortPair& host_port_pair,
const SSLInfo& ssl_info,
const std::string& ocsp_response,
std::string* out_serialized_report) {
+ DCHECK(ssl_info.is_issued_by_known_root);
base::DictionaryValue report;
report.SetString("date-time", TimeToISO8601(base::Time::Now()));
report.SetString("hostname", host_port_pair.host());
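Review bot: The `DCHECK(ssl_info.is_issued_by_known_root)` added at the top of SerializeExpectStapleReport is normally compiled out of release builds, while the later hunk (@@ -699,12 +700,11) removes the runtime `if (ssl_info.is_issued_by_known_root)` that kept the served and validated certificate chains out of the report. After this change the only release-build protection visible in this diff is the early return in CheckExpectStaple, so any other or future caller would serialize a private-root chain into an outgoing report. Other callers are not visible here, but a cheap runtime guard would keep the privacy property local to the serializer: `if (!ssl_info.is_issued_by_known_root) return false;` directly after the DCHECK. The function body starts before and continues past this hunk.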
@@ -699,12 +700,11 @@ bool SerializeExpectStapleReport(const HostPortPair& host_port_pair,
SerializeExpectStapleRevocationStatus(
ssl_info.ocsp_result.revocation_status));
}
- if (ssl_info.is_issued_by_known_root) {
- report.Set("served-certificate-chain",
- GetPEMEncodedChainAsList(ssl_info.unverified_cert.get()));
- report.Set("validated-certificate-chain",
- GetPEMEncodedChainAsList(ssl_info.cert.get()));
- }
+
+ report.Set("served-certificate-chain",
+ GetPEMEncodedChainAsList(ssl_info.unverified_cert.get()));
+ report.Set("validated-certificate-chain",
+ GetPEMEncodedChainAsList(ssl_info.cert.get()));
if (!base::JSONWriter::Write(report, out_serialized_report))
return false;
@@ -792,8 +792,10 @@ void TransportSecurityState::CheckExpectStaple(
const SSLInfo& ssl_info,
const std::string& ocsp_response) {
DCHECK(CalledOnValidThread());
- if (!enable_static_expect_staple_ || !report_sender_)
+ if (!enable_static_expect_staple_ || !report_sender_ ||
+ !ssl_info.is_issued_by_known_root) {
return;
+ }
// Determine if the host is on the Expect-Staple preload list. If the build is
// not timely (i.e. the preload list is not fresh), this will fail and return
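Review bot: The new `!ssl_info.is_issued_by_known_root` clause in the early return has no comment explaining why these connections are skipped, and the reason is a privacy decision that the condition alone does not convey. A line above the `if` would record it, for example `// Only report on chains that validate to a known public root; chains from locally installed roots are never reported.` The body of CheckExpectStaple continues past the end of this hunk.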