OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 5 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
6 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 6 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
7 | 7 |
8 #include <stdint.h> | 8 #include <stdint.h> |
9 | 9 |
10 #include <map> | 10 #include <map> |
11 #include <string> | 11 #include <string> |
12 | 12 |
13 #include "base/callback.h" | 13 #include "base/callback.h" |
14 #include "base/feature_list.h" | 14 #include "base/feature_list.h" |
15 #include "base/gtest_prod_util.h" | 15 #include "base/gtest_prod_util.h" |
16 #include "base/macros.h" | 16 #include "base/macros.h" |
17 #include "base/strings/string_piece.h" | 17 #include "base/strings/string_piece.h" |
18 #include "base/threading/non_thread_safe.h" | 18 #include "base/threading/non_thread_safe.h" |
19 #include "base/time/time.h" | 19 #include "base/time/time.h" |
20 #include "net/base/expiring_cache.h" | 20 #include "net/base/expiring_cache.h" |
21 #include "net/base/hash_value.h" | 21 #include "net/base/hash_value.h" |
22 #include "net/base/net_export.h" | 22 #include "net/base/net_export.h" |
23 #include "net/cert/signed_certificate_timestamp_and_status.h" | |
23 #include "net/http/transport_security_state_source.h" | 24 #include "net/http/transport_security_state_source.h" |
24 #include "url/gurl.h" | 25 #include "url/gurl.h" |
25 | 26 |
26 namespace net { | 27 namespace net { |
27 | 28 |
29 namespace ct { | |
30 enum class CertPolicyCompliance; | |
31 }; | |
32 | |
28 class HostPortPair; | 33 class HostPortPair; |
29 class SSLInfo; | 34 class SSLInfo; |
30 class X509Certificate; | 35 class X509Certificate; |
31 | 36 |
32 void NET_EXPORT_PRIVATE SetTransportSecurityStateSourceForTesting( | 37 void NET_EXPORT_PRIVATE SetTransportSecurityStateSourceForTesting( |
33 const TransportSecurityStateSource* source); | 38 const TransportSecurityStateSource* source); |
34 | 39 |
35 // Tracks which hosts have enabled strict transport security and/or public | 40 // Tracks which hosts have enabled strict transport security and/or public |
36 // key pins. | 41 // key pins. |
37 // | 42 // |
(...skipping 265 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
303 }; | 308 }; |
304 | 309 |
305 // An interface for building and asynchronously sending reports when a | 310 // An interface for building and asynchronously sending reports when a |
306 // site expects valid Certificate Transparency information but it | 311 // site expects valid Certificate Transparency information but it |
307 // wasn't supplied. | 312 // wasn't supplied. |
308 class NET_EXPORT ExpectCTReporter { | 313 class NET_EXPORT ExpectCTReporter { |
309 public: | 314 public: |
310 // Called when the host in |host_port_pair| has opted in to have | 315 // Called when the host in |host_port_pair| has opted in to have |
311 // reports about Expect CT policy violations sent to |report_uri|, | 316 // reports about Expect CT policy violations sent to |report_uri|, |
312 // and such a violation has occurred. | 317 // and such a violation has occurred. |
313 virtual void OnExpectCTFailed(const net::HostPortPair& host_port_pair, | 318 virtual void OnExpectCTFailed( |
314 const GURL& report_uri, | 319 const net::HostPortPair& host_port_pair, |
315 const net::SSLInfo& ssl_info) = 0; | 320 const GURL& report_uri, |
321 const X509Certificate* validated_certificate_chain, | |
322 const X509Certificate* served_certificate_chain, | |
323 const SignedCertificateTimestampAndStatusList& | |
324 signed_certificate_timestamps) = 0; | |
316 | 325 |
317 protected: | 326 protected: |
318 virtual ~ExpectCTReporter() {} | 327 virtual ~ExpectCTReporter() {} |
319 }; | 328 }; |
320 | 329 |
321 // Indicates whether or not a public key pin check should send a | 330 // Indicates whether or not a public key pin check should send a |
322 // report if a violation is detected. | 331 // report if a violation is detected. |
323 enum PublicKeyPinReportStatus { ENABLE_PIN_REPORTS, DISABLE_PIN_REPORTS }; | 332 enum PublicKeyPinReportStatus { ENABLE_PIN_REPORTS, DISABLE_PIN_REPORTS }; |
324 | 333 |
334 // Indicates whether or not an Expect-CT check should send a report if a | |
335 // violation is detected. | |
336 enum ExpectCTReportStatus { | |
337 ENABLE_EXPECT_CT_REPORTS, | |
338 DISABLE_EXPECT_CT_REPORTS | |
339 }; | |
340 | |
341 // Indicates whether a connection met CT requirements. | |
342 enum CTRequirementsStatus { | |
343 // CT was not required for the connection, or CT was required for the | |
344 // connection and valid Certificate Transparency information was provided. | |
345 CT_REQUIREMENTS_MET, | |
346 // CT was required for the connection but valid CT info was not provided. | |
347 CT_REQUIREMENTS_NOT_MET, | |
348 }; | |
349 | |
325 // Feature that controls whether Expect-CT HTTP headers are parsed, processed, | 350 // Feature that controls whether Expect-CT HTTP headers are parsed, processed, |
326 // and stored. | 351 // and stored. |
327 static const base::Feature kDynamicExpectCTFeature; | 352 static const base::Feature kDynamicExpectCTFeature; |
328 | 353 |
329 TransportSecurityState(); | 354 TransportSecurityState(); |
330 ~TransportSecurityState(); | 355 ~TransportSecurityState(); |
331 | 356 |
332 // These functions search for static and dynamic STS and PKP states, and | 357 // These functions search for static and dynamic STS and PKP states, and |
333 // invoke the functions of the same name on them. These functions are the | 358 // invoke the functions of the same name on them. These functions are the |
334 // primary public interface; direct access to STS and PKP states is best | 359 // primary public interface; direct access to STS and PKP states is best |
(...skipping 19 matching lines...) Expand all Loading... | |
354 // 3. The build is timely (i.e. the preload list is fresh). | 379 // 3. The build is timely (i.e. the preload list is fresh). |
355 // 4. The given host is present on the Expect-Staple preload list. | 380 // 4. The given host is present on the Expect-Staple preload list. |
356 // 5. |ssl_info| indicates the connection did not provide an OCSP response | 381 // 5. |ssl_info| indicates the connection did not provide an OCSP response |
357 // indicating a revocation status of GOOD. | 382 // indicating a revocation status of GOOD. |
358 // 6. The certificate chain in |ssl_info| chains to a known root. Reports | 383 // 6. The certificate chain in |ssl_info| chains to a known root. Reports |
359 // for OCSP responses behind MITM proxies are not useful to site owners. | 384 // for OCSP responses behind MITM proxies are not useful to site owners. |
360 void CheckExpectStaple(const HostPortPair& host_port_pair, | 385 void CheckExpectStaple(const HostPortPair& host_port_pair, |
361 const SSLInfo& ssl_info, | 386 const SSLInfo& ssl_info, |
362 base::StringPiece ocsp_response); | 387 base::StringPiece ocsp_response); |
363 | 388 |
364 // Returns true if connections to |host|, using the validated certificate | 389 // Returns CT_REQUIREMENTS_NOT)MET if a connection violates CT policy |
mattm
2017/05/05 06:59:02
CT_REQUIREMENTS_NOT_MET
estark
2017/05/05 15:15:12
Done.
| |
365 // |validated_certificate_chain|, are expected to be accompanied with | 390 // requirements: that is, if a connection to |host|, using the validated |
366 // valid Certificate Transparency information that complies with the | 391 // certificate |validated_certificate_chain|, is expected to be accompanied |
367 // connection's CTPolicyEnforcer. | 392 // with valid Certificate Transparency information that complies with the |
393 // connection's CTPolicyEnforcer and |cert_policy_compliance| indicates that | |
394 // the connection does not comply. | |
368 // | 395 // |
369 // The behavior may be further be altered by setting a RequireCTDelegate | 396 // The behavior may be further be altered by setting a RequireCTDelegate |
370 // via |SetRequireCTDelegate()|. | 397 // via |SetRequireCTDelegate()|. |
371 bool ShouldRequireCT(const std::string& host, | 398 // |
372 const X509Certificate* validated_certificate_chain, | 399 // This method checks Expect-CT state for |host| if |issued_by_known_root| is |
373 const HashValueVector& hashes); | 400 // true. If Expect-CT is configured for |host| and the connection is not |
401 // compliant and |report_status| is ENABLE_EXPECT_CT_REPORTS, then a report | |
402 // will be sent. | |
403 CTRequirementsStatus CheckCTRequirements( | |
404 const net::HostPortPair& host_port_pair, | |
405 bool is_issued_by_known_root, | |
406 const HashValueVector& public_key_hashes, | |
407 const X509Certificate* validated_certificate_chain, | |
408 const X509Certificate* served_certificate_chain, | |
409 const SignedCertificateTimestampAndStatusList& | |
410 signed_certificate_timestamps, | |
411 const ExpectCTReportStatus report_status, | |
412 ct::CertPolicyCompliance cert_policy_compliance); | |
374 | 413 |
375 // Assign a |Delegate| for persisting the transport security state. If | 414 // Assign a |Delegate| for persisting the transport security state. If |
376 // |NULL|, state will not be persisted. The caller retains | 415 // |NULL|, state will not be persisted. The caller retains |
377 // ownership of |delegate|. | 416 // ownership of |delegate|. |
378 // Note: This is only used for serializing/deserializing the | 417 // Note: This is only used for serializing/deserializing the |
379 // TransportSecurityState. | 418 // TransportSecurityState. |
380 void SetDelegate(Delegate* delegate); | 419 void SetDelegate(Delegate* delegate); |
381 | 420 |
382 void SetReportSender(ReportSenderInterface* report_sender); | 421 void SetReportSender(ReportSenderInterface* report_sender); |
383 | 422 |
(...skipping 136 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
520 // SetExpectCTReporter). | 559 // SetExpectCTReporter). |
521 // | 560 // |
522 // The header can also have the value "preload", indicating that the site | 561 // The header can also have the value "preload", indicating that the site |
523 // wants to opt-in to the static report-only version of Expect-CT. If the | 562 // wants to opt-in to the static report-only version of Expect-CT. If the |
524 // given host is present on the preload list and the build is timely and the | 563 // given host is present on the preload list and the build is timely and the |
525 // connection is not CT-compliant, then a report will be sent. | 564 // connection is not CT-compliant, then a report will be sent. |
526 void ProcessExpectCTHeader(const std::string& value, | 565 void ProcessExpectCTHeader(const std::string& value, |
527 const HostPortPair& host_port_pair, | 566 const HostPortPair& host_port_pair, |
528 const SSLInfo& ssl_info); | 567 const SSLInfo& ssl_info); |
529 | 568 |
530 // For unit tests only; causes ShouldRequireCT() to return |*required| | 569 // For unit tests only. Causes CheckCTRequirements() to return |
531 // by default (that is, unless a RequireCTDelegate overrides). Set to | 570 // CT_REQUIREMENTS_NOT_MET (if |*required| is true) or CT_REQUIREMENTS_MET (if |
532 // nullptr to reset. | 571 // |*required| is false) for non-compliant connections by default (that is, |
572 // unless a RequireCTDelegate overrides). Set to nullptr to reset. | |
533 static void SetShouldRequireCTForTesting(bool* required); | 573 static void SetShouldRequireCTForTesting(bool* required); |
534 | 574 |
535 private: | 575 private: |
536 friend class TransportSecurityStateTest; | 576 friend class TransportSecurityStateTest; |
537 friend class TransportSecurityStateStaticFuzzer; | 577 friend class TransportSecurityStateStaticFuzzer; |
538 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly); | 578 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly); |
539 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0); | 579 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0); |
540 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins); | 580 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins); |
541 FRIEND_TEST_ALL_PREFIXES(URLRequestTestHTTP, ExpectCTHeader); | 581 FRIEND_TEST_ALL_PREFIXES(URLRequestTestHTTP, ExpectCTHeader); |
542 | 582 |
(...skipping 112 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
655 // rate-limiting. | 695 // rate-limiting. |
656 ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>> | 696 ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>> |
657 sent_reports_cache_; | 697 sent_reports_cache_; |
658 | 698 |
659 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); | 699 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); |
660 }; | 700 }; |
661 | 701 |
662 } // namespace net | 702 } // namespace net |
663 | 703 |
664 #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 704 #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
OLD | NEW |