1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 5 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
6 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 6 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
7 | 7 |
8 #include <stdint.h> | 8 #include <stdint.h> |
9 | 9 |
10 #include <map> | 10 #include <map> |
11 #include <string> | 11 #include <string> |
12 | 12 |
13 #include "base/callback.h" | 13 #include "base/callback.h" |
14 #include "base/feature_list.h" | 14 #include "base/feature_list.h" |
15 #include "base/gtest_prod_util.h" | 15 #include "base/gtest_prod_util.h" |
16 #include "base/macros.h" | 16 #include "base/macros.h" |
17 #include "base/strings/string_piece.h" | 17 #include "base/strings/string_piece.h" |
18 #include "base/threading/non_thread_safe.h" | 18 #include "base/threading/non_thread_safe.h" |
19 #include "base/time/time.h" | 19 #include "base/time/time.h" |
20 #include "net/base/expiring_cache.h" | 20 #include "net/base/expiring_cache.h" |
21 #include "net/base/hash_value.h" | 21 #include "net/base/hash_value.h" |
22 #include "net/base/net_export.h" | 22 #include "net/base/net_export.h" |
23 #include "net/cert/signed_certificate_timestamp_and_status.h" | |
23 #include "net/http/transport_security_state_source.h" | 24 #include "net/http/transport_security_state_source.h" |
24 #include "url/gurl.h" | 25 #include "url/gurl.h" |
25 | 26 |
26 namespace net { | 27 namespace net { |
27 | 28 |
29 namespace ct { | |
30 enum class CertPolicyCompliance; | |
31 }; | |
32 | |
28 class HostPortPair; | 33 class HostPortPair; |
29 class SSLInfo; | 34 class SSLInfo; |
30 class X509Certificate; | 35 class X509Certificate; |
31 | 36 |
32 void NET_EXPORT_PRIVATE SetTransportSecurityStateSourceForTesting( | 37 void NET_EXPORT_PRIVATE SetTransportSecurityStateSourceForTesting( |
33 const TransportSecurityStateSource* source); | 38 const TransportSecurityStateSource* source); |
34 | 39 |
35 // Tracks which hosts have enabled strict transport security and/or public | 40 // Tracks which hosts have enabled strict transport security and/or public |
36 // key pins. | 41 // key pins. |
37 // | 42 // |
303 }; | 308 }; |
304 | 309 |
305 // An interface for building and asynchronously sending reports when a | 310 // An interface for building and asynchronously sending reports when a |
306 // site expects valid Certificate Transparency information but it | 311 // site expects valid Certificate Transparency information but it |
307 // wasn't supplied. | 312 // wasn't supplied. |
308 class NET_EXPORT ExpectCTReporter { | 313 class NET_EXPORT ExpectCTReporter { |
309 public: | 314 public: |
310 // Called when the host in |host_port_pair| has opted in to have | 315 // Called when the host in |host_port_pair| has opted in to have |
311 // reports about Expect CT policy violations sent to |report_uri|, | 316 // reports about Expect CT policy violations sent to |report_uri|, |
312 // and such a violation has occurred. | 317 // and such a violation has occurred. |
313 virtual void OnExpectCTFailed(const net::HostPortPair& host_port_pair, | 318 virtual void OnExpectCTFailed( |
314 const GURL& report_uri, | 319 const net::HostPortPair& host_port_pair, |
315 const net::SSLInfo& ssl_info) = 0; | 320 const GURL& report_uri, |
321 const X509Certificate* validated_certificate_chain, | |
322 const X509Certificate* served_certificate_chain, | |
323 const SignedCertificateTimestampAndStatusList& | |
324 signed_certificate_timestamps) = 0; | |
316 | 325 |
317 protected: | 326 protected: |
318 virtual ~ExpectCTReporter() {} | 327 virtual ~ExpectCTReporter() {} |
319 }; | 328 }; |
320 | 329 |
321 // Indicates whether or not a public key pin check should send a | 330 // Indicates whether or not a public key pin check should send a |
322 // report if a violation is detected. | 331 // report if a violation is detected. |
323 enum PublicKeyPinReportStatus { ENABLE_PIN_REPORTS, DISABLE_PIN_REPORTS }; | 332 enum PublicKeyPinReportStatus { ENABLE_PIN_REPORTS, DISABLE_PIN_REPORTS }; |
324 | 333 |
334 // Indicates whether or not an Expect-CT check should send a report if a | |
335 // violation is detected. | |
336 enum ExpectCTReportStatus { | |
337 ENABLE_EXPECT_CT_REPORTS, | |
338 DISABLE_EXPECT_CT_REPORTS | |
339 }; | |
340 | |
325 // Feature that controls whether Expect-CT HTTP headers are parsed, processed, | 341 // Feature that controls whether Expect-CT HTTP headers are parsed, processed, |
326 // and stored. | 342 // and stored. |
327 static const base::Feature kDynamicExpectCTFeature; | 343 static const base::Feature kDynamicExpectCTFeature; |
328 | 344 |
329 TransportSecurityState(); | 345 TransportSecurityState(); |
330 ~TransportSecurityState(); | 346 ~TransportSecurityState(); |
331 | 347 |
332 // These functions search for static and dynamic STS and PKP states, and | 348 // These functions search for static and dynamic STS and PKP states, and |
333 // invoke the functions of the same name on them. These functions are the | 349 // invoke the functions of the same name on them. These functions are the |
334 // primary public interface; direct access to STS and PKP states is best | 350 // primary public interface; direct access to STS and PKP states is best |
354 // 3. The build is timely (i.e. the preload list is fresh). | 370 // 3. The build is timely (i.e. the preload list is fresh). |
355 // 4. The given host is present on the Expect-Staple preload list. | 371 // 4. The given host is present on the Expect-Staple preload list. |
356 // 5. |ssl_info| indicates the connection did not provide an OCSP response | 372 // 5. |ssl_info| indicates the connection did not provide an OCSP response |
357 // indicating a revocation status of GOOD. | 373 // indicating a revocation status of GOOD. |
358 // 6. The certificate chain in |ssl_info| chains to a known root. Reports | 374 // 6. The certificate chain in |ssl_info| chains to a known root. Reports |
359 // for OCSP responses behind MITM proxies are not useful to site owners. | 375 // for OCSP responses behind MITM proxies are not useful to site owners. |
360 void CheckExpectStaple(const HostPortPair& host_port_pair, | 376 void CheckExpectStaple(const HostPortPair& host_port_pair, |
361 const SSLInfo& ssl_info, | 377 const SSLInfo& ssl_info, |
362 base::StringPiece ocsp_response); | 378 base::StringPiece ocsp_response); |
363 | 379 |
364 // Returns true if connections to |host|, using the validated certificate | 380 // Returns false if a connection violates CT policy requirements: that is, if |
365 // |validated_certificate_chain|, are expected to be accompanied with | 381 // a connection to |host|, using the validated certificate |
382 // |validated_certificate_chain|, is expected to be accompanied with | |
366 // valid Certificate Transparency information that complies with the | 383 // valid Certificate Transparency information that complies with the |
367 // connection's CTPolicyEnforcer. | 384 // connection's CTPolicyEnforcer and |cert_policy_compliance| indicates that |
385 // the connection does not comply. | |
368 // | 386 // |
369 // The behavior may be further be altered by setting a RequireCTDelegate | 387 // The behavior may be further be altered by setting a RequireCTDelegate |
370 // via |SetRequireCTDelegate()|. | 388 // via |SetRequireCTDelegate()|. |
371 bool ShouldRequireCT(const std::string& host, | 389 // |
372 const X509Certificate* validated_certificate_chain, | 390 // This method checks Expect-CT state for |host| if |issued_by_known_root| is |
373 const HashValueVector& hashes); | 391 // true. If Expect-CT is configured for |host| and the connection is not |
392 // compliant and |report_status| is ENABLE_EXPECT_CT_REPORTS, then a report | |
393 // will be sent. | |
394 bool CheckCTRequirements(const net::HostPortPair& host_port_pair, | |
395 bool is_issued_by_known_root, | |
396 const HashValueVector& public_key_hashes, | |
397 const X509Certificate* validated_certificate_chain, | |
398 const X509Certificate* served_certificate_chain, | |
399 const SignedCertificateTimestampAndStatusList& | |
400 signed_certificate_timestamps, | |
401 const ExpectCTReportStatus report_status, | |
402 ct::CertPolicyCompliance cert_policy_compliance); | |
374 | 403 |
375 // Assign a |Delegate| for persisting the transport security state. If | 404 // Assign a |Delegate| for persisting the transport security state. If |
376 // |NULL|, state will not be persisted. The caller retains | 405 // |NULL|, state will not be persisted. The caller retains |
377 // ownership of |delegate|. | 406 // ownership of |delegate|. |
378 // Note: This is only used for serializing/deserializing the | 407 // Note: This is only used for serializing/deserializing the |
379 // TransportSecurityState. | 408 // TransportSecurityState. |
380 void SetDelegate(Delegate* delegate); | 409 void SetDelegate(Delegate* delegate); |
381 | 410 |
382 void SetReportSender(ReportSenderInterface* report_sender); | 411 void SetReportSender(ReportSenderInterface* report_sender); |
383 | 412 |
520 // SetExpectCTReporter). | 549 // SetExpectCTReporter). |
521 // | 550 // |
522 // The header can also have the value "preload", indicating that the site | 551 // The header can also have the value "preload", indicating that the site |
523 // wants to opt-in to the static report-only version of Expect-CT. If the | 552 // wants to opt-in to the static report-only version of Expect-CT. If the |
524 // given host is present on the preload list and the build is timely and the | 553 // given host is present on the preload list and the build is timely and the |
525 // connection is not CT-compliant, then a report will be sent. | 554 // connection is not CT-compliant, then a report will be sent. |
526 void ProcessExpectCTHeader(const std::string& value, | 555 void ProcessExpectCTHeader(const std::string& value, |
527 const HostPortPair& host_port_pair, | 556 const HostPortPair& host_port_pair, |
528 const SSLInfo& ssl_info); | 557 const SSLInfo& ssl_info); |
529 | 558 |
530 // For unit tests only; causes ShouldRequireCT() to return |*required| | 559 // For unit tests only; causes CheckCTRequirements() to return |*required| |
mattm
2017/05/04 01:57:11
comment seems backwards now. (should require = tru
estark
2017/05/04 04:03:25
Fixed with new enum return value.
| |
531 // by default (that is, unless a RequireCTDelegate overrides). Set to | 560 // by default (that is, unless a RequireCTDelegate overrides). Set to |
532 // nullptr to reset. | 561 // nullptr to reset. |
533 static void SetShouldRequireCTForTesting(bool* required); | 562 static void SetShouldRequireCTForTesting(bool* required); |
534 | 563 |
535 private: | 564 private: |
536 friend class TransportSecurityStateTest; | 565 friend class TransportSecurityStateTest; |
537 friend class TransportSecurityStateStaticFuzzer; | 566 friend class TransportSecurityStateStaticFuzzer; |
538 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly); | 567 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly); |
539 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0); | 568 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0); |
540 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins); | 569 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins); |
655 // rate-limiting. | 684 // rate-limiting. |
656 ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>> | 685 ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>> |
657 sent_reports_cache_; | 686 sent_reports_cache_; |
658 | 687 |
659 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); | 688 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); |
660 }; | 689 }; |
661 | 690 |
662 } // namespace net | 691 } // namespace net |
663 | 692 |
664 #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 693 #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
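Review bot: The forward declaration added at new lines 29-31 closes the `ct` namespace with `};` — the trailing semicolon is an empty declaration that pedantic builds warn about (-Wextra-semi) and the rest of this header closes namespaces with a comment, so it should read `}  // namespace ct`. The comment above `OnExpectCTFailed` (new lines 315-317) still describes only `host_port_pair` and `report_uri`, while the new signature replaces `ssl_info` with two raw `X509Certificate*` chains and an SCT list, and nothing states who owns those pointers, how long they remain valid, or whether either chain may be null; a line such as `// |validated_certificate_chain| and |served_certificate_chain| are owned by the caller and are only valid for the duration of the call.` would pin that down, and the nullability question cannot be answered from this header alone and needs confirming against the implementation. The same ownership/nullability gap applies to the two chain pointers in the `CheckCTRequirements` comment (new lines 380-393). In that declaration (new line 401) the top-level `const` on the by-value `report_status` parameter has no effect in a declaration and can be dropped.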