Check Expect-CT at connection setup

net/http/transport_security_state.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_
 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_
 
 #include <stdint.h>
 
 #include <map>
 #include <string>
 
 #include "base/callback.h"
 #include "base/feature_list.h"
 #include "base/gtest_prod_util.h"
 #include "base/macros.h"
 #include "base/strings/string_piece.h"
 #include "base/threading/non_thread_safe.h"
 #include "base/time/time.h"
 #include "net/base/expiring_cache.h"
 #include "net/base/hash_value.h"
 #include "net/base/net_export.h"
+#include "net/cert/signed_certificate_timestamp_and_status.h"
 #include "net/http/transport_security_state_source.h"
 #include "url/gurl.h"
 
 namespace net {
 
+namespace ct {
+enum class CertPolicyCompliance;
+};
+
 class HostPortPair;
 class SSLInfo;
 class X509Certificate;
 
 void NET_EXPORT_PRIVATE SetTransportSecurityStateSourceForTesting(
     const TransportSecurityStateSource* source);
 
 // Tracks which hosts have enabled strict transport security and/or public
 // key pins.
 //
@@ skipping 265 matching lines @@
   };
 
   // An interface for building and asynchronously sending reports when a
   // site expects valid Certificate Transparency information but it
   // wasn't supplied.
   class NET_EXPORT ExpectCTReporter {
    public:
     // Called when the host in |host_port_pair| has opted in to have
     // reports about Expect CT policy violations sent to |report_uri|,
     // and such a violation has occurred.
-    virtual void OnExpectCTFailed(const net::HostPortPair& host_port_pair,
-                                  const GURL& report_uri,
-                                  const net::SSLInfo& ssl_info) = 0;
+    virtual void OnExpectCTFailed(
+        const net::HostPortPair& host_port_pair,
+        const GURL& report_uri,
+        const X509Certificate* validated_certificate_chain,
+        const X509Certificate* served_certificate_chain,
+        const SignedCertificateTimestampAndStatusList&
+            signed_certificate_timestamps) = 0;
 
    protected:
     virtual ~ExpectCTReporter() {}
   };
 
   // Indicates whether or not a public key pin check should send a
   // report if a violation is detected.
   enum PublicKeyPinReportStatus { ENABLE_PIN_REPORTS, DISABLE_PIN_REPORTS };
 
+  // Indicates whether or not an Expect-CT check should send a report if a
+  // violation is detected.
+  enum ExpectCTReportStatus {
+    ENABLE_EXPECT_CT_REPORTS,
+    DISABLE_EXPECT_CT_REPORTS
+  };
+
   // Feature that controls whether Expect-CT HTTP headers are parsed, processed,
   // and stored.
   static const base::Feature kDynamicExpectCTFeature;
 
   TransportSecurityState();
   ~TransportSecurityState();
 
   // These functions search for static and dynamic STS and PKP states, and
   // invoke the functions of the same name on them. These functions are the
   // primary public interface; direct access to STS and PKP states is best
@@ skipping 19 matching lines @@
   // 3. The build is timely (i.e. the preload list is fresh).
   // 4. The given host is present on the Expect-Staple preload list.
   // 5. |ssl_info| indicates the connection did not provide an OCSP response
   //    indicating a revocation status of GOOD.
   // 6. The certificate chain in |ssl_info| chains to a known root. Reports
   //    for OCSP responses behind MITM proxies are not useful to site owners.
   void CheckExpectStaple(const HostPortPair& host_port_pair,
                          const SSLInfo& ssl_info,
                          base::StringPiece ocsp_response);
 
-  // Returns true if connections to |host|, using the validated certificate
-  // |validated_certificate_chain|, are expected to be accompanied with
+  // Returns false if a connection violates CT policy requirements: that is, if
+  // a connection to |host|, using the validated certificate
+  // |validated_certificate_chain|, is expected to be accompanied with
   // valid Certificate Transparency information that complies with the
-  // connection's CTPolicyEnforcer.
+  // connection's CTPolicyEnforcer and |cert_policy_compliance| indicates that
+  // the connection does not comply.
   //
   // The behavior may be further be altered by setting a RequireCTDelegate
   // via |SetRequireCTDelegate()|.
-  bool ShouldRequireCT(const std::string& host,
-                       const X509Certificate* validated_certificate_chain,
-                       const HashValueVector& hashes);
+  //
+  // This method checks Expect-CT state for |host| if |issued_by_known_root| is
+  // true. If Expect-CT is configured for |host| and the connection is not
+  // compliant and |report_status| is ENABLE_EXPECT_CT_REPORTS, then a report
+  // will be sent.
+  bool CheckCTRequirements(const net::HostPortPair& host_port_pair,
+                           bool is_issued_by_known_root,
+                           const HashValueVector& public_key_hashes,
+                           const X509Certificate* validated_certificate_chain,
+                           const X509Certificate* served_certificate_chain,
+                           const SignedCertificateTimestampAndStatusList&
+                               signed_certificate_timestamps,
+                           const ExpectCTReportStatus report_status,
+                           ct::CertPolicyCompliance cert_policy_compliance);
 
   // Assign a |Delegate| for persisting the transport security state. If
   // |NULL|, state will not be persisted. The caller retains
   // ownership of |delegate|.
   // Note: This is only used for serializing/deserializing the
   // TransportSecurityState.
   void SetDelegate(Delegate* delegate);
 
   void SetReportSender(ReportSenderInterface* report_sender);
 
@@ skipping 136 matching lines @@
   // SetExpectCTReporter).
   //
   // The header can also have the value "preload", indicating that the site
   // wants to opt-in to the static report-only version of Expect-CT. If the
   // given host is present on the preload list and the build is timely and the
   // connection is not CT-compliant, then a report will be sent.
   void ProcessExpectCTHeader(const std::string& value,
                              const HostPortPair& host_port_pair,
                              const SSLInfo& ssl_info);
 
-  // For unit tests only; causes ShouldRequireCT() to return |*required|
+  // For unit tests only; causes CheckCTRequirements() to return |*required|

[mattm, 2017/05/04 01:57:11]

comment seems backwards now. (should require = true implies CheckCTRequirements
should return false)

[estark, 2017/05/04 04:03:25]

Fixed with new enum return value.

   // by default (that is, unless a RequireCTDelegate overrides). Set to
   // nullptr to reset.
   static void SetShouldRequireCTForTesting(bool* required);
 
  private:
   friend class TransportSecurityStateTest;
   friend class TransportSecurityStateStaticFuzzer;
   FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly);
   FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0);
   FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins);
@@ skipping 114 matching lines @@
   // rate-limiting.
   ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>>
       sent_reports_cache_;
 
   DISALLOW_COPY_AND_ASSIGN(TransportSecurityState);
 };
 
 }  // namespace net
 
 #endif  // NET_HTTP_TRANSPORT_SECURITY_STATE_H_