Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(150)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/http/transport_security_state.h

Issue 2850033002: Check Expect-CT at connection setup (Closed)
Patch Set: fixes per mattm's comments Created 3 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « chrome/browser/ssl/chrome_expect_ct_reporter_unittest.cc ('k') | net/http/transport_security_state.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/http/transport_security_state.h
diff --git a/net/http/transport_security_state.h b/net/http/transport_security_state.h
index f2d182c901031b6ed833c0f30a014c610d309048..295075983bb6dfd42fe595ebfff51211101df2e2 100644
--- a/net/http/transport_security_state.h
+++ b/net/http/transport_security_state.h
@@ -20,11 +20,16 @@
#include "net/base/expiring_cache.h"
#include "net/base/hash_value.h"
#include "net/base/net_export.h"
+#include "net/cert/signed_certificate_timestamp_and_status.h"
#include "net/http/transport_security_state_source.h"
#include "url/gurl.h"
namespace net {
+namespace ct {
+enum class CertPolicyCompliance;
+};
+
class HostPortPair;
class SSLInfo;
class X509Certificate;
@@ -310,9 +315,13 @@ class NET_EXPORT TransportSecurityState
// Called when the host in |host_port_pair| has opted in to have
// reports about Expect CT policy violations sent to |report_uri|,
// and such a violation has occurred.
- virtual void OnExpectCTFailed(const net::HostPortPair& host_port_pair,
- const GURL& report_uri,
- const net::SSLInfo& ssl_info) = 0;
+ virtual void OnExpectCTFailed(
+ const net::HostPortPair& host_port_pair,
+ const GURL& report_uri,
+ const X509Certificate* validated_certificate_chain,
+ const X509Certificate* served_certificate_chain,
+ const SignedCertificateTimestampAndStatusList&
+ signed_certificate_timestamps) = 0;
protected:
virtual ~ExpectCTReporter() {}
@@ -322,6 +331,22 @@ class NET_EXPORT TransportSecurityState
// report if a violation is detected.
enum PublicKeyPinReportStatus { ENABLE_PIN_REPORTS, DISABLE_PIN_REPORTS };
+ // Indicates whether or not an Expect-CT check should send a report if a
+ // violation is detected.
+ enum ExpectCTReportStatus {
+ ENABLE_EXPECT_CT_REPORTS,
+ DISABLE_EXPECT_CT_REPORTS
+ };
+
+ // Indicates whether a connection met CT requirements.
+ enum CTRequirementsStatus {
+ // CT was not required for the connection, or CT was required for the
+ // connection and valid Certificate Transparency information was provided.
+ CT_REQUIREMENTS_MET,
+ // CT was required for the connection but valid CT info was not provided.
+ CT_REQUIREMENTS_NOT_MET,
+ };
+
// Feature that controls whether Expect-CT HTTP headers are parsed, processed,
// and stored.
static const base::Feature kDynamicExpectCTFeature;
@@ -361,16 +386,30 @@ class NET_EXPORT TransportSecurityState
const SSLInfo& ssl_info,
base::StringPiece ocsp_response);
- // Returns true if connections to |host|, using the validated certificate
- // |validated_certificate_chain|, are expected to be accompanied with
- // valid Certificate Transparency information that complies with the
- // connection's CTPolicyEnforcer.
+ // Returns CT_REQUIREMENTS_NOT)MET if a connection violates CT policy
mattm 2017/05/05 06:59:02 CT_REQUIREMENTS_NOT_MET
estark 2017/05/05 15:15:12 Done.
+ // requirements: that is, if a connection to |host|, using the validated
+ // certificate |validated_certificate_chain|, is expected to be accompanied
+ // with valid Certificate Transparency information that complies with the
+ // connection's CTPolicyEnforcer and |cert_policy_compliance| indicates that
+ // the connection does not comply.
//
// The behavior may be further be altered by setting a RequireCTDelegate
// via |SetRequireCTDelegate()|.
- bool ShouldRequireCT(const std::string& host,
- const X509Certificate* validated_certificate_chain,
- const HashValueVector& hashes);
+ //
+ // This method checks Expect-CT state for |host| if |issued_by_known_root| is
+ // true. If Expect-CT is configured for |host| and the connection is not
+ // compliant and |report_status| is ENABLE_EXPECT_CT_REPORTS, then a report
+ // will be sent.
+ CTRequirementsStatus CheckCTRequirements(
+ const net::HostPortPair& host_port_pair,
+ bool is_issued_by_known_root,
+ const HashValueVector& public_key_hashes,
+ const X509Certificate* validated_certificate_chain,
+ const X509Certificate* served_certificate_chain,
+ const SignedCertificateTimestampAndStatusList&
+ signed_certificate_timestamps,
+ const ExpectCTReportStatus report_status,
+ ct::CertPolicyCompliance cert_policy_compliance);
// Assign a |Delegate| for persisting the transport security state. If
// |NULL|, state will not be persisted. The caller retains
@@ -527,9 +566,10 @@ class NET_EXPORT TransportSecurityState
const HostPortPair& host_port_pair,
const SSLInfo& ssl_info);
- // For unit tests only; causes ShouldRequireCT() to return |*required|
- // by default (that is, unless a RequireCTDelegate overrides). Set to
- // nullptr to reset.
+ // For unit tests only. Causes CheckCTRequirements() to return
+ // CT_REQUIREMENTS_NOT_MET (if |*required| is true) or CT_REQUIREMENTS_MET (if
+ // |*required| is false) for non-compliant connections by default (that is,
+ // unless a RequireCTDelegate overrides). Set to nullptr to reset.
static void SetShouldRequireCTForTesting(bool* required);
private:
« no previous file with comments | « chrome/browser/ssl/chrome_expect_ct_reporter_unittest.cc ('k') | net/http/transport_security_state.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698