Index: net/http/transport_security_state.cc |
diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc |
index 4486954966631398bc9cc155e1b6435fa2138475..2c4f4449f5529e58ac83e8d5f480d5feca15c021 100644 |
--- a/net/http/transport_security_state.cc |
+++ b/net/http/transport_security_state.cc |
@@ -861,10 +861,31 @@ bool TransportSecurityState::HasPublicKeyPins(const std::string& host) { |
} |
bool TransportSecurityState::ShouldRequireCT( |
- const std::string& hostname, |
+ const net::HostPortPair& host_port_pair, |
+ bool is_issued_by_known_root, |
+ const HashValueVector& public_key_hashes, |
const X509Certificate* validated_certificate_chain, |
- const HashValueVector& public_key_hashes) { |
+ const X509Certificate* served_certificate_chain, |
+ const SignedCertificateTimestampAndStatusList& |
+ signed_certificate_timestamps, |
+ const ExpectCTReportStatus report_status) { |
using CTRequirementLevel = RequireCTDelegate::CTRequirementLevel; |
+ std::string hostname = host_port_pair.host(); |
+ |
+ // Check Expect-CT first so that other CT requirements do not prevent |
+ // Expect-CT reports from being sent. |
+ ExpectCTState state; |
+ if (is_issued_by_known_root && IsDynamicExpectCTEnabled() && |
+ GetDynamicExpectCTState(hostname, &state)) { |
+ if (expect_ct_reporter_ && !state.report_uri.is_empty() && |
+ report_status == ENABLE_EXPECT_CT_REPORTS) { |
+ expect_ct_reporter_->OnExpectCTFailed( |
+ host_port_pair, state.report_uri, served_certificate_chain, |
+ validated_certificate_chain, signed_certificate_timestamps); |
+ } |
+ if (state.enforce) |
+ return true; |
+ } |
CTRequirementLevel ct_required = CTRequirementLevel::DEFAULT; |
if (require_ct_delegate_) |
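Review bot: ShouldRequireCT now carries a reporting side effect at `expect_ct_reporter_->OnExpectCTFailed(`, yet nothing in the hunk ties the report to an actual CT failure; it fires whenever dynamic Expect-CT state exists for the host and the chain is issued by a known root. If callers only reach this method after CT compliance has already been found lacking, that precondition should be stated on the declaration, e.g. `// May send an Expect-CT report as a side effect; call only after CT compliance for this connection is known to have failed.`, since otherwise a compliant connection to an Expect-CT host would produce a spurious report. Note also that `std::string hostname = host_port_pair.host();` takes a copy where `const std::string& hostname = host_port_pair.host();` would serve. The function body continues past the end of the hunk.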
@@ -1413,8 +1434,9 @@ void TransportSecurityState::ProcessExpectCTHeader( |
return; |
ExpectCTState state; |
if (GetStaticExpectCTState(host_port_pair.host(), &state)) { |
- expect_ct_reporter_->OnExpectCTFailed(host_port_pair, state.report_uri, |
- ssl_info); |
+ expect_ct_reporter_->OnExpectCTFailed( |
+ host_port_pair, state.report_uri, ssl_info.unverified_cert.get(), |
+ ssl_info.cert.get(), ssl_info.signed_certificate_timestamps); |
} |
return; |
} |
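Review bot: The raw pointers `ssl_info.unverified_cert.get()` and `ssl_info.cert.get()` are passed to the reporter without a null check; if `ssl_info.cert` can be unset when verification failed, which is precisely when an Expect-CT report is of interest, the reporter must tolerate a null validated chain and that expectation is not visible here. If OnExpectCTFailed does accept null, a short comment such as `// cert may be null when verification failed; the reporter must handle it.` above the call would make the contract explicit; the same applies to the second ProcessExpectCTHeader hunk below. The argument order (served chain, then validated chain) is consistent with the ShouldRequireCT hunk above. Both hunks sit inside ProcessExpectCTHeader, whose start and end are outside the visible lines.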
@@ -1447,8 +1469,9 @@ void TransportSecurityState::ProcessExpectCTHeader( |
// processing the header. |
if (expect_ct_reporter_ && !report_uri.is_empty() && |
!GetDynamicExpectCTState(host_port_pair.host(), &state)) { |
- expect_ct_reporter_->OnExpectCTFailed(host_port_pair, report_uri, |
- ssl_info); |
+ expect_ct_reporter_->OnExpectCTFailed( |
+ host_port_pair, report_uri, ssl_info.unverified_cert.get(), |
+ ssl_info.cert.get(), ssl_info.signed_certificate_timestamps); |
} |
return; |
} |