Index: net/http/transport_security_state.h |
diff --git a/net/http/transport_security_state.h b/net/http/transport_security_state.h |
index f2d182c901031b6ed833c0f30a014c610d309048..f9364e6c15682a8f29d022c33f4865924994ac65 100644 |
--- a/net/http/transport_security_state.h |
+++ b/net/http/transport_security_state.h |
@@ -20,11 +20,16 @@ |
#include "net/base/expiring_cache.h" |
#include "net/base/hash_value.h" |
#include "net/base/net_export.h" |
+#include "net/cert/signed_certificate_timestamp_and_status.h" |
#include "net/http/transport_security_state_source.h" |
#include "url/gurl.h" |
namespace net { |
+namespace ct { |
+enum class CertPolicyCompliance; |
+}; |
+ |
class HostPortPair; |
class SSLInfo; |
class X509Certificate; |
@@ -310,9 +315,13 @@ class NET_EXPORT TransportSecurityState |
// Called when the host in |host_port_pair| has opted in to have |
// reports about Expect CT policy violations sent to |report_uri|, |
// and such a violation has occurred. |
- virtual void OnExpectCTFailed(const net::HostPortPair& host_port_pair, |
- const GURL& report_uri, |
- const net::SSLInfo& ssl_info) = 0; |
+ virtual void OnExpectCTFailed( |
+ const net::HostPortPair& host_port_pair, |
+ const GURL& report_uri, |
+ const X509Certificate* validated_certificate_chain, |
+ const X509Certificate* served_certificate_chain, |
+ const SignedCertificateTimestampAndStatusList& |
+ signed_certificate_timestamps) = 0; |
protected: |
virtual ~ExpectCTReporter() {} |
@@ -322,6 +331,13 @@ class NET_EXPORT TransportSecurityState |
// report if a violation is detected. |
enum PublicKeyPinReportStatus { ENABLE_PIN_REPORTS, DISABLE_PIN_REPORTS }; |
+ // Indicates whether or not an Expect-CT check should send a report if a |
+ // violation is detected. |
+ enum ExpectCTReportStatus { |
+ ENABLE_EXPECT_CT_REPORTS, |
+ DISABLE_EXPECT_CT_REPORTS |
+ }; |
+ |
// Feature that controls whether Expect-CT HTTP headers are parsed, processed, |
// and stored. |
static const base::Feature kDynamicExpectCTFeature; |
@@ -361,16 +377,29 @@ class NET_EXPORT TransportSecurityState |
const SSLInfo& ssl_info, |
base::StringPiece ocsp_response); |
- // Returns true if connections to |host|, using the validated certificate |
- // |validated_certificate_chain|, are expected to be accompanied with |
+ // Returns false if a connection violates CT policy requirements: that is, if |
+ // a connection to |host|, using the validated certificate |
+ // |validated_certificate_chain|, is expected to be accompanied with |
// valid Certificate Transparency information that complies with the |
- // connection's CTPolicyEnforcer. |
+ // connection's CTPolicyEnforcer and |cert_policy_compliance| indicates that |
+ // the connection does not comply. |
// |
// The behavior may be further be altered by setting a RequireCTDelegate |
// via |SetRequireCTDelegate()|. |
- bool ShouldRequireCT(const std::string& host, |
- const X509Certificate* validated_certificate_chain, |
- const HashValueVector& hashes); |
+ // |
+ // This method checks Expect-CT state for |host| if |issued_by_known_root| is |
+ // true. If Expect-CT is configured for |host| and the connection is not |
+ // compliant and |report_status| is ENABLE_EXPECT_CT_REPORTS, then a report |
+ // will be sent. |
+ bool CheckCTRequirements(const net::HostPortPair& host_port_pair, |
+ bool is_issued_by_known_root, |
+ const HashValueVector& public_key_hashes, |
+ const X509Certificate* validated_certificate_chain, |
+ const X509Certificate* served_certificate_chain, |
+ const SignedCertificateTimestampAndStatusList& |
+ signed_certificate_timestamps, |
+ const ExpectCTReportStatus report_status, |
+ ct::CertPolicyCompliance cert_policy_compliance); |
// Assign a |Delegate| for persisting the transport security state. If |
// |NULL|, state will not be persisted. The caller retains |
@@ -527,7 +556,7 @@ class NET_EXPORT TransportSecurityState |
const HostPortPair& host_port_pair, |
const SSLInfo& ssl_info); |
- // For unit tests only; causes ShouldRequireCT() to return |*required| |
+ // For unit tests only; causes CheckCTRequirements() to return |*required| |
mattm
2017/05/04 01:57:11
comment seems backwards now. (should require = tru
estark
2017/05/04 04:03:25
Fixed with new enum return value.
|
// by default (that is, unless a RequireCTDelegate overrides). Set to |
// nullptr to reset. |
static void SetShouldRequireCTForTesting(bool* required); |