Add effective-expiration-date to Expect-CT reports

net/http/transport_security_state.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_state.h"
 
 #include <memory>
 #include <utility>
 #include <vector>
 
@@ skipping 873 matching lines @@
     return CT_REQUIREMENTS_MET;
   }
 
   // Check Expect-CT first so that other CT requirements do not prevent
   // Expect-CT reports from being sent.
   ExpectCTState state;
   if (is_issued_by_known_root && IsDynamicExpectCTEnabled() &&
       GetDynamicExpectCTState(hostname, &state)) {
     if (expect_ct_reporter_ && !state.report_uri.is_empty() &&
         report_status == ENABLE_EXPECT_CT_REPORTS) {
-      MaybeNotifyExpectCTFailed(
-          host_port_pair, state.report_uri, validated_certificate_chain,
-          served_certificate_chain, signed_certificate_timestamps);
+      MaybeNotifyExpectCTFailed(host_port_pair, state.report_uri, state.expiry,
+                                validated_certificate_chain,
+                                served_certificate_chain,
+                                signed_certificate_timestamps);
     }
     if (state.enforce)
       return CT_REQUIREMENTS_NOT_MET;
   }
 
   CTRequirementLevel ct_required = CTRequirementLevel::DEFAULT;
   if (require_ct_delegate_)
     ct_required = require_ct_delegate_->IsCTRequiredForHost(hostname);
   if (ct_required != CTRequirementLevel::DEFAULT)
     return (ct_required == CTRequirementLevel::REQUIRED
@@ skipping 294 matching lines @@
 
   expect_ct_state->domain = host.substr(result.hostname_offset);
   expect_ct_state->report_uri = GURL(
       g_hsts_source->expect_ct_report_uris[result.expect_ct_report_uri_id]);
   return true;
 }
 
 void TransportSecurityState::MaybeNotifyExpectCTFailed(
     const HostPortPair& host_port_pair,
     const GURL& report_uri,
+    base::Time expiration,
     const X509Certificate* validated_certificate_chain,
     const X509Certificate* served_certificate_chain,
     const SignedCertificateTimestampAndStatusList&
         signed_certificate_timestamps) {
   // Do not send repeated reports to the same host/port pair within
   // |kTimeToRememberReportsMins|. Theoretically, there could be scenarios in
   // which the same host/port generates different reports and it would be useful
   // to the server operator to receive those different reports, but such
   // scenarios are not expected to arise very often in practice.
   const std::string report_cache_key(host_port_pair.ToString());
   if (sent_expect_ct_reports_cache_.Get(report_cache_key,
                                         base::TimeTicks::Now())) {
     return;
   }
   sent_expect_ct_reports_cache_.Put(
       report_cache_key, true, base::TimeTicks::Now(),
       base::TimeTicks::Now() +
           base::TimeDelta::FromMinutes(kTimeToRememberReportsMins));
 
   expect_ct_reporter_->OnExpectCTFailed(
-      host_port_pair, report_uri, validated_certificate_chain,
+      host_port_pair, report_uri, expiration, validated_certificate_chain,
       served_certificate_chain, signed_certificate_timestamps);
 }
 
 bool TransportSecurityState::GetStaticExpectStapleState(
     const std::string& host,
     ExpectStapleState* expect_staple_state) const {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   if (!IsBuildTimely())
     return false;
@@ skipping 227 matching lines @@
       return;
     if (!ssl_info.is_issued_by_known_root)
       return;
     if (!ssl_info.ct_compliance_details_available)
       return;
     if (ssl_info.ct_cert_policy_compliance ==
         ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS)
       return;
     ExpectCTState state;
     if (GetStaticExpectCTState(host_port_pair.host(), &state)) {
-      MaybeNotifyExpectCTFailed(host_port_pair, state.report_uri,
+      MaybeNotifyExpectCTFailed(host_port_pair, state.report_uri, base::Time(),
                                 ssl_info.cert.get(),
                                 ssl_info.unverified_cert.get(),
                                 ssl_info.signed_certificate_timestamps);
     }
     return;
   }
 
   // Otherwise, see if the site has sent a valid Expect-CT header to dynamically
   // turn on reporting and/or enforcement.
   if (!IsDynamicExpectCTEnabled())
@@ skipping 15 matching lines @@
     ExpectCTState state;
     // If an Expect-CT header is observed over a non-compliant connection, the
     // site owner should be notified about the misconfiguration. If the site was
     // already opted in to Expect-CT, this report would have been sent at
     // connection setup time. If the host is not already a noted Expect-CT host,
     // however, the lack of CT compliance would not have been evaluated/reported
     // at connection setup time, so it needs to be reported here while
     // processing the header.
     if (expect_ct_reporter_ && !report_uri.is_empty() &&
         !GetDynamicExpectCTState(host_port_pair.host(), &state)) {
-      MaybeNotifyExpectCTFailed(host_port_pair, report_uri, ssl_info.cert.get(),
+      MaybeNotifyExpectCTFailed(host_port_pair, report_uri, base::Time(),
+                                ssl_info.cert.get(),
                                 ssl_info.unverified_cert.get(),
                                 ssl_info.signed_certificate_timestamps);
     }
     return;
   }
   AddExpectCTInternal(host_port_pair.host(), now, now + max_age, enforce,
                       report_uri);
 }
 
 // static
@@ skipping 316 matching lines @@
 TransportSecurityState::PKPStateIterator::PKPStateIterator(
     const TransportSecurityState& state)
     : iterator_(state.enabled_pkp_hosts_.begin()),
       end_(state.enabled_pkp_hosts_.end()) {
 }
 
 TransportSecurityState::PKPStateIterator::~PKPStateIterator() {
 }
 
 }  // namespace net