| OLD | NEW |
|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/ssl/chrome_expect_ct_reporter.h" | 5 #include "chrome/browser/ssl/chrome_expect_ct_reporter.h" |
| 6 | 6 |
| 7 #include <string> | 7 #include <string> |
| 8 | 8 |
| 9 #include "base/base64.h" | 9 #include "base/base64.h" |
| 10 #include "base/command_line.h" | 10 #include "base/command_line.h" |
| 11 #include "base/feature_list.h" | 11 #include "base/feature_list.h" |
| 12 #include "base/json/json_writer.h" | 12 #include "base/json/json_writer.h" |
| 13 #include "base/memory/ptr_util.h" | 13 #include "base/memory/ptr_util.h" |
| 14 #include "base/metrics/histogram_macros.h" | 14 #include "base/metrics/histogram_macros.h" |
| 15 #include "base/metrics/sparse_histogram.h" | 15 #include "base/metrics/sparse_histogram.h" |
| 16 #include "base/strings/string_number_conversions.h" | 16 #include "base/strings/string_number_conversions.h" |
| 17 #include "base/strings/stringprintf.h" | 17 #include "base/strings/stringprintf.h" |
| 18 #include "base/values.h" | 18 #include "base/values.h" |
| 19 #include "chrome/common/chrome_features.h" | 19 #include "chrome/common/chrome_features.h" |
| 20 #include "net/cert/ct_serialization.h" |
| 20 #include "net/traffic_annotation/network_traffic_annotation.h" | 21 #include "net/traffic_annotation/network_traffic_annotation.h" |
| 21 #include "net/url_request/report_sender.h" | 22 #include "net/url_request/report_sender.h" |
| 22 | 23 |
| 23 namespace { | 24 namespace { |
| 24 | 25 |
| 25 std::string TimeToISO8601(const base::Time& t) { | 26 std::string TimeToISO8601(const base::Time& t) { |
| 26 base::Time::Exploded exploded; | 27 base::Time::Exploded exploded; |
| 27 t.UTCExplode(&exploded); | 28 t.UTCExplode(&exploded); |
| 28 return base::StringPrintf( | 29 return base::StringPrintf( |
| 29 "%04d-%02d-%02dT%02d:%02d:%02d.%03dZ", exploded.year, exploded.month, | 30 "%04d-%02d-%02dT%02d:%02d:%02d.%03dZ", exploded.year, exploded.month, |
| (...skipping 14 matching lines...) Expand all Loading... |
| 44 | 45 |
| 45 return result; | 46 return result; |
| 46 } | 47 } |
| 47 | 48 |
| 48 std::string SCTOriginToString( | 49 std::string SCTOriginToString( |
| 49 net::ct::SignedCertificateTimestamp::Origin origin) { | 50 net::ct::SignedCertificateTimestamp::Origin origin) { |
| 50 switch (origin) { | 51 switch (origin) { |
| 51 case net::ct::SignedCertificateTimestamp::SCT_EMBEDDED: | 52 case net::ct::SignedCertificateTimestamp::SCT_EMBEDDED: |
| 52 return "embedded"; | 53 return "embedded"; |
| 53 case net::ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION: | 54 case net::ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION: |
| 54 return "from-tls-extension"; | 55 return "tls-extension"; |
| 55 case net::ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE: | 56 case net::ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE: |
| 56 return "from-ocsp-response"; | 57 return "ocsp"; |
| 57 default: | 58 case net::ct::SignedCertificateTimestamp::SCT_ORIGIN_MAX: |
| 58 NOTREACHED(); | 59 NOTREACHED(); |
| 59 } | 60 } |
| 60 return ""; | 61 return ""; |
| 61 } | 62 } |
| 62 | 63 |
| 63 void AddUnknownSCT( | 64 void AddSCT(const net::SignedCertificateTimestampAndStatus& sct, |
| 64 const net::SignedCertificateTimestampAndStatus& sct_and_status, | 65 base::ListValue* list) { |
| 65 base::ListValue* list) { | |
| 66 std::unique_ptr<base::DictionaryValue> list_item(new base::DictionaryValue()); | 66 std::unique_ptr<base::DictionaryValue> list_item(new base::DictionaryValue()); |
| 67 list_item->SetString("origin", SCTOriginToString(sct_and_status.sct->origin)); | 67 // Chrome implements RFC6962, not 6962-bis, so the reports contain v1 SCTs. |
| 68 list_item->SetInteger("version", 1); |
| 69 std::string status; |
| 70 switch (sct.status) { |
| 71 case net::ct::SCT_STATUS_LOG_UNKNOWN: |
| 72 status = "unknown"; |
| 73 break; |
| 74 case net::ct::SCT_STATUS_INVALID_SIGNATURE: |
| 75 case net::ct::SCT_STATUS_INVALID_TIMESTAMP: |
| 76 status = "invalid"; |
| 77 break; |
| 78 case net::ct::SCT_STATUS_OK: |
| 79 status = "valid"; |
| 80 break; |
| 81 case net::ct::SCT_STATUS_NONE: |
| 82 NOTREACHED(); |
| 83 } |
| 84 list_item->SetString("status", status); |
| 85 list_item->SetString("source", SCTOriginToString(sct.sct->origin)); |
| 86 std::string serialized_sct; |
| 87 net::ct::EncodeSignedCertificateTimestamp(sct.sct, &serialized_sct); |
| 88 std::string encoded_serialized_sct; |
| 89 base::Base64Encode(serialized_sct, &encoded_serialized_sct); |
| 90 list_item->SetString("serialized_sct", encoded_serialized_sct); |
| 68 list->Append(std::move(list_item)); | 91 list->Append(std::move(list_item)); |
| 69 } | 92 } |
| 70 | 93 |
| 71 void AddInvalidSCT( | |
| 72 const net::SignedCertificateTimestampAndStatus& sct_and_status, | |
| 73 base::ListValue* list) { | |
| 74 std::unique_ptr<base::DictionaryValue> list_item(new base::DictionaryValue()); | |
| 75 list_item->SetString("origin", SCTOriginToString(sct_and_status.sct->origin)); | |
| 76 std::string log_id; | |
| 77 base::Base64Encode(sct_and_status.sct->log_id, &log_id); | |
| 78 list_item->SetString("id", log_id); | |
| 79 list->Append(std::move(list_item)); | |
| 80 } | |
| 81 | |
| 82 void AddValidSCT(const net::SignedCertificateTimestampAndStatus& sct_and_status, | |
| 83 base::ListValue* list) { | |
| 84 std::unique_ptr<base::DictionaryValue> list_item(new base::DictionaryValue()); | |
| 85 list_item->SetString("origin", SCTOriginToString(sct_and_status.sct->origin)); | |
| 86 | |
| 87 // The structure of the SCT object is defined in | |
| 88 // http://tools.ietf.org/html/rfc6962#section-4.1. | |
| 89 std::unique_ptr<base::DictionaryValue> sct(new base::DictionaryValue()); | |
| 90 sct->SetInteger("sct_version", sct_and_status.sct->version); | |
| 91 std::string log_id; | |
| 92 base::Base64Encode(sct_and_status.sct->log_id, &log_id); | |
| 93 sct->SetString("id", log_id); | |
| 94 base::TimeDelta timestamp = | |
| 95 sct_and_status.sct->timestamp - base::Time::UnixEpoch(); | |
| 96 sct->SetString("timestamp", base::Int64ToString(timestamp.InMilliseconds())); | |
| 97 std::string extensions; | |
| 98 base::Base64Encode(sct_and_status.sct->extensions, &extensions); | |
| 99 sct->SetString("extensions", extensions); | |
| 100 std::string signature; | |
| 101 base::Base64Encode(sct_and_status.sct->signature.signature_data, &signature); | |
| 102 sct->SetString("signature", signature); | |
| 103 | |
| 104 list_item->Set("sct", std::move(sct)); | |
| 105 list->Append(std::move(list_item)); | |
| 106 } | |
| 107 | |
| 108 // Records an UMA histogram of the net errors when Expect CT reports | 94 // Records an UMA histogram of the net errors when Expect CT reports |
| 109 // fail to send. | 95 // fail to send. |
| 110 void RecordUMAOnFailure(const GURL& report_uri, | 96 void RecordUMAOnFailure(const GURL& report_uri, |
| 111 int net_error, | 97 int net_error, |
| 112 int http_response_code) { | 98 int http_response_code) { |
| 113 UMA_HISTOGRAM_SPARSE_SLOWLY("SSL.ExpectCTReportFailure2", -net_error); | 99 UMA_HISTOGRAM_SPARSE_SLOWLY("SSL.ExpectCTReportFailure2", -net_error); |
| 114 } | 100 } |
| 115 | 101 |
| 116 constexpr net::NetworkTrafficAnnotationTag kTrafficAnnotation = | 102 constexpr net::NetworkTrafficAnnotationTag kTrafficAnnotation = |
| 117 net::DefineNetworkTrafficAnnotation("chrome_expect_ct_reporter", R"( | 103 net::DefineNetworkTrafficAnnotation("chrome_expect_ct_reporter", R"( |
| (...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 154 const net::X509Certificate* validated_certificate_chain, | 140 const net::X509Certificate* validated_certificate_chain, |
| 155 const net::X509Certificate* served_certificate_chain, | 141 const net::X509Certificate* served_certificate_chain, |
| 156 const net::SignedCertificateTimestampAndStatusList& | 142 const net::SignedCertificateTimestampAndStatusList& |
| 157 signed_certificate_timestamps) { | 143 signed_certificate_timestamps) { |
| 158 if (report_uri.is_empty()) | 144 if (report_uri.is_empty()) |
| 159 return; | 145 return; |
| 160 | 146 |
| 161 if (!base::FeatureList::IsEnabled(features::kExpectCTReporting)) | 147 if (!base::FeatureList::IsEnabled(features::kExpectCTReporting)) |
| 162 return; | 148 return; |
| 163 | 149 |
| 164 base::DictionaryValue report; | 150 base::DictionaryValue outer_report; |
| 165 report.SetString("hostname", host_port_pair.host()); | 151 base::DictionaryValue* report = outer_report.SetDictionary( |
| 166 report.SetInteger("port", host_port_pair.port()); | 152 "expect-ct-report", base::MakeUnique<base::DictionaryValue>()); |
| 167 report.SetString("date-time", TimeToISO8601(base::Time::Now())); | 153 report->SetString("hostname", host_port_pair.host()); |
| 168 report.SetString("effective-expiration-date", TimeToISO8601(expiration)); | 154 report->SetInteger("port", host_port_pair.port()); |
| 169 report.Set("served-certificate-chain", | 155 report->SetString("date-time", TimeToISO8601(base::Time::Now())); |
| 170 GetPEMEncodedChainAsList(served_certificate_chain)); | 156 report->SetString("effective-expiration-date", TimeToISO8601(expiration)); |
| 171 report.Set("validated-certificate-chain", | 157 report->Set("served-certificate-chain", |
| 172 GetPEMEncodedChainAsList(validated_certificate_chain)); | 158 GetPEMEncodedChainAsList(served_certificate_chain)); |
| 159 report->Set("validated-certificate-chain", |
| 160 GetPEMEncodedChainAsList(validated_certificate_chain)); |
| 173 | 161 |
| 174 std::unique_ptr<base::ListValue> unknown_scts(new base::ListValue()); | 162 std::unique_ptr<base::ListValue> scts(new base::ListValue()); |
| 175 std::unique_ptr<base::ListValue> invalid_scts(new base::ListValue()); | |
| 176 std::unique_ptr<base::ListValue> valid_scts(new base::ListValue()); | |
| 177 | |
| 178 for (const auto& sct_and_status : signed_certificate_timestamps) { | 163 for (const auto& sct_and_status : signed_certificate_timestamps) { |
| 179 switch (sct_and_status.status) { | 164 AddSCT(sct_and_status, scts.get()); |
| 180 case net::ct::SCT_STATUS_LOG_UNKNOWN: | |
| 181 AddUnknownSCT(sct_and_status, unknown_scts.get()); | |
| 182 break; | |
| 183 case net::ct::SCT_STATUS_INVALID_SIGNATURE: | |
| 184 case net::ct::SCT_STATUS_INVALID_TIMESTAMP: | |
| 185 AddInvalidSCT(sct_and_status, invalid_scts.get()); | |
| 186 break; | |
| 187 case net::ct::SCT_STATUS_OK: | |
| 188 AddValidSCT(sct_and_status, valid_scts.get()); | |
| 189 break; | |
| 190 default: | |
| 191 NOTREACHED(); | |
| 192 } | |
| 193 } | 165 } |
| 194 | 166 report->Set("scts", std::move(scts)); |
| 195 report.Set("unknown-scts", std::move(unknown_scts)); | |
| 196 report.Set("invalid-scts", std::move(invalid_scts)); | |
| 197 report.Set("valid-scts", std::move(valid_scts)); | |
| 198 | 167 |
| 199 std::string serialized_report; | 168 std::string serialized_report; |
| 200 if (!base::JSONWriter::Write(report, &serialized_report)) { | 169 if (!base::JSONWriter::Write(outer_report, &serialized_report)) { |
| 201 LOG(ERROR) << "Failed to serialize Expect CT report"; | 170 LOG(ERROR) << "Failed to serialize Expect CT report"; |
| 202 return; | 171 return; |
| 203 } | 172 } |
| 204 | 173 |
| 205 UMA_HISTOGRAM_BOOLEAN("SSL.ExpectCTReportSendingAttempt", true); | 174 UMA_HISTOGRAM_BOOLEAN("SSL.ExpectCTReportSendingAttempt", true); |
| 206 | 175 |
| 207 report_sender_->Send(report_uri, "application/json; charset=utf-8", | 176 report_sender_->Send(report_uri, "application/json; charset=utf-8", |
| 208 serialized_report, base::Callback<void()>(), | 177 serialized_report, base::Callback<void()>(), |
| 209 base::Bind(RecordUMAOnFailure)); | 178 base::Bind(RecordUMAOnFailure)); |
| 210 } | 179 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2957063005:
Reland of Update SCT serialization format in Expect-CT reports (Closed)
