Remember user decisions on invalid certificates behind a flag

chrome/browser/ssl/chrome_ssl_host_state_decisions.cc

+// Copyright (c) 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/ssl/chrome_ssl_host_state_decisions.h"
+
+#include "base/base64.h"
+#include "base/command_line.h"
+#include "base/logging.h"
+#include "base/strings/string_number_conversions.h"
+#include "base/time/default_clock.h"
+#include "base/time/time.h"
+#include "chrome/browser/content_settings/host_content_settings_map.h"
+#include "chrome/browser/profiles/profile.h"
+#include "chrome/common/chrome_switches.h"
+#include "chrome/common/content_settings_types.h"
+#include "url/gurl.h"
+
+namespace {
+
+// This is a helper function that returns the length of time before a
+// certificate decision expires based on the command line flags. Returns a value
+// in seconds, where a value of 0 specifically indicates that decisions should
+// not be remembered after the current session has ended (but should be
+// remembered indefinitely as long as the session does not end), which is the
+// "old" style of certificate decision memory.

[felt, 2014/07/07 22:26:39]

Might you want to use -1 instead of 0 for the "default"/old case? One could
imagine that a policy of 0 should mean it expires at the end of the current day.

[jww, 2014/07/08 17:35:41]

I'm not sure I understand. The number is in seconds, so my impression would be
that, if anything, "0 seconds" would mean "no memory at all," it seems to make
more sense to me to repurpose it as "don't remember after the session ends."

[felt, 2014/07/08 17:52:49]

I agree, 0 seconds means "no memory at all." But here it means "remember
indefinitely until session ends", which seems like the opposite of "no memory at
all."

[jww, 2014/07/08 23:49:01]

Fair enough. I've changed this to your suggestion.

+int64 GetExpirationDelta() {
+  if (!CommandLine::ForCurrentProcess()->HasSwitch(
+          switches::kRememberCertErrorDecisions))
+    return 0;
+
+  std::string switch_value =
+      CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
+          switches::kRememberCertErrorDecisions);
+  // If the expiration is set to 0, that means cert proceed decisions should
+  // never expire, until a restart of the profile.
+  int64 expiration_delta;
+  if (!base::StringToInt64(switch_value, &expiration_delta)) {

[felt, 2014/07/07 22:26:39]

should this be a DCHECK?

[jww, 2014/07/08 17:35:41]

I don't think so. A user can manually specify a command line flag that is
invalid (e.g. has letters in it), and I don't think Chrome should fail on an
assert, even in Debug. Also, this is the pattern I've seen elsewhere.

+    LOG(ERROR) << "Failed to parse the certificate error decision "
+               << "memory length: " << switch_value;
+  }
+
+  return expiration_delta;
+}
+
+const char kSSLCertDecisionCertErrorMapKey[] = "cert_exceptions_map";
+const char kSSLCertDecisionExpirationTimeKey[] = "decision_expiration_time";
+const char kSSLCertDecisionVersionKey[] = "version";
+const int kDefaultSSLCertDecisionVersion = 1;
+
+std::string GetKey(net::X509Certificate* cert, net::CertStatus error) {
+  net::SHA1HashValue fingerprint = cert->fingerprint();
+  std::string base64_fingerprint;
+  base::Base64Encode(
+      base::StringPiece(reinterpret_cast<const char*>(fingerprint.data),
+                        sizeof(fingerprint.data)),
+      &base64_fingerprint);
+  return base::UintToString(error) + base64_fingerprint;
+}
+
+}  // namespace
+
+// This helper function gets the dictionary of certificate fingerprints to
+// errors of certificates that have been accepted by the user from the content
+// dictionary that has been passed in. The returned pointer is owned by the the
+// argument dict that is passed in.
+//
+// If create_entries is set to |false|, GetValidCertDecisionsDict will return
+// NULL if there is anything invalid about the setting, such as an invalid
+// version or invalid value types (in addition to there not be any values in the
+// dictionary). If create_entries is set to |true|, if no dictionary is found or
+// the decisions are expired, a new dictionary will be created

[felt, 2014/07/07 22:26:39]

why do you need to support both cases for |create_entries|?

[jww, 2014/07/08 17:35:41]

There are two uses of GetValidCertDecisionsDict. The first is a simple query of
the policy, and if the entry is missing, that just means that no judgement has
been rendered, thus we don't want to create a new entry for the dictionary. The
second case is when we're changing the cert policy. In that case, we don't
necessarily already have an entry, but we definitely want to create one a new
one. The two cases are identical in that they are fetching a dictionary that we
want to look at or modify properties of. The only difference is that, in one
case, if it doesn't exist, we want to create a new one, and the other we just
want to know that it doesn't exist.

+base::DictionaryValue* ChromeSSLHostStateDecisions::GetValidCertDecisionsDict(
+    base::DictionaryValue* dict,
+    bool create_entries) {
+  // Extract the version of the certificate decision structure from the content
+  // setting.
+  int version;
+  bool success = dict->GetInteger(kSSLCertDecisionVersionKey, &version);
+  if (!success) {
+    if (!create_entries)
+      return NULL;
+
+    dict->SetInteger(kSSLCertDecisionVersionKey,
+                     kDefaultSSLCertDecisionVersion);
+    version = kDefaultSSLCertDecisionVersion;
+  }
+
+  // If the version is somehow a newer version than Chrome can handle, there's
+  // really nothing to do other than fail silently and pretend it doesn't exist
+  // (or is malformed).
+  if (version > kDefaultSSLCertDecisionVersion)
+    return NULL;
+
+  // Extract the certificate decision's expiration time from the content
+  // setting. If there is no expiration time, that means it should never expire
+  // and it should resest only at session restart, so skip all of the expiration
+  // checks.
+  bool expired = false;
+  double decision_expiration_dbl;
+  base::Time now = clock_->Now();
+  base::Time decision_expiration;
+  if (dict->HasKey(kSSLCertDecisionExpirationTimeKey)) {
+    success = dict->GetDouble(kSSLCertDecisionExpirationTimeKey,
+                              &decision_expiration_dbl);
+    decision_expiration = base::Time::FromDoubleT(decision_expiration_dbl);
+  }
+
+  // Check if the user certificate decision has expired. If it has expired, and
+  // create_entries is |false|, treat the entry as if it doesn't exist and
+  // return |NULL|. If it has expired, and create_entries is |true|, set the
+  // entry's expiration date to the current time plus the expiration time delta.
+  // Also, set expired to |true| which will force the create of a new dictionary
+  // in the dictionary extraction pass. None of this should be done if
+  // expiration happens on session end (i.e. the expiration delta is 0).
+  if (defaultSSLCertDecisionExpirationDelta_.InSeconds() > 0 &&
+      decision_expiration < now) {
+    if (!create_entries)
+      return NULL;
+
+    expired = true;
+
+    // If defaultSSLCertDecisionExpirationDelta_ is 0, that means that decisions
+    // should never expire. Thus, in that case, no key should be set.
+    if (defaultSSLCertDecisionExpirationDelta_.InSeconds() != 0) {
+      base::Time expiration_time = now + defaultSSLCertDecisionExpirationDelta_;
+      dict->SetDouble(kSSLCertDecisionExpirationTimeKey,
+                      expiration_time.ToDoubleT());
+    }
+  }
+
+  // Extract the map of certificate fingerprints to errors from the setting.
+  base::DictionaryValue* cert_error_dict;  // Owned by dict
+  if (expired ||
+      !dict->GetDictionary(kSSLCertDecisionCertErrorMapKey, &cert_error_dict)) {
+    if (!create_entries)
+      return NULL;
+
+    cert_error_dict = new base::DictionaryValue();
+    // dict takes ownership of cert_error_dict
+    dict->Set(kSSLCertDecisionCertErrorMapKey, cert_error_dict);
+  }
+
+  return cert_error_dict;
+}
+
+// If defaultSSLCertDecisionExpirationDelta_ is 0, that means that all invalid
+// certificate proceed decisions should be forgotten when the session ends. At
+// attempt is made in the destructor to remove the entries, but in the case that
+// things didn't shut down cleanly, on start, Clear is called to guarantee a
+// clean state.
+ChromeSSLHostStateDecisions::ChromeSSLHostStateDecisions(Profile* profile)
+    : clock_(new base::DefaultClock()),
+      defaultSSLCertDecisionExpirationDelta_(
+          base::TimeDelta::FromSeconds(GetExpirationDelta())),
+      profile_(profile) {
+  if (defaultSSLCertDecisionExpirationDelta_.InSeconds() == 0)
+    Clear();
+}
+
+ChromeSSLHostStateDecisions::~ChromeSSLHostStateDecisions() {
+  if (defaultSSLCertDecisionExpirationDelta_.InSeconds() == 0)
+    Clear();
+}
+
+void ChromeSSLHostStateDecisions::DenyCert(const GURL& url,
+                                           net::X509Certificate* cert,
+                                           net::CertStatus error) {
+  ChangeCertPolicy(url, cert, error, net::CertPolicy::DENIED);
+}
+
+void ChromeSSLHostStateDecisions::AllowCert(const GURL& url,
+                                            net::X509Certificate* cert,
+                                            net::CertStatus error) {
+  ChangeCertPolicy(url, cert, error, net::CertPolicy::ALLOWED);
+}
+
+void ChromeSSLHostStateDecisions::Clear() {
+  profile_->GetHostContentSettingsMap()->ClearSettingsForOneType(
+      CONTENT_SETTINGS_TYPE_SSL_CERT_DECISIONS);
+}
+
+net::CertPolicy::Judgment ChromeSSLHostStateDecisions::QueryPolicy(
+    const GURL& url,
+    net::X509Certificate* cert,
+    net::CertStatus error) {
+  HostContentSettingsMap* map = profile_->GetHostContentSettingsMap();
+  scoped_ptr<base::Value> value(map->GetWebsiteSetting(
+      url, url, CONTENT_SETTINGS_TYPE_SSL_CERT_DECISIONS, "", NULL));
+
+  DCHECK(value.get());
+
+  if (!value->IsType(base::Value::TYPE_DICTIONARY))
+    return net::CertPolicy::UNKNOWN;
+
+  base::DictionaryValue* dict;  // Owned by value
+  int policy_decision;          // Owned by dict
+  bool success = value->GetAsDictionary(&dict);
+  DCHECK(success);
+
+  // First, check that the version of the dictionary of decisions is a version
+  // that is known. Otherwise, fail.
+  base::DictionaryValue* cert_error_dict;  // Owned by value
+  cert_error_dict = GetValidCertDecisionsDict(dict, false);
+  if (!cert_error_dict)
+    return net::CertPolicy::UNKNOWN;
+
+  success = cert_error_dict->GetIntegerWithoutPathExpansion(GetKey(cert, error),
+                                                            &policy_decision);
+
+  if (!success)
+    return net::CertPolicy::Judgment::UNKNOWN;
+
+  return static_cast<net::CertPolicy::Judgment>(policy_decision);
+}
+
+void ChromeSSLHostStateDecisions::RevokeAllowAndDenyPreferences(
+    const GURL& url) {
+  const ContentSettingsPattern pattern =
+      ContentSettingsPattern::FromURLNoWildcard(url);
+  HostContentSettingsMap* map = profile_->GetHostContentSettingsMap();
+
+  map->SetWebsiteSetting(
+      pattern, pattern, CONTENT_SETTINGS_TYPE_SSL_CERT_DECISIONS, "", NULL);
+}
+
+bool ChromeSSLHostStateDecisions::HasAllowedOrDeniedCert(const GURL& url) {
+  const ContentSettingsPattern pattern =
+      ContentSettingsPattern::FromURLNoWildcard(url);
+  HostContentSettingsMap* map = profile_->GetHostContentSettingsMap();
+
+  scoped_ptr<base::Value> value(map->GetWebsiteSetting(
+      url, url, CONTENT_SETTINGS_TYPE_SSL_CERT_DECISIONS, "", NULL));
+
+  if (!value->IsType(base::Value::TYPE_DICTIONARY))
+    return false;
+
+  base::DictionaryValue* dict;  // Owned by value
+  bool success = value->GetAsDictionary(&dict);
+  DCHECK(success);
+
+  for (base::DictionaryValue::Iterator it(*dict); !it.IsAtEnd(); it.Advance()) {
+    int policy_decision;  // Owned by dict
+    success = it.value().GetAsInteger(&policy_decision);
+    if (success && (static_cast<net::CertPolicy::Judgment>(policy_decision) !=
+                    net::CertPolicy::UNKNOWN))
+      return true;
+  }
+
+  return false;
+}
+
+void ChromeSSLHostStateDecisions::ChangeCertPolicy(
+    const GURL& url,
+    net::X509Certificate* cert,
+    net::CertStatus error,
+    net::CertPolicy::Judgment judgment) {
+  const ContentSettingsPattern pattern =
+      ContentSettingsPattern::FromURLNoWildcard(url);
+  HostContentSettingsMap* map = profile_->GetHostContentSettingsMap();
+  scoped_ptr<base::Value> value(map->GetWebsiteSetting(
+      url, url, CONTENT_SETTINGS_TYPE_SSL_CERT_DECISIONS, "", NULL));
+
+  if (!value->IsType(base::Value::TYPE_DICTIONARY))
+    value.reset(new base::DictionaryValue());
+
+  base::DictionaryValue* dict;
+  bool success = value->GetAsDictionary(&dict);
+  DCHECK(success);
+
+  base::DictionaryValue* cert_dict = GetValidCertDecisionsDict(dict, true);
+  // If a a valid certificate dictionary cannot be extracted from the content
+  // setting, that means it's in an unknown format. Unfortunately, there's
+  // nothing to be done in that case, so a silent fail is the only option.
+  if (!cert_dict)
+    return;
+
+  dict->SetIntegerWithoutPathExpansion(kSSLCertDecisionVersionKey,
+                                       kDefaultSSLCertDecisionVersion);
+  cert_dict->SetIntegerWithoutPathExpansion(GetKey(cert, error), judgment);
+
+  // The map takes ownership of the value, so it is released in the call to
+  // SetWebsiteSetting.
+  map->SetWebsiteSetting(pattern,
+                         pattern,
+                         CONTENT_SETTINGS_TYPE_SSL_CERT_DECISIONS,
+                         "",
+                         value.release());
+}