Centralize the logic for checking public key pins

net/http/transport_security_state.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_state.h"
 
 #if defined(USE_OPENSSL)
 #include <openssl/ecdsa.h>
 #include <openssl/ssl.h>
 #else  // !defined(USE_OPENSSL)
@@ skipping 66 matching lines @@
              HashValueVector* out) {
   HashValue hash(HASH_VALUE_SHA1);
   memcpy(hash.data(), sha1_hash, hash.size());
   out->push_back(hash);
   return true;
 }
 
 }  // namespace
 
 TransportSecurityState::TransportSecurityState()
-  : delegate_(NULL) {
+    : delegate_(NULL),
+      enable_static_pinning_(true) {
+  // Static pinning is only enabled for official builds to make sure that
+  // others don't end up with pins that cannot be easily updated.
+#if !defined(OFFICIAL_BUILD) || defined(OS_ANDROID) || defined(OS_IOS)
+  enable_static_pinning_ = false;
+#endif
   DCHECK(CalledOnValidThread());
 }
 
 TransportSecurityState::Iterator::Iterator(const TransportSecurityState& state)
     : iterator_(state.enabled_hosts_.begin()),
       end_(state.enabled_hosts_.end()) {
 }
 
 TransportSecurityState::Iterator::~Iterator() {}
 
@@ skipping 13 matching lines @@
 
   DomainState static_state;
   if (GetStaticDomainState(host, sni_enabled, &static_state) &&
       static_state.ShouldUpgradeToSSL()) {
       return true;
   }
 
   return false;
 }
 
-bool TransportSecurityState::CheckPublicKeyPins(const std::string& host,
-                                                bool sni_enabled,
-                                                const HashValueVector& hashes,
-                                                std::string* failure_log) {
+bool TransportSecurityState::CheckPublicKeyPins(
+    const std::string& host,
+    bool sni_available,
+    bool is_issued_by_known_root,
+    const HashValueVector& public_key_hashes,
+    std::string* pinning_failure_log) {
+  // Perform pin validation if, and only if, all these conditions obtain:
+  //
+  // * the server's certificate chain chains up to a known root (i.e. not a
+  //   user-installed trust anchor); and
+  // * the build is recent (very old builds should fail open so that users
+  //   have some chance to recover).
+  //
+  if (!is_issued_by_known_root ||
+      !TransportSecurityState::IsBuildTimely() ||

[wtc, 2014/08/07 22:51:44]

Nit: omit "TransportSecurityState::"

[Ryan Hamilton, 2014/08/07 23:19:04]

Done.

+      !HasPublicKeyPins(host, sni_available)) {
+    return true;
+  }
+
+  bool pins_are_valid = CheckPublicKeyPinsImpl(host,
+                                               sni_available,
+                                               public_key_hashes,
+                                               pinning_failure_log);
+  if (!pins_are_valid) {
+    LOG(ERROR) << *pinning_failure_log;
+    ReportUMAOnPinFailure(host);
+  }
+
+  UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", pins_are_valid);
+  return pins_are_valid;
+}
+
+bool TransportSecurityState::CheckPublicKeyPinsImpl(

[Ryan Sleevi, 2014/08/07 22:19:07]

So, I know you did this for the diff, but move this function in the .cc to match
the ordering in the .h before committing.

[Ryan Hamilton, 2014/08/07 22:49:39]

Will do. I'll leave it here until I get an LGTM so other reviewers do not have
to read the diffs, but I'll move before landing.

+    const std::string& host,
+    bool sni_enabled,
+    const HashValueVector& hashes,
+    std::string* failure_log) {
   DomainState dynamic_state;
   if (GetDynamicDomainState(host, &dynamic_state))
     return dynamic_state.CheckPublicKeyPins(hashes, failure_log);
 
   DomainState static_state;
-  if (GetStaticDomainState(host, sni_enabled, &static_state) &&
-      static_state.CheckPublicKeyPins(hashes, failure_log)) {
-      return true;
-  }
+  if (GetStaticDomainState(host, sni_enabled, &static_state))
+    return static_state.CheckPublicKeyPins(hashes, failure_log);
 
+  // HasPublicKeyPins should have returned true in order for this method
+  // to have been called, so if we fall through to here, it's an error.
   return false;
 }
 
 bool TransportSecurityState::HasPublicKeyPins(const std::string& host,
                                               bool sni_enabled) {
   DomainState dynamic_state;
   if (GetDynamicDomainState(host, &dynamic_state))
     return dynamic_state.HasPublicKeyPins();
 
   DomainState static_state;
@@ skipping 579 matching lines @@
   if (sni_enabled) {
     entry = GetHSTSPreload(canonicalized_host, kPreloadedSNISTS,
                            kNumPreloadedSNISTS);
     if (entry && entry->pins.required_hashes == kGoogleAcceptableCerts)
       return true;
   }
 
   return false;
 }
 
-// static
-void TransportSecurityState::ReportUMAOnPinFailure(const std::string& host) {
+void TransportSecurityState::ReportUMAOnPinFailure(
+    const std::string& host)  const{
   std::string canonicalized_host = CanonicalizeHost(host);
 
   const struct HSTSPreload* entry =
       GetHSTSPreload(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS);
 
   if (!entry) {
     entry = GetHSTSPreload(canonicalized_host, kPreloadedSNISTS,
                            kNumPreloadedSNISTS);
   }
 
   if (!entry) {
     // We don't care to report pin failures for dynamic pins.
     return;
   }
 
   DCHECK(entry);
   DCHECK(entry->pins.required_hashes);
   DCHECK(entry->second_level_domain_name != DOMAIN_NOT_PINNED);
 
   UMA_HISTOGRAM_ENUMERATION("Net.PublicKeyPinFailureDomain",
                             entry->second_level_domain_name, DOMAIN_NUM_EVENTS);
 }
 
-// static
-bool TransportSecurityState::IsBuildTimely() {
+bool TransportSecurityState::IsBuildTimely() const {
   const base::Time build_time = base::GetBuildTime();
   // We consider built-in information to be timely for 10 weeks.
   return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
 }
 
 bool TransportSecurityState::GetStaticDomainState(const std::string& host,
                                                   bool sni_enabled,
                                                   DomainState* out) const {
   DCHECK(CalledOnValidThread());
 
+  if (!enable_static_pinning_)
+    return false;
+
   const std::string canonicalized_host = CanonicalizeHost(host);
 
   out->sts.upgrade_mode = DomainState::MODE_FORCE_HTTPS;
   out->sts.include_subdomains = false;
   out->pkp.include_subdomains = false;
 
   const bool is_build_timely = IsBuildTimely();
 
   for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
     std::string host_sub_chunk(&canonicalized_host[i],
@@ skipping 120 matching lines @@
   return pkp.spki_hashes.size() > 0 || pkp.bad_spki_hashes.size() > 0;
 }
 
 TransportSecurityState::DomainState::PKPState::PKPState() {
 }
 
 TransportSecurityState::DomainState::PKPState::~PKPState() {
 }
 
 }  // namespace