OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/browser/net/chrome_fraudulent_certificate_reporter.h" | 5 #include "chrome/browser/net/chrome_fraudulent_certificate_reporter.h" |
6 | 6 |
7 #include <set> | 7 #include <set> |
8 | 8 |
9 #include "base/base64.h" | 9 #include "base/base64.h" |
10 #include "base/logging.h" | 10 #include "base/logging.h" |
11 #include "base/profiler/scoped_tracker.h" | 11 #include "base/profiler/scoped_tracker.h" |
12 #include "base/stl_util.h" | 12 #include "base/stl_util.h" |
13 #include "base/time/time.h" | 13 #include "base/time/time.h" |
14 #include "chrome/browser/net/cert_logger.pb.h" | 14 #include "chrome/browser/net/cert_logger.pb.h" |
15 #include "net/base/elements_upload_data_stream.h" | 15 #include "net/base/elements_upload_data_stream.h" |
16 #include "net/base/load_flags.h" | 16 #include "net/base/load_flags.h" |
17 #include "net/base/request_priority.h" | 17 #include "net/base/request_priority.h" |
18 #include "net/base/upload_bytes_element_reader.h" | 18 #include "net/base/upload_bytes_element_reader.h" |
19 #include "net/cert/x509_certificate.h" | 19 #include "net/cert/x509_certificate.h" |
20 #include "net/ssl/ssl_info.h" | 20 #include "net/ssl/ssl_info.h" |
21 #include "net/url_request/url_request_context.h" | 21 #include "net/url_request/url_request_context.h" |
22 | 22 |
23 namespace chrome_browser_net { | 23 namespace chrome_browser_net { |
24 | 24 |
25 // TODO(palmer): Switch to HTTPS when the error handling delegate is more | 25 // TODO(palmer): Switch to HTTPS when the error handling delegate is more |
26 // sophisticated. Ultimately we plan to attempt the report on many transports. | 26 // sophisticated. Ultimately we plan to attempt the report on many transports. |
27 static const char kFraudulentCertificateUploadEndpoint[] = | 27 static const char kFraudulentCertificateUploadEndpoint[] = |
28 "http://clients3.google.com/log_cert_error"; | 28 "http://clients3.google.com/log_cert_error"; |
29 | 29 |
30 static const char kInvalidCertificateChainUploadEndpoint[] = ""; | |
31 | |
30 ChromeFraudulentCertificateReporter::ChromeFraudulentCertificateReporter( | 32 ChromeFraudulentCertificateReporter::ChromeFraudulentCertificateReporter( |
31 net::URLRequestContext* request_context) | 33 net::URLRequestContext* request_context) |
32 : request_context_(request_context), | 34 : request_context_(request_context), |
33 upload_url_(kFraudulentCertificateUploadEndpoint) { | 35 pinning_violation_upload_url_(kFraudulentCertificateUploadEndpoint), |
36 invalid_chain_upload_url_(kInvalidCertificateChainUploadEndpoint) { | |
34 } | 37 } |
35 | 38 |
36 ChromeFraudulentCertificateReporter::~ChromeFraudulentCertificateReporter() { | 39 ChromeFraudulentCertificateReporter::~ChromeFraudulentCertificateReporter() { |
37 STLDeleteElements(&inflight_requests_); | 40 STLDeleteElements(&inflight_requests_); |
38 } | 41 } |
39 | 42 |
40 static std::string BuildReport(const std::string& hostname, | 43 static std::string BuildReport(const std::string& hostname, |
41 const net::SSLInfo& ssl_info) { | 44 const net::SSLInfo& ssl_info) { |
42 CertLoggerRequest request; | 45 CertLoggerRequest request; |
43 base::Time now = base::Time::Now(); | 46 base::Time now = base::Time::Now(); |
(...skipping 10 matching lines...) Expand all Loading... | |
54 | 57 |
55 request.add_pin(ssl_info.pinning_failure_log); | 58 request.add_pin(ssl_info.pinning_failure_log); |
56 | 59 |
57 std::string out; | 60 std::string out; |
58 request.SerializeToString(&out); | 61 request.SerializeToString(&out); |
59 return out; | 62 return out; |
60 } | 63 } |
61 | 64 |
62 scoped_ptr<net::URLRequest> | 65 scoped_ptr<net::URLRequest> |
63 ChromeFraudulentCertificateReporter::CreateURLRequest( | 66 ChromeFraudulentCertificateReporter::CreateURLRequest( |
64 net::URLRequestContext* context) { | 67 net::URLRequestContext* context, |
68 const GURL& upload_url) { | |
65 scoped_ptr<net::URLRequest> request = | 69 scoped_ptr<net::URLRequest> request = |
66 context->CreateRequest(upload_url_, net::DEFAULT_PRIORITY, this, NULL); | 70 context->CreateRequest(upload_url, net::DEFAULT_PRIORITY, this, NULL); |
67 request->SetLoadFlags(net::LOAD_DO_NOT_SEND_COOKIES | | 71 request->SetLoadFlags(net::LOAD_DO_NOT_SEND_COOKIES | |
68 net::LOAD_DO_NOT_SAVE_COOKIES); | 72 net::LOAD_DO_NOT_SAVE_COOKIES); |
69 return request.Pass(); | 73 return request.Pass(); |
70 } | 74 } |
71 | 75 |
72 void ChromeFraudulentCertificateReporter::SendReport( | 76 void ChromeFraudulentCertificateReporter::SendPinningViolationReport( |
73 const std::string& hostname, | 77 const std::string& hostname, |
74 const net::SSLInfo& ssl_info) { | 78 const net::SSLInfo& ssl_info) { |
75 // We do silent/automatic reporting ONLY for Google properties. For other | 79 // We do silent/automatic reporting ONLY for Google properties. For other |
76 // domains (when we start supporting that), we will ask for user permission. | 80 // domains (when we start supporting that), we will ask for user permission. |
77 if (!net::TransportSecurityState::IsGooglePinnedProperty(hostname)) { | 81 if (!net::TransportSecurityState::IsGooglePinnedProperty(hostname)) { |
78 return; | 82 return; |
79 } | 83 } |
80 | 84 |
81 std::string report = BuildReport(hostname, ssl_info); | 85 std::string report = BuildReport(hostname, ssl_info); |
82 | 86 |
83 scoped_ptr<net::URLRequest> url_request = CreateURLRequest(request_context_); | 87 scoped_ptr<net::URLRequest> url_request = |
88 CreateURLRequest(request_context_, pinning_violation_upload_url_); | |
84 url_request->set_method("POST"); | 89 url_request->set_method("POST"); |
85 | 90 |
86 scoped_ptr<net::UploadElementReader> reader( | 91 scoped_ptr<net::UploadElementReader> reader( |
87 net::UploadOwnedBytesElementReader::CreateWithString(report)); | 92 net::UploadOwnedBytesElementReader::CreateWithString(report)); |
88 url_request->set_upload( | 93 url_request->set_upload( |
89 net::ElementsUploadDataStream::CreateWithReader(reader.Pass(), 0)); | 94 net::ElementsUploadDataStream::CreateWithReader(reader.Pass(), 0)); |
90 | 95 |
91 net::HttpRequestHeaders headers; | 96 net::HttpRequestHeaders headers; |
92 headers.SetHeader(net::HttpRequestHeaders::kContentType, | 97 headers.SetHeader(net::HttpRequestHeaders::kContentType, |
93 "x-application/chrome-fraudulent-cert-report"); | 98 "x-application/chrome-fraudulent-cert-report"); |
94 url_request->SetExtraRequestHeaders(headers); | 99 url_request->SetExtraRequestHeaders(headers); |
95 | 100 |
96 net::URLRequest* raw_url_request = url_request.get(); | 101 net::URLRequest* raw_url_request = url_request.get(); |
97 inflight_requests_.insert(url_request.release()); | 102 inflight_requests_.insert(url_request.release()); |
98 raw_url_request->Start(); | 103 raw_url_request->Start(); |
99 } | 104 } |
100 | 105 |
106 void ChromeFraudulentCertificateReporter::SendInvalidChainReport( | |
107 const std::string& hostname, | |
108 const net::SSLInfo& ssl_info) { | |
felt
2015/02/18 04:16:29
Have you thought about having a single method for
felt
2015/02/18 04:16:29
Should this double check here that the user is opt
estark
2015/02/18 05:22:44
Good idea, I added a TODO. Not immediately sure ho
estark
2015/02/18 05:22:44
Yeah, I did think about that; my reasoning was tha
felt
2015/02/19 00:32:32
Well, you could create an enum so that the param i
felt
2015/02/19 00:32:32
Yes, I think that passing in a Profile to the cons
estark
2015/02/19 02:32:08
Oh I like the enum idea! Did that. Wasn't sure whe
felt
2015/02/20 19:20:34
Might make sense. I can see it go either way. We c
| |
109 // TODO(estark): Temporarily, since there is no upload endpoint, just log | |
110 // the information. | |
111 LOG(ERROR) << "SSL report for " << hostname << ":\n" | |
112 << BuildReport(hostname, ssl_info) << "\n\n"; | |
113 } | |
114 | |
101 void ChromeFraudulentCertificateReporter::RequestComplete( | 115 void ChromeFraudulentCertificateReporter::RequestComplete( |
102 net::URLRequest* request) { | 116 net::URLRequest* request) { |
103 std::set<net::URLRequest*>::iterator i = inflight_requests_.find(request); | 117 std::set<net::URLRequest*>::iterator i = inflight_requests_.find(request); |
104 DCHECK(i != inflight_requests_.end()); | 118 DCHECK(i != inflight_requests_.end()); |
105 scoped_ptr<net::URLRequest> url_request(*i); | 119 scoped_ptr<net::URLRequest> url_request(*i); |
106 inflight_requests_.erase(i); | 120 inflight_requests_.erase(i); |
107 } | 121 } |
108 | 122 |
109 // TODO(palmer): Currently, the upload is fire-and-forget but soon we will | 123 // TODO(palmer): Currently, the upload is fire-and-forget but soon we will |
110 // try to recover by retrying, and trying different endpoints, and | 124 // try to recover by retrying, and trying different endpoints, and |
(...skipping 14 matching lines...) Expand all Loading... | |
125 LOG(WARNING) << "Certificate upload HTTP status: " | 139 LOG(WARNING) << "Certificate upload HTTP status: " |
126 << request->GetResponseCode(); | 140 << request->GetResponseCode(); |
127 } | 141 } |
128 RequestComplete(request); | 142 RequestComplete(request); |
129 } | 143 } |
130 | 144 |
131 void ChromeFraudulentCertificateReporter::OnReadCompleted( | 145 void ChromeFraudulentCertificateReporter::OnReadCompleted( |
132 net::URLRequest* request, int bytes_read) {} | 146 net::URLRequest* request, int bytes_read) {} |
133 | 147 |
134 } // namespace chrome_browser_net | 148 } // namespace chrome_browser_net |
OLD | NEW |