net/http/transport_security_persister.cc - Issue 992733002: Remove //net (except for Android test stuff) and sdch

Side by Side Diff: net/http/transport_security_persister.cc

Issue 992733002: Remove //net (except for Android test stuff) and sdch (Closed) Base URL: git@github.com:domokit/mojo.git@master

Patch Set: Created 5 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
	(Empty)
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.

4

5 #include "net/http/transport_security_persister.h"

6

7 #include "base/base64.h"

8 #include "base/bind.h"

9 #include "base/files/file_path.h"

10 #include "base/files/file_util.h"

11 #include "base/json/json_reader.h"

12 #include "base/json/json_writer.h"

13 #include "base/message_loop/message_loop.h"

14 #include "base/message_loop/message_loop_proxy.h"

15 #include "base/sequenced_task_runner.h"

16 #include "base/task_runner_util.h"

17 #include "base/values.h"

18 #include "crypto/sha2.h"

19 #include "net/cert/x509_certificate.h"

20 #include "net/http/transport_security_state.h"

21

22 using net::HashValue;

23 using net::HashValueTag;

24 using net::HashValueVector;

25 using net::TransportSecurityState;

26

27 namespace {

28

29 base::ListValue* SPKIHashesToListValue(const HashValueVector& hashes) {

30 base::ListValue* pins = new base::ListValue;

31 for (size_t i = 0; i != hashes.size(); i++)

32 pins->Append(new base::StringValue(hashes[i].ToString()));

33 return pins;

34 }

35

36 void SPKIHashesFromListValue(const base::ListValue& pins,

37 HashValueVector* hashes) {

38 size_t num_pins = pins.GetSize();

39 for (size_t i = 0; i < num_pins; ++i) {

40 std::string type_and_base64;

41 HashValue fingerprint;

42 if (pins.GetString(i, &type_and_base64) &&

43 fingerprint.FromString(type_and_base64)) {

44 hashes->push_back(fingerprint);

45 }

46 }

47 }

48

49 // This function converts the binary hashes to a base64 string which we can

50 // include in a JSON file.

51 std::string HashedDomainToExternalString(const std::string& hashed) {

52 std::string out;

53 base::Base64Encode(hashed, &out);

54 return out;

55 }

56

57 // This inverts \|HashedDomainToExternalString\|, above. It turns an external

58 // string (from a JSON file) into an internal (binary) string.

59 std::string ExternalStringToHashedDomain(const std::string& external) {

60 std::string out;

61 if (!base::Base64Decode(external, &out) \|\|

62 out.size() != crypto::kSHA256Length) {

63 return std::string();

64 }

65

66 return out;

67 }

68

69 const char kIncludeSubdomains[] = "include_subdomains";

70 const char kStsIncludeSubdomains[] = "sts_include_subdomains";

71 const char kPkpIncludeSubdomains[] = "pkp_include_subdomains";

72 const char kMode[] = "mode";

73 const char kExpiry[] = "expiry";

74 const char kDynamicSPKIHashesExpiry[] = "dynamic_spki_hashes_expiry";

75 const char kDynamicSPKIHashes[] = "dynamic_spki_hashes";

76 const char kForceHTTPS[] = "force-https";

77 const char kStrict[] = "strict";

78 const char kDefault[] = "default";

79 const char kPinningOnly[] = "pinning-only";

80 const char kCreated[] = "created";

81 const char kStsObserved[] = "sts_observed";

82 const char kPkpObserved[] = "pkp_observed";

83

84 std::string LoadState(const base::FilePath& path) {

85 std::string result;

86 if (!base::ReadFileToString(path, &result)) {

87 return "";

88 }

89 return result;

90 }

91

92 } // namespace

93

94

95 namespace net {

96

97 TransportSecurityPersister::TransportSecurityPersister(

98 TransportSecurityState* state,

99 const base::FilePath& profile_path,

100 const scoped_refptr<base::SequencedTaskRunner>& background_runner,

101 bool readonly)

102 : transport_security_state_(state),

103 writer_(profile_path.AppendASCII("TransportSecurity"), background_runner),

104 foreground_runner_(base::MessageLoop::current()->message_loop_proxy()),

105 background_runner_(background_runner),

106 readonly_(readonly),

107 weak_ptr_factory_(this) {

108 transport_security_state_->SetDelegate(this);

109

110 base::PostTaskAndReplyWithResult(

111 background_runner_.get(),

112 FROM_HERE,

113 base::Bind(&::LoadState, writer_.path()),

114 base::Bind(&TransportSecurityPersister::CompleteLoad,

115 weak_ptr_factory_.GetWeakPtr()));

116 }

117

118 TransportSecurityPersister::~TransportSecurityPersister() {

119 DCHECK(foreground_runner_->RunsTasksOnCurrentThread());

120

121 if (writer_.HasPendingWrite())

122 writer_.DoScheduledWrite();

123

124 transport_security_state_->SetDelegate(NULL);

125 }

126

127 void TransportSecurityPersister::StateIsDirty(

128 TransportSecurityState* state) {

129 DCHECK(foreground_runner_->RunsTasksOnCurrentThread());

130 DCHECK_EQ(transport_security_state_, state);

131

132 if (!readonly_)

133 writer_.ScheduleWrite(this);

134 }

135

136 bool TransportSecurityPersister::SerializeData(std::string* output) {

137 DCHECK(foreground_runner_->RunsTasksOnCurrentThread());

138

139 base::DictionaryValue toplevel;

140 base::Time now = base::Time::Now();

141 TransportSecurityState::Iterator state(*transport_security_state_);

142 for (; state.HasNext(); state.Advance()) {

143 const std::string& hostname = state.hostname();

144 const TransportSecurityState::DomainState& domain_state =

145 state.domain_state();

146

147 base::DictionaryValue* serialized = new base::DictionaryValue;

148 serialized->SetBoolean(kStsIncludeSubdomains,

149 domain_state.sts.include_subdomains);

150 serialized->SetBoolean(kPkpIncludeSubdomains,

151 domain_state.pkp.include_subdomains);

152 serialized->SetDouble(kStsObserved,

153 domain_state.sts.last_observed.ToDoubleT());

154 serialized->SetDouble(kPkpObserved,

155 domain_state.pkp.last_observed.ToDoubleT());

156 serialized->SetDouble(kExpiry, domain_state.sts.expiry.ToDoubleT());

157 serialized->SetDouble(kDynamicSPKIHashesExpiry,

158 domain_state.pkp.expiry.ToDoubleT());

159

160 switch (domain_state.sts.upgrade_mode) {

161 case TransportSecurityState::DomainState::MODE_FORCE_HTTPS:

162 serialized->SetString(kMode, kForceHTTPS);

163 break;

164 case TransportSecurityState::DomainState::MODE_DEFAULT:

165 serialized->SetString(kMode, kDefault);

166 break;

167 default:

168 NOTREACHED() << "DomainState with unknown mode";

169 delete serialized;

170 continue;

171 }

172

173 if (now < domain_state.pkp.expiry) {

174 serialized->Set(kDynamicSPKIHashes,

175 SPKIHashesToListValue(domain_state.pkp.spki_hashes));

176 }

177

178 toplevel.Set(HashedDomainToExternalString(hostname), serialized);

179 }

180

181 base::JSONWriter::WriteWithOptions(&toplevel,

182 base::JSONWriter::OPTIONS_PRETTY_PRINT,

183 output);

184 return true;

185 }

186

187 bool TransportSecurityPersister::LoadEntries(const std::string& serialized,

188 bool* dirty) {

189 DCHECK(foreground_runner_->RunsTasksOnCurrentThread());

190

191 transport_security_state_->ClearDynamicData();

192 return Deserialize(serialized, dirty, transport_security_state_);

193 }

194

195 // static

196 bool TransportSecurityPersister::Deserialize(const std::string& serialized,

197 bool* dirty,

198 TransportSecurityState* state) {

199 scoped_ptr<base::Value> value(base::JSONReader::Read(serialized));

200 base::DictionaryValue* dict_value = NULL;

201 if (!value.get() \|\| !value->GetAsDictionary(&dict_value))

202 return false;

203

204 const base::Time current_time(base::Time::Now());

205 bool dirtied = false;

206

207 for (base::DictionaryValue::Iterator i(*dict_value);

208 !i.IsAtEnd(); i.Advance()) {

209 const base::DictionaryValue* parsed = NULL;

210 if (!i.value().GetAsDictionary(&parsed)) {

211 LOG(WARNING) << "Could not parse entry " << i.key() << "; skipping entry";

212 continue;

213 }

214

215 TransportSecurityState::DomainState domain_state;

216

217 // kIncludeSubdomains is a legacy synonym for kStsIncludeSubdomains and

218 // kPkpIncludeSubdomains. Parse at least one of these properties,

219 // preferably the new ones.

220 bool include_subdomains = false;

221 bool parsed_include_subdomains = parsed->GetBoolean(kIncludeSubdomains,

222 &include_subdomains);

223 domain_state.sts.include_subdomains = include_subdomains;

224 domain_state.pkp.include_subdomains = include_subdomains;

225 if (parsed->GetBoolean(kStsIncludeSubdomains, &include_subdomains)) {

226 domain_state.sts.include_subdomains = include_subdomains;

227 parsed_include_subdomains = true;

228 }

229 if (parsed->GetBoolean(kPkpIncludeSubdomains, &include_subdomains)) {

230 domain_state.pkp.include_subdomains = include_subdomains;

231 parsed_include_subdomains = true;

232 }

233

234 std::string mode_string;

235 double expiry = 0;

236 if (!parsed_include_subdomains \|\|

237 !parsed->GetString(kMode, &mode_string) \|\|

238 !parsed->GetDouble(kExpiry, &expiry)) {

239 LOG(WARNING) << "Could not parse some elements of entry " << i.key()

240 << "; skipping entry";

241 continue;

242 }

243

244 // Don't fail if this key is not present.

245 double dynamic_spki_hashes_expiry = 0;

246 parsed->GetDouble(kDynamicSPKIHashesExpiry,

247 &dynamic_spki_hashes_expiry);

248

249 const base::ListValue* pins_list = NULL;

250 if (parsed->GetList(kDynamicSPKIHashes, &pins_list)) {

251 SPKIHashesFromListValue(*pins_list, &domain_state.pkp.spki_hashes);

252 }

253

254 if (mode_string == kForceHTTPS \|\| mode_string == kStrict) {

255 domain_state.sts.upgrade_mode =

256 TransportSecurityState::DomainState::MODE_FORCE_HTTPS;

257 } else if (mode_string == kDefault \|\| mode_string == kPinningOnly) {

258 domain_state.sts.upgrade_mode =

259 TransportSecurityState::DomainState::MODE_DEFAULT;

260 } else {

261 LOG(WARNING) << "Unknown TransportSecurityState mode string "

262 << mode_string << " found for entry " << i.key()

263 << "; skipping entry";

264 continue;

265 }

266

267 domain_state.sts.expiry = base::Time::FromDoubleT(expiry);

268 domain_state.pkp.expiry =

269 base::Time::FromDoubleT(dynamic_spki_hashes_expiry);

270

271 double sts_observed;

272 double pkp_observed;

273 if (parsed->GetDouble(kStsObserved, &sts_observed)) {

274 domain_state.sts.last_observed = base::Time::FromDoubleT(sts_observed);

275 } else if (parsed->GetDouble(kCreated, &sts_observed)) {

276 // kCreated is a legacy synonym for both kStsObserved and kPkpObserved.

277 domain_state.sts.last_observed = base::Time::FromDoubleT(sts_observed);

278 } else {

279 // We're migrating an old entry with no observation date. Make sure we

280 // write the new date back in a reasonable time frame.

281 dirtied = true;

282 domain_state.sts.last_observed = base::Time::Now();

283 }

284 if (parsed->GetDouble(kPkpObserved, &pkp_observed)) {

285 domain_state.pkp.last_observed = base::Time::FromDoubleT(pkp_observed);

286 } else if (parsed->GetDouble(kCreated, &pkp_observed)) {

287 domain_state.pkp.last_observed = base::Time::FromDoubleT(pkp_observed);

288 } else {

289 dirtied = true;

290 domain_state.pkp.last_observed = base::Time::Now();

291 }

292

293 if (domain_state.sts.expiry <= current_time &&

294 domain_state.pkp.expiry <= current_time) {

295 // Make sure we dirty the state if we drop an entry.

296 dirtied = true;

297 continue;

298 }

299

300 std::string hashed = ExternalStringToHashedDomain(i.key());

301 if (hashed.empty()) {

302 dirtied = true;

303 continue;

304 }

305

306 state->AddOrUpdateEnabledHosts(hashed, domain_state);

307 }

308

309 *dirty = dirtied;

310 return true;

311 }

312

313 void TransportSecurityPersister::CompleteLoad(const std::string& state) {

314 DCHECK(foreground_runner_->RunsTasksOnCurrentThread());

315

316 if (state.empty())

317 return;

318

319 bool dirty = false;

320 if (!LoadEntries(state, &dirty)) {

321 LOG(ERROR) << "Failed to deserialize state: " << state;

322 return;

323 }

324 if (dirty)

325 StateIsDirty(transport_security_state_);

326 }

327

328 } // namespace net

OLD	NEW

« no previous file with comments | « net/http/transport_security_persister.h ('k') | net/http/transport_security_persister_unittest.cc » ('j') | no next file with comments »