diff options
author | palmer@chromium.org <palmer@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-08-06 19:04:21 +0000 |
---|---|---|
committer | palmer@chromium.org <palmer@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-08-06 19:04:21 +0000 |
commit | a7c2609a96d01f2d5f9cecd15ddc55869e8c6a75 (patch) | |
tree | 6a2b69b0160fd4c77dbf1a91af54c48c023eb2af /chrome | |
parent | 9939d35f9827ed0929646607cbdb071af627ac38 (diff) | |
download | chromium_src-a7c2609a96d01f2d5f9cecd15ddc55869e8c6a75.zip chromium_src-a7c2609a96d01f2d5f9cecd15ddc55869e8c6a75.tar.gz chromium_src-a7c2609a96d01f2d5f9cecd15ddc55869e8c6a75.tar.bz2 |
Implement SHA-256 fingerprint support.
The HTTP-based Public Key Pinning Internet Draft
(tools.ietf.org/html/draft-ietf-websec-key-pinning) requires this.
Per wtc, give the *Fingeprint* types more meaningful *HashValue* names.
Cleaning up lint along the way.
This CL reverts 149268, which reverted 149261 the previous version of this
CL. It includes a fix to the compile problem that necessitated 149268.
BUG=117914
TEST=net_unittests, unit_tests TransportSecurityPersisterTest
Review URL: https://chromiumcodereview.appspot.com/10836062
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@150124 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome')
3 files changed, 71 insertions, 30 deletions
diff --git a/chrome/browser/net/transport_security_persister.cc b/chrome/browser/net/transport_security_persister.cc index 76bc514..c6a27d2 100644 --- a/chrome/browser/net/transport_security_persister.cc +++ b/chrome/browser/net/transport_security_persister.cc @@ -20,32 +20,46 @@ #include "net/base/x509_certificate.h" using content::BrowserThread; -using net::Fingerprint; -using net::FingerprintVector; +using net::HashValue; +using net::HashValueTag; +using net::HashValueVector; using net::TransportSecurityState; namespace { -ListValue* SPKIHashesToListValue(const FingerprintVector& hashes) { +ListValue* SPKIHashesToListValue(const HashValueVector& hashes) { ListValue* pins = new ListValue; - for (FingerprintVector::const_iterator i = hashes.begin(); + for (HashValueVector::const_iterator i = hashes.begin(); i != hashes.end(); ++i) { - std::string hash_str(reinterpret_cast<const char*>(i->data), - sizeof(i->data)); + std::string label; + switch (i->tag) { + case net::HASH_VALUE_SHA1: + label = "sha1/"; + break; + case net::HASH_VALUE_SHA256: + label = "sha256/"; + break; + default: + LOG(WARNING) << "Skipping invalid fingerprint with unknown type " + << i->tag; + continue; + } + + std::string hash_str(reinterpret_cast<const char*>(i->data()), i->size()); std::string b64; base::Base64Encode(hash_str, &b64); - pins->Append(new StringValue("sha1/" + b64)); + pins->Append(new StringValue(label + b64)); } return pins; } -void SPKIHashesFromListValue(const ListValue& pins, FingerprintVector* hashes) { +void SPKIHashesFromListValue(const ListValue& pins, HashValueVector* hashes) { size_t num_pins = pins.GetSize(); for (size_t i = 0; i < num_pins; ++i) { std::string type_and_base64; - Fingerprint fingerprint; + HashValue fingerprint; if (pins.GetString(i, &type_and_base64) && TransportSecurityState::ParsePin(type_and_base64, &fingerprint)) { hashes->push_back(fingerprint); diff --git a/chrome/browser/net/transport_security_persister_unittest.cc b/chrome/browser/net/transport_security_persister_unittest.cc index 2607a09..fcde3f8 100644 --- a/chrome/browser/net/transport_security_persister_unittest.cc +++ b/chrome/browser/net/transport_security_persister_unittest.cc @@ -6,6 +6,7 @@ #include <map> #include <string> +#include <vector> #include "base/file_path.h" #include "base/file_util.h" @@ -96,10 +97,12 @@ TEST_F(TransportSecurityPersisterTest, SerializeData2) { TEST_F(TransportSecurityPersisterTest, SerializeData3) { // Add an entry. - net::SHA1Fingerprint fp1; - memset(fp1.data, 0, sizeof(fp1.data)); - net::SHA1Fingerprint fp2; - memset(fp2.data, 1, sizeof(fp2.data)); + net::HashValue fp1; + fp1.tag = net::HASH_VALUE_SHA1; + memset(fp1.data(), 0, fp1.size()); + net::HashValue fp2; + fp2.tag = net::HASH_VALUE_SHA1; + memset(fp2.data(), 1, fp2.size()); TransportSecurityState::DomainState example_state; example_state.upgrade_expiry = base::Time::Now() + base::TimeDelta::FromSeconds(1000); @@ -111,8 +114,8 @@ TEST_F(TransportSecurityPersisterTest, SerializeData3) { state_.EnableHost("www.example.com", example_state); // Add another entry. - memset(fp1.data, 2, sizeof(fp1.data)); - memset(fp2.data, 3, sizeof(fp2.data)); + memset(fp1.data(), 2, fp1.size()); + memset(fp2.data(), 3, fp2.size()); example_state.upgrade_expiry = base::Time::Now() + base::TimeDelta::FromSeconds(3000); example_state.upgrade_mode = @@ -181,17 +184,26 @@ TEST_F(TransportSecurityPersisterTest, PublicKeyHashes) { TransportSecurityState::DomainState domain_state; static const char kTestDomain[] = "example.com"; EXPECT_FALSE(state_.GetDomainState(kTestDomain, false, &domain_state)); - net::FingerprintVector hashes; - EXPECT_TRUE(domain_state.IsChainOfPublicKeysPermitted(hashes)); + std::vector<net::HashValueVector> hashes; + for (size_t i = 0; i < net::HASH_VALUE_TAGS_COUNT; ++i) { + net::HashValueVector v; + hashes.push_back(v); + } + EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(hashes)); - net::SHA1Fingerprint hash; - memset(hash.data, '1', sizeof(hash.data)); - domain_state.static_spki_hashes.push_back(hash); + net::HashValue sha1; + sha1.tag = net::HASH_VALUE_SHA1; + memset(sha1.data(), '1', sha1.size()); + domain_state.static_spki_hashes.push_back(sha1); EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(hashes)); - hashes.push_back(hash); + +DLOG(WARNING) << hashes[net::HASH_VALUE_SHA1].size(); + hashes[net::HASH_VALUE_SHA1].push_back(sha1); +DLOG(WARNING) << hashes[net::HASH_VALUE_SHA1].size(); EXPECT_TRUE(domain_state.IsChainOfPublicKeysPermitted(hashes)); - hashes[0].data[0] = '2'; + + hashes[net::HASH_VALUE_SHA1][0].data()[0] = '2'; EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(hashes)); const base::Time current_time(base::Time::Now()); @@ -204,8 +216,9 @@ TEST_F(TransportSecurityPersisterTest, PublicKeyHashes) { EXPECT_TRUE(persister_->LoadEntries(ser, &dirty)); EXPECT_TRUE(state_.GetDomainState(kTestDomain, false, &domain_state)); EXPECT_EQ(1u, domain_state.static_spki_hashes.size()); - EXPECT_EQ(0, memcmp(domain_state.static_spki_hashes[0].data, hash.data, - sizeof(hash.data))); + EXPECT_EQ(sha1.tag, domain_state.static_spki_hashes[0].tag); + EXPECT_EQ(0, memcmp(domain_state.static_spki_hashes[0].data(), sha1.data(), + sha1.size())); } TEST_F(TransportSecurityPersisterTest, ForcePreloads) { diff --git a/chrome/browser/ui/webui/net_internals/net_internals_ui.cc b/chrome/browser/ui/webui/net_internals/net_internals_ui.cc index 397d9e9..a413e5f 100644 --- a/chrome/browser/ui/webui/net_internals/net_internals_ui.cc +++ b/chrome/browser/ui/webui/net_internals/net_internals_ui.cc @@ -1084,18 +1084,32 @@ void NetInternalsMessageHandler::IOThreadImpl::OnStartConnectionTests( connection_tester_->RunAllTests(url); } -void SPKIHashesToString(const net::FingerprintVector& hashes, +void SPKIHashesToString(const net::HashValueVector& hashes, std::string* string) { - for (net::FingerprintVector::const_iterator + for (net::HashValueVector::const_iterator i = hashes.begin(); i != hashes.end(); ++i) { - base::StringPiece hash_str(reinterpret_cast<const char*>(i->data), - arraysize(i->data)); + std::string label; + switch (i->tag) { + case net::HASH_VALUE_SHA1: + label = "sha1/"; + break; + case net::HASH_VALUE_SHA256: + label = "sha256/"; + break; + default: + NOTREACHED(); + LOG(WARNING) << "Invalid fingerprint of unknown type " << i->tag; + label = "unknown/"; + } + + base::StringPiece hash_str(reinterpret_cast<const char*>(i->data()), + i->size()); std::string encoded; base::Base64Encode(hash_str, &encoded); if (i != hashes.begin()) *string += ","; - *string += "sha1/" + encoded; + *string += label + encoded; } } @@ -1171,7 +1185,7 @@ void NetInternalsMessageHandler::IOThreadImpl::OnHSTSAdd( i = type_and_b64s.begin(); i != type_and_b64s.end(); ++i) { std::string type_and_b64; RemoveChars(*i, " \t\r\n", &type_and_b64); - net::SHA1Fingerprint hash; + net::HashValue hash; if (!net::TransportSecurityState::ParsePin(type_and_b64, &hash)) continue; |