-rw-r--r-- | chrome/browser/net/cert_logger.proto | 6 | ||||
-rw-r--r-- | chrome/browser/net/chrome_fraudulent_certificate_reporter.cc | 14 | ||||
-rw-r--r-- | net/http/transport_security_state.cc | 5 | ||||
-rw-r--r-- | net/http/transport_security_state.h | 6 |
4 files changed, 31 insertions, 0 deletions
diff --git a/chrome/browser/net/cert_logger.proto b/chrome/browser/net/cert_logger.proto
index e09ed2a..be95005 100644
--- a/chrome/browser/net/cert_logger.proto
+++ b/chrome/browser/net/cert_logger.proto
@@ -32,6 +32,12 @@ message CertLoggerRequest {
   // The time (in usec since the epoch) when the client attempted to access the
   // site generating the pinning error.
   required int64 time_usec = 3;
+  // public_key_hash contains the string forms of the hashes calculated for
+  // the chain. (I.e. "sha1/<base64 data>".)
+  repeated string public_key_hash = 4;
+  // pin contains the string forms of the pins that were matched against for
+  // this host.
+  repeated string pin = 5;
 };
 
 // The response sent back to the user.
diff --git a/chrome/browser/net/chrome_fraudulent_certificate_reporter.cc b/chrome/browser/net/chrome_fraudulent_certificate_reporter.cc
index efea4b5..3b030c4 100644
--- a/chrome/browser/net/chrome_fraudulent_certificate_reporter.cc
+++ b/chrome/browser/net/chrome_fraudulent_certificate_reporter.cc
@@ -51,6 +51,20 @@ static std::string BuildReport(const std::string& hostname,
   for (size_t i = 0; i < pem_encoded_chain.size(); ++i)
     *cert_chain += pem_encoded_chain[i];
 
+  for (net::HashValueVector::const_iterator i =
+           ssl_info.public_key_hashes.begin(); i !=
+           ssl_info.public_key_hashes.end(); ++i) {
+    request.add_public_key_hash(i->ToString());
+  }
+
+  const char* const* google_acceptable_certs =
+      net::TransportSecurityState::GooglePinsForDebugging();
+  for (size_t i = 0; google_acceptable_certs[i]; i++) {
+    net::HashValue hash_value(net::HASH_VALUE_SHA1);
+    memcpy(hash_value.data(), google_acceptable_certs[i], hash_value.size());
+    request.add_pin(hash_value.ToString());
+  }
+
   std::string out;
   request.SerializeToString(&out);
   return out;
diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc
index 6a7a14f..8498d26 100644
--- a/net/http/transport_security_state.cc
+++ b/net/http/transport_security_state.cc
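Review bot: The comment on `pin` says these are the pins "that were matched against for this host", but the producer added in chrome_fraudulent_certificate_reporter.cc in this same commit fills the field from `TransportSecurityState::GooglePinsForDebugging()`, a static accessor that takes no host and returns the whole compiled-in Google pin table. Anyone reading the reports will assume a per-host match set that the client never computes. Suggest rewording to `// pin contains the string forms of the client's compiled-in Google pin table (not filtered by host); used to detect binary alteration.` so the field's meaning matches what is actually sent.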
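Review bot: The `memcpy` into `hash_value` assumes every entry of the array returned by `GooglePinsForDebugging()` holds at least `hash_value.size()` bytes and that every entry is a SHA-1 digest (the type is hard-coded to `net::HASH_VALUE_SHA1`); nothing at this call site checks either, so a table entry of a different digest size would be silently truncated or over-read. A comment naming the contract would help the next reader: `// Each table entry is a raw 20-byte SHA-1 digest (not a C string); HashValue(HASH_VALUE_SHA1).size() is the same length.` The new loop also uses `i++` where the loop directly above it uses `++i`; `++i` keeps the two consistent. The signature and opening of `BuildReport` are outside the hunk.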
@@ -718,6 +718,11 @@ bool TransportSecurityState::IsGooglePinnedProperty(const std::string& host,
 }
 
 // static
+const char* const* TransportSecurityState::GooglePinsForDebugging() {
+  return kGoogleAcceptableCerts;
+}
+
+// static
 void TransportSecurityState::ReportUMAOnPinFailure(const std::string& host) {
   std::string canonicalized_host = CanonicalizeHost(host);
 
diff --git a/net/http/transport_security_state.h b/net/http/transport_security_state.h
index 3511b69..7696cbb 100644
--- a/net/http/transport_security_state.h
+++ b/net/http/transport_security_state.h
@@ -248,6 +248,12 @@ class NET_EXPORT TransportSecurityState
   static bool IsGooglePinnedProperty(const std::string& host,
                                      bool sni_enabled);
 
+  // GooglePinsForDebugging returns an array of SHA-1 pins for Google
+  // properties - each 20 bytes long - with a NULL pointer signalling the end
+  // of the array. This is a temporary debugging measure to check for binary
+  // alteration / corruption.
+  static const char* const* GooglePinsForDebugging();
+
   // The maximum number of seconds for which we'll cache an HSTS request.
   static const long int kMaxHSTSAgeSecs;
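Review bot: The declared element type `const char*` reads as a NUL-terminated string, but the comment says each entry is a raw 20-byte digest; a digest can contain zero bytes and carries no terminator, so the only safe way to consume an entry is a fixed-length copy of 20 bytes, and the comment should say so explicitly: `// Entries are raw bytes, not C strings: read exactly 20 bytes from each; only the array itself is NULL-terminated.` The comment also calls this a temporary debugging measure without any removal marker, so it is likely to outlive the investigation; a `// TODO(<owner>): remove once the binary-corruption debugging is complete.` would keep that visible. The class declaration continues outside the hunk.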