Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(402)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/base/transport_security_state.h

Issue 10836150: Revert 150375 - Implement SHA-256 fingerprint support (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Created 8 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « net/base/ssl_info.cc ('k') | net/base/transport_security_state.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #ifndef NET_BASE_TRANSPORT_SECURITY_STATE_H_ 5 #ifndef NET_BASE_TRANSPORT_SECURITY_STATE_H_
6 #define NET_BASE_TRANSPORT_SECURITY_STATE_H_ 6 #define NET_BASE_TRANSPORT_SECURITY_STATE_H_
7 7
8 #include <map> 8 #include <map>
9 #include <string> 9 #include <string>
10 #include <utility> 10 #include <utility>
(...skipping 73 matching lines...) Expand 10 before | Expand all | Expand 10 after
84 // any one of which is sufficient to validate the certificate chain in 84 // any one of which is sufficient to validate the certificate chain in
85 // question. The public keys could be of a root CA, intermediate CA, or 85 // question. The public keys could be of a root CA, intermediate CA, or
86 // leaf certificate, depending on the security vs. disaster recovery 86 // leaf certificate, depending on the security vs. disaster recovery
87 // tradeoff selected. (Pinning only to leaf certifiates increases 87 // tradeoff selected. (Pinning only to leaf certifiates increases
88 // security because you no longer trust any CAs, but it hampers disaster 88 // security because you no longer trust any CAs, but it hampers disaster
89 // recovery because you can't just get a new certificate signed by the 89 // recovery because you can't just get a new certificate signed by the
90 // CA.) 90 // CA.)
91 // 91 //
92 // |bad_static_spki_hashes| contains public keys that we don't want to 92 // |bad_static_spki_hashes| contains public keys that we don't want to
93 // trust. 93 // trust.
94 bool IsChainOfPublicKeysPermitted( 94 bool IsChainOfPublicKeysPermitted(const FingerprintVector& hashes) const;
95 const std::vector<HashValueVector>& hashes) const;
96 95
97 // Returns true if any of the HashValueVectors |static_spki_hashes|, 96 // Returns true if any of the FingerprintVectors |static_spki_hashes|,
98 // |bad_static_spki_hashes|, or |dynamic_spki_hashes| contains any 97 // |bad_static_spki_hashes|, or |dynamic_spki_hashes| contains any
99 // items. 98 // items.
100 bool HasPins() const; 99 bool HasPins() const;
101 100
102 // ShouldRedirectHTTPToHTTPS returns true iff, given the |mode| of this 101 // ShouldRedirectHTTPToHTTPS returns true iff, given the |mode| of this
103 // DomainState, HTTP requests should be internally redirected to HTTPS. 102 // DomainState, HTTP requests should be internally redirected to HTTPS.
104 bool ShouldRedirectHTTPToHTTPS() const; 103 bool ShouldRedirectHTTPToHTTPS() const;
105 104
106 bool Equals(const DomainState& other) const; 105 bool Equals(const DomainState& other) const;
107 106
(...skipping 17 matching lines...) Expand all
125 bool include_subdomains; 124 bool include_subdomains;
126 125
127 // Optional; hashes of static pinned SubjectPublicKeyInfos. Unless both 126 // Optional; hashes of static pinned SubjectPublicKeyInfos. Unless both
128 // are empty, at least one of |static_spki_hashes| and 127 // are empty, at least one of |static_spki_hashes| and
129 // |dynamic_spki_hashes| MUST intersect with the set of SPKIs in the TLS 128 // |dynamic_spki_hashes| MUST intersect with the set of SPKIs in the TLS
130 // server's certificate chain. 129 // server's certificate chain.
131 // 130 //
132 // |dynamic_spki_hashes| take precedence over |static_spki_hashes|. 131 // |dynamic_spki_hashes| take precedence over |static_spki_hashes|.
133 // That is, |IsChainOfPublicKeysPermitted| first checks dynamic pins and 132 // That is, |IsChainOfPublicKeysPermitted| first checks dynamic pins and
134 // then checks static pins. 133 // then checks static pins.
135 HashValueVector static_spki_hashes; 134 FingerprintVector static_spki_hashes;
136 135
137 // Optional; hashes of dynamically pinned SubjectPublicKeyInfos. 136 // Optional; hashes of dynamically pinned SubjectPublicKeyInfos.
138 HashValueVector dynamic_spki_hashes; 137 FingerprintVector dynamic_spki_hashes;
139 138
140 // The absolute time (UTC) when the |dynamic_spki_hashes| expire. 139 // The absolute time (UTC) when the |dynamic_spki_hashes| expire.
141 base::Time dynamic_spki_hashes_expiry; 140 base::Time dynamic_spki_hashes_expiry;
142 141
143 // Optional; hashes of static known-bad SubjectPublicKeyInfos which 142 // Optional; hashes of static known-bad SubjectPublicKeyInfos which
144 // MUST NOT intersect with the set of SPKIs in the TLS server's 143 // MUST NOT intersect with the set of SPKIs in the TLS server's
145 // certificate chain. 144 // certificate chain.
146 HashValueVector bad_static_spki_hashes; 145 FingerprintVector bad_static_spki_hashes;
147 146
148 // The following members are not valid when stored in |enabled_hosts_|: 147 // The following members are not valid when stored in |enabled_hosts_|:
149 148
150 // The domain which matched during a search for this DomainState entry. 149 // The domain which matched during a search for this DomainState entry.
151 // Updated by |GetDomainState| and |GetStaticDomainState|. 150 // Updated by |GetDomainState| and |GetStaticDomainState|.
152 std::string domain; 151 std::string domain;
153 }; 152 };
154 153
155 class Iterator { 154 class Iterator {
156 public: 155 public:
(...skipping 92 matching lines...) Expand 10 before | Expand all | Expand 10 after
249 // SNI-using hosts as well as the rest of the pins. 248 // SNI-using hosts as well as the rest of the pins.
250 // 249 //
251 // If |host| matches both an exact entry and is a subdomain of another 250 // If |host| matches both an exact entry and is a subdomain of another
252 // entry, the exact match determines the return value. 251 // entry, the exact match determines the return value.
253 static bool IsGooglePinnedProperty(const std::string& host, 252 static bool IsGooglePinnedProperty(const std::string& host,
254 bool sni_enabled); 253 bool sni_enabled);
255 254
256 // Decodes a pin string |value| (e.g. "sha1/hvfkN/qlp/zhXR3cuerq6jd2Z7g="). 255 // Decodes a pin string |value| (e.g. "sha1/hvfkN/qlp/zhXR3cuerq6jd2Z7g=").
257 // If parsing succeeded, updates |*out| and returns true; otherwise returns 256 // If parsing succeeded, updates |*out| and returns true; otherwise returns
258 // false without updating |*out|. 257 // false without updating |*out|.
259 static bool ParsePin(const std::string& value, HashValue* out); 258 static bool ParsePin(const std::string& value, Fingerprint* out);
260 259
261 // The maximum number of seconds for which we'll cache an HSTS request. 260 // The maximum number of seconds for which we'll cache an HSTS request.
262 static const long int kMaxHSTSAgeSecs; 261 static const long int kMaxHSTSAgeSecs;
263 262
264 // Converts |hostname| from dotted form ("www.google.com") to the form 263 // Converts |hostname| from dotted form ("www.google.com") to the form
265 // used in DNS: "\x03www\x06google\x03com", lowercases that, and returns 264 // used in DNS: "\x03www\x06google\x03com", lowercases that, and returns
266 // the result. 265 // the result.
267 static std::string CanonicalizeHost(const std::string& hostname); 266 static std::string CanonicalizeHost(const std::string& hostname);
268 267
269 // Send an UMA report on pin validation failure, if the host is in a 268 // Send an UMA report on pin validation failure, if the host is in a
(...skipping 19 matching lines...) Expand all
289 std::map<std::string, DomainState> forced_hosts_; 288 std::map<std::string, DomainState> forced_hosts_;
290 289
291 Delegate* delegate_; 290 Delegate* delegate_;
292 291
293 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); 292 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState);
294 }; 293 };
295 294
296 } // namespace net 295 } // namespace net
297 296
298 #endif // NET_BASE_TRANSPORT_SECURITY_STATE_H_ 297 #endif // NET_BASE_TRANSPORT_SECURITY_STATE_H_
OLDNEW
« no previous file with comments | « net/base/ssl_info.cc ('k') | net/base/transport_security_state.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698