Home | History | Annotate | Download | only in net 
      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "chrome/browser/net/chrome_fraudulent_certificate_reporter.h"
      6 
      7 #include <set>
      8 
      9 #include "base/base64.h"
     10 #include "base/logging.h"
     11 #include "base/stl_util.h"
     12 #include "base/time/time.h"
     13 #include "chrome/browser/net/cert_logger.pb.h"
     14 #include "net/base/load_flags.h"
     15 #include "net/base/request_priority.h"
     16 #include "net/base/upload_bytes_element_reader.h"
     17 #include "net/base/upload_data_stream.h"
     18 #include "net/cert/x509_certificate.h"
     19 #include "net/ssl/ssl_info.h"
     20 #include "net/url_request/url_request_context.h"
     21 
     22 namespace chrome_browser_net {
     23 
     24 // TODO(palmer): Switch to HTTPS when the error handling delegate is more
     25 // sophisticated. Ultimately we plan to attempt the report on many transports.
     26 static const char kFraudulentCertificateUploadEndpoint[] =
     27     "http://clients3.google.com/log_cert_error";
     28 
     29 ChromeFraudulentCertificateReporter::ChromeFraudulentCertificateReporter(
     30     net::URLRequestContext* request_context)
     31     : request_context_(request_context),
     32       upload_url_(kFraudulentCertificateUploadEndpoint) {
     33 }
     34 
     35 ChromeFraudulentCertificateReporter::~ChromeFraudulentCertificateReporter() {
     36   STLDeleteElements(&inflight_requests_);
     37 }
     38 
     39 static std::string BuildReport(const std::string& hostname,
     40                                const net::SSLInfo& ssl_info) {
     41   CertLoggerRequest request;
     42   base::Time now = base::Time::Now();
     43   request.set_time_usec(now.ToInternalValue());
     44   request.set_hostname(hostname);
     45 
     46   std::vector<std::string> pem_encoded_chain;
     47   if (!ssl_info.cert->GetPEMEncodedChain(&pem_encoded_chain)) {
     48     LOG(ERROR) << "Could not get PEM encoded chain.";
     49   }
     50   std::string* cert_chain = request.mutable_cert_chain();
     51   for (size_t i = 0; i < pem_encoded_chain.size(); ++i)
     52     *cert_chain += pem_encoded_chain[i];
     53 
     54   request.add_pin(ssl_info.pinning_failure_log);
     55 
     56   std::string out;
     57   request.SerializeToString(&out);
     58   return out;
     59 }
     60 
     61 scoped_ptr<net::URLRequest>
     62 ChromeFraudulentCertificateReporter::CreateURLRequest(
     63     net::URLRequestContext* context) {
     64   scoped_ptr<net::URLRequest> request =
     65       context->CreateRequest(upload_url_, net::DEFAULT_PRIORITY, this, NULL);
     66   request->SetLoadFlags(net::LOAD_DO_NOT_SEND_COOKIES |
     67                         net::LOAD_DO_NOT_SAVE_COOKIES);
     68   return request.Pass();
     69 }
     70 
     71 void ChromeFraudulentCertificateReporter::SendReport(
     72     const std::string& hostname,
     73     const net::SSLInfo& ssl_info,
     74     bool sni_available) {
     75   // We do silent/automatic reporting ONLY for Google properties. For other
     76   // domains (when we start supporting that), we will ask for user permission.
     77   if (!net::TransportSecurityState::IsGooglePinnedProperty(hostname,
     78                                                            sni_available)) {
     79     return;
     80   }
     81 
     82   std::string report = BuildReport(hostname, ssl_info);
     83 
     84   scoped_ptr<net::URLRequest> url_request = CreateURLRequest(request_context_);
     85   url_request->set_method("POST");
     86 
     87   scoped_ptr<net::UploadElementReader> reader(
     88       net::UploadOwnedBytesElementReader::CreateWithString(report));
     89   url_request->set_upload(make_scoped_ptr(
     90       net::UploadDataStream::CreateWithReader(reader.Pass(), 0)));
     91 
     92   net::HttpRequestHeaders headers;
     93   headers.SetHeader(net::HttpRequestHeaders::kContentType,
     94                     "x-application/chrome-fraudulent-cert-report");
     95   url_request->SetExtraRequestHeaders(headers);
     96 
     97   net::URLRequest* raw_url_request = url_request.get();
     98   inflight_requests_.insert(url_request.release());
     99   raw_url_request->Start();
    100 }
    101 
    102 void ChromeFraudulentCertificateReporter::RequestComplete(
    103     net::URLRequest* request) {
    104   std::set<net::URLRequest*>::iterator i = inflight_requests_.find(request);
    105   DCHECK(i != inflight_requests_.end());
    106   scoped_ptr<net::URLRequest> url_request(*i);
    107   inflight_requests_.erase(i);
    108 }
    109 
    110 // TODO(palmer): Currently, the upload is fire-and-forget but soon we will
    111 // try to recover by retrying, and trying different endpoints, and
    112 // appealing to the user.
    113 void ChromeFraudulentCertificateReporter::OnResponseStarted(
    114     net::URLRequest* request) {
    115   const net::URLRequestStatus& status(request->status());
    116   if (!status.is_success()) {
    117     LOG(WARNING) << "Certificate upload failed"
    118                  << " status:" << status.status()
    119                  << " error:" << status.error();
    120   } else if (request->GetResponseCode() != 200) {
    121     LOG(WARNING) << "Certificate upload HTTP status: "
    122                  << request->GetResponseCode();
    123   }
    124   RequestComplete(request);
    125 }
    126 
    127 void ChromeFraudulentCertificateReporter::OnReadCompleted(
    128     net::URLRequest* request, int bytes_read) {}
    129 
    130 }  // namespace chrome_browser_net
    131