chrome/browser/net/chrome_fraudulent_certificate_reporter.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "chrome/browser/net/chrome_fraudulent_certificate_reporter.h"
   6
   7 #include <set>
   8
   9 #include "base/base64.h"
  10 #include "base/logging.h"
  11 #include "base/stl_util.h"
  12 #include "base/time/time.h"
  13 #include "chrome/browser/net/cert_logger.pb.h"
  14 #include "net/base/load_flags.h"
  15 #include "net/base/upload_bytes_element_reader.h"
  16 #include "net/base/upload_data_stream.h"
  17 #include "net/cert/x509_certificate.h"
  18 #include "net/ssl/ssl_info.h"
  19 #include "net/url_request/url_request_context.h"
  20
  21 namespace chrome_browser_net {
  22
  23 // TODO(palmer): Switch to HTTPS when the error handling delegate is more
  24 // sophisticated. Ultimately we plan to attempt the report on many transports.
  25 static const char kFraudulentCertificateUploadEndpoint[] =
  26     "http://clients3.google.com/log_cert_error";
  27
  28 ChromeFraudulentCertificateReporter::ChromeFraudulentCertificateReporter(
  29     net::URLRequestContext* request_context)
  30     : request_context_(request_context),
  31       upload_url_(kFraudulentCertificateUploadEndpoint) {
  32 }
  33
  34 ChromeFraudulentCertificateReporter::~ChromeFraudulentCertificateReporter() {
  35   STLDeleteElements(&inflight_requests_);
  36 }
  37
  38 static std::string BuildReport(const std::string& hostname,
  39                                const net::SSLInfo& ssl_info) {
  40   CertLoggerRequest request;
  41   base::Time now = base::Time::Now();
  42   request.set_time_usec(now.ToInternalValue());
  43   request.set_hostname(hostname);
  44
  45   std::vector<std::string> pem_encoded_chain;
  46   if (!ssl_info.cert->GetPEMEncodedChain(&pem_encoded_chain)) {
  47     LOG(ERROR) << "Could not get PEM encoded chain.";
  48   }
  49   std::string* cert_chain = request.mutable_cert_chain();
  50   for (size_t i = 0; i < pem_encoded_chain.size(); ++i)
  51     *cert_chain += pem_encoded_chain[i];
  52
  53   std::string out;
  54   request.SerializeToString(&out);
  55   return out;
  56 }
  57
  58 net::URLRequest* ChromeFraudulentCertificateReporter::CreateURLRequest(
  59       net::URLRequestContext* context) {
  60   net::URLRequest* request = context->CreateRequest(upload_url_, this);
  61   request->set_load_flags(net::LOAD_DO_NOT_SEND_COOKIES |
  62                           net::LOAD_DO_NOT_SAVE_COOKIES);
  63   return request;
  64 }
  65
  66 void ChromeFraudulentCertificateReporter::SendReport(
  67     const std::string& hostname,
  68     const net::SSLInfo& ssl_info,
  69     bool sni_available) {
  70   // We do silent/automatic reporting ONLY for Google properties. For other
  71   // domains (when we start supporting that), we will ask for user permission.
  72   if (!net::TransportSecurityState::IsGooglePinnedProperty(hostname,
  73                                                            sni_available)) {
  74     return;
  75   }
  76
  77   std::string report = BuildReport(hostname, ssl_info);
  78
  79   net::URLRequest* url_request = CreateURLRequest(request_context_);
  80   url_request->set_method("POST");
  81
  82   scoped_ptr<net::UploadElementReader> reader(
  83       net::UploadOwnedBytesElementReader::CreateWithString(report));
  84   url_request->set_upload(make_scoped_ptr(
  85       net::UploadDataStream::CreateWithReader(reader.Pass(), 0)));
  86
  87   net::HttpRequestHeaders headers;
  88   headers.SetHeader(net::HttpRequestHeaders::kContentType,
  89                     "x-application/chrome-fraudulent-cert-report");
  90   url_request->SetExtraRequestHeaders(headers);
  91
  92   inflight_requests_.insert(url_request);
  93   url_request->Start();
  94 }
  95
  96 void ChromeFraudulentCertificateReporter::RequestComplete(
  97     net::URLRequest* request) {
  98   std::set<net::URLRequest*>::iterator i = inflight_requests_.find(request);
  99   DCHECK(i != inflight_requests_.end());
 100   delete *i;
 101   inflight_requests_.erase(i);
 102 }
 103
 104 // TODO(palmer): Currently, the upload is fire-and-forget but soon we will
 105 // try to recover by retrying, and trying different endpoints, and
 106 // appealing to the user.
 107 void ChromeFraudulentCertificateReporter::OnResponseStarted(
 108     net::URLRequest* request) {
 109   const net::URLRequestStatus& status(request->status());
 110   if (!status.is_success()) {
 111     LOG(WARNING) << "Certificate upload failed"
 112                  << " status:" << status.status()
 113                  << " error:" << status.error();
 114   } else if (request->GetResponseCode() != 200) {
 115     LOG(WARNING) << "Certificate upload HTTP status: "
 116                  << request->GetResponseCode();
 117   }
 118   RequestComplete(request);
 119 }
 120
 121 void ChromeFraudulentCertificateReporter::OnReadCompleted(
 122     net::URLRequest* request, int bytes_read) {}
 123
 124 }  // namespace chrome_browser_net