1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chrome/browser/ssl/chrome_ssl_host_state_delegate.h"
9 #include "base/base64.h"
10 #include "base/bind.h"
11 #include "base/command_line.h"
12 #include "base/guid.h"
13 #include "base/logging.h"
14 #include "base/metrics/field_trial.h"
15 #include "base/strings/string_number_conversions.h"
16 #include "base/time/clock.h"
17 #include "base/time/default_clock.h"
18 #include "base/time/time.h"
19 #include "base/values.h"
20 #include "chrome/browser/profiles/profile.h"
21 #include "chrome/common/chrome_switches.h"
22 #include "components/content_settings/core/browser/host_content_settings_map.h"
23 #include "components/content_settings/core/common/content_settings_types.h"
24 #include "components/variations/variations_associated_data.h"
25 #include "net/base/hash_value.h"
26 #include "net/cert/x509_certificate.h"
27 #include "net/http/http_transaction_factory.h"
28 #include "net/url_request/url_request_context.h"
29 #include "net/url_request/url_request_context_getter.h"
34 // Switch value that specifies that certificate decisions should be forgotten at
35 // the end of the current session.
36 const int64 kForgetAtSessionEndSwitchValue = -1;
38 // Experiment information
39 const char kRememberCertificateErrorDecisionsFieldTrialName[] =
40 "RememberCertificateErrorDecisions";
41 const char kRememberCertificateErrorDecisionsFieldTrialDefaultGroup[] =
43 const char kRememberCertificateErrorDecisionsFieldTrialLengthParam[] = "length";
45 // Keys for the per-site error + certificate finger to judgment content
47 const char kSSLCertDecisionCertErrorMapKey[] = "cert_exceptions_map";
48 const char kSSLCertDecisionExpirationTimeKey[] = "decision_expiration_time";
49 const char kSSLCertDecisionVersionKey[] = "version";
50 const char kSSLCertDecisionGUIDKey[] = "guid";
52 const int kDefaultSSLCertDecisionVersion = 1;
54 void CloseIdleConnections(
55 scoped_refptr<net::URLRequestContextGetter> url_request_context_getter) {
56 url_request_context_getter->
57 GetURLRequestContext()->
58 http_transaction_factory()->
60 CloseIdleConnections();
63 // All SSL decisions are per host (and are shared arcoss schemes), so this
64 // canonicalizes all hosts into a secure scheme GURL to use with content
65 // settings. The returned GURL will be the passed in host with an empty path and
66 // https:// as the scheme.
67 GURL GetSecureGURLForHost(const std::string& host) {
68 std::string url = "https://" + host;
72 // This is a helper function that returns the length of time before a
73 // certificate decision expires based on the command line flags. Returns a
74 // non-negative value in seconds or a value of -1 indicating that decisions
75 // should not be remembered after the current session has ended (but should be
76 // remembered indefinitely as long as the session does not end), which is the
77 // "old" style of certificate decision memory. Uses the experimental group
78 // unless overridden by a command line flag.
79 int64 GetExpirationDelta() {
80 // Check command line flags first to give them priority, then check
81 // experimental groups.
82 if (CommandLine::ForCurrentProcess()->HasSwitch(
83 switches::kRememberCertErrorDecisions)) {
84 std::string switch_value =
85 CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
86 switches::kRememberCertErrorDecisions);
87 int64 expiration_delta;
88 if (!base::StringToInt64(base::StringPiece(switch_value),
90 expiration_delta < kForgetAtSessionEndSwitchValue) {
91 LOG(ERROR) << "Failed to parse the certificate error decision "
92 << "memory length: " << switch_value;
93 return kForgetAtSessionEndSwitchValue;
96 return expiration_delta;
99 // If the user is in the field trial, set the expiration to the length
100 // associated with that experimental group. The default group cannot have
101 // parameters associated with it, so it needs to be handled explictly.
102 std::string group_name = base::FieldTrialList::FindFullName(
103 kRememberCertificateErrorDecisionsFieldTrialName);
104 if (!group_name.empty() &&
106 kRememberCertificateErrorDecisionsFieldTrialDefaultGroup) != 0) {
107 int64 field_trial_param_length;
108 std::string param = variations::GetVariationParamValue(
109 kRememberCertificateErrorDecisionsFieldTrialName,
110 kRememberCertificateErrorDecisionsFieldTrialLengthParam);
111 if (!param.empty() && base::StringToInt64(base::StringPiece(param),
112 &field_trial_param_length)) {
113 return field_trial_param_length;
117 return kForgetAtSessionEndSwitchValue;
120 std::string GetKey(const net::X509Certificate& cert, net::CertStatus error) {
121 // Since a security decision will be made based on the fingerprint, Chrome
122 // should use the SHA-256 fingerprint for the certificate.
123 net::SHA256HashValue fingerprint =
124 net::X509Certificate::CalculateChainFingerprint256(
125 cert.os_cert_handle(), cert.GetIntermediateCertificates());
126 std::string base64_fingerprint;
128 base::StringPiece(reinterpret_cast<const char*>(fingerprint.data),
129 sizeof(fingerprint.data)),
130 &base64_fingerprint);
131 return base::UintToString(error) + base64_fingerprint;
136 // This helper function gets the dictionary of certificate fingerprints to
137 // errors of certificates that have been accepted by the user from the content
138 // dictionary that has been passed in. The returned pointer is owned by the the
139 // argument dict that is passed in.
141 // If create_entries is set to |DO_NOT_CREATE_DICTIONARY_ENTRIES|,
142 // GetValidCertDecisionsDict will return NULL if there is anything invalid about
143 // the setting, such as an invalid version or invalid value types (in addition
144 // to there not being any values in the dictionary). If create_entries is set to
145 // |CREATE_DICTIONARY_ENTRIES|, if no dictionary is found or the decisions are
146 // expired, a new dictionary will be created.
147 base::DictionaryValue* ChromeSSLHostStateDelegate::GetValidCertDecisionsDict(
148 base::DictionaryValue* dict,
149 CreateDictionaryEntriesDisposition create_entries,
150 bool* expired_previous_decision) {
151 // This needs to be done first in case the method is short circuited by an
153 *expired_previous_decision = false;
155 // Extract the version of the certificate decision structure from the content
158 bool success = dict->GetInteger(kSSLCertDecisionVersionKey, &version);
160 if (create_entries == DO_NOT_CREATE_DICTIONARY_ENTRIES)
163 dict->SetInteger(kSSLCertDecisionVersionKey,
164 kDefaultSSLCertDecisionVersion);
165 version = kDefaultSSLCertDecisionVersion;
168 // If the version is somehow a newer version than Chrome can handle, there's
169 // really nothing to do other than fail silently and pretend it doesn't exist
170 // (or is malformed).
171 if (version > kDefaultSSLCertDecisionVersion) {
172 LOG(ERROR) << "Failed to parse a certificate error exception that is in a "
173 << "newer version format (" << version << ") than is supported ("
174 << kDefaultSSLCertDecisionVersion << ")";
178 // Extract the certificate decision's expiration time from the content
179 // setting. If there is no expiration time, that means it should never expire
180 // and it should reset only at session restart, so skip all of the expiration
182 bool expired = false;
183 base::Time now = clock_->Now();
184 base::Time decision_expiration;
185 if (dict->HasKey(kSSLCertDecisionExpirationTimeKey)) {
186 std::string decision_expiration_string;
187 int64 decision_expiration_int64;
188 success = dict->GetString(kSSLCertDecisionExpirationTimeKey,
189 &decision_expiration_string);
190 if (!base::StringToInt64(base::StringPiece(decision_expiration_string),
191 &decision_expiration_int64)) {
192 LOG(ERROR) << "Failed to parse a certificate error exception that has a "
193 << "bad value for an expiration time: "
194 << decision_expiration_string;
197 decision_expiration =
198 base::Time::FromInternalValue(decision_expiration_int64);
201 // Check to see if the user's certificate decision has expired.
202 // - Expired and |create_entries| is DO_NOT_CREATE_DICTIONARY_ENTRIES, return
204 // - Expired and |create_entries| is CREATE_DICTIONARY_ENTRIES, update the
206 if (should_remember_ssl_decisions_ !=
207 FORGET_SSL_EXCEPTION_DECISIONS_AT_SESSION_END &&
208 decision_expiration.ToInternalValue() <= now.ToInternalValue()) {
209 *expired_previous_decision = true;
211 if (create_entries == DO_NOT_CREATE_DICTIONARY_ENTRIES)
215 base::Time expiration_time =
216 now + default_ssl_cert_decision_expiration_delta_;
217 // Unfortunately, JSON (and thus content settings) doesn't support int64
218 // values, only doubles. Since this mildly depends on precision, it is
219 // better to store the value as a string.
220 dict->SetString(kSSLCertDecisionExpirationTimeKey,
221 base::Int64ToString(expiration_time.ToInternalValue()));
222 } else if (should_remember_ssl_decisions_ ==
223 FORGET_SSL_EXCEPTION_DECISIONS_AT_SESSION_END) {
224 if (dict->HasKey(kSSLCertDecisionGUIDKey)) {
225 std::string old_expiration_guid;
226 success = dict->GetString(kSSLCertDecisionGUIDKey, &old_expiration_guid);
227 if (old_expiration_guid.compare(current_expiration_guid_) != 0) {
228 *expired_previous_decision = true;
234 dict->SetString(kSSLCertDecisionGUIDKey, current_expiration_guid_);
236 // Extract the map of certificate fingerprints to errors from the setting.
237 base::DictionaryValue* cert_error_dict = NULL; // Will be owned by dict
239 !dict->GetDictionary(kSSLCertDecisionCertErrorMapKey, &cert_error_dict)) {
240 if (create_entries == DO_NOT_CREATE_DICTIONARY_ENTRIES)
243 cert_error_dict = new base::DictionaryValue();
244 // dict takes ownership of cert_error_dict
245 dict->Set(kSSLCertDecisionCertErrorMapKey, cert_error_dict);
248 return cert_error_dict;
251 // If |should_remember_ssl_decisions_| is
252 // FORGET_SSL_EXCEPTION_DECISIONS_AT_SESSION_END, that means that all invalid
253 // certificate proceed decisions should be forgotten when the session ends. To
254 // simulate that, Chrome keeps track of a guid to represent the current browser
255 // session and stores it in decision entries. See the comment for
256 // |current_expiration_guid_| for more information.
257 ChromeSSLHostStateDelegate::ChromeSSLHostStateDelegate(Profile* profile)
258 : clock_(new base::DefaultClock()),
260 current_expiration_guid_(base::GenerateGUID()) {
261 int64 expiration_delta = GetExpirationDelta();
262 if (expiration_delta == kForgetAtSessionEndSwitchValue) {
263 should_remember_ssl_decisions_ =
264 FORGET_SSL_EXCEPTION_DECISIONS_AT_SESSION_END;
265 expiration_delta = 0;
267 should_remember_ssl_decisions_ = REMEMBER_SSL_EXCEPTION_DECISIONS_FOR_DELTA;
269 default_ssl_cert_decision_expiration_delta_ =
270 base::TimeDelta::FromSeconds(expiration_delta);
273 ChromeSSLHostStateDelegate::~ChromeSSLHostStateDelegate() {
276 void ChromeSSLHostStateDelegate::AllowCert(const std::string& host,
277 const net::X509Certificate& cert,
278 net::CertStatus error) {
279 GURL url = GetSecureGURLForHost(host);
280 const ContentSettingsPattern pattern =
281 ContentSettingsPattern::FromURLNoWildcard(url);
282 HostContentSettingsMap* map = profile_->GetHostContentSettingsMap();
283 scoped_ptr<base::Value> value(map->GetWebsiteSetting(
284 url, url, CONTENT_SETTINGS_TYPE_SSL_CERT_DECISIONS, std::string(), NULL));
286 if (!value.get() || !value->IsType(base::Value::TYPE_DICTIONARY))
287 value.reset(new base::DictionaryValue());
289 base::DictionaryValue* dict;
290 bool success = value->GetAsDictionary(&dict);
293 bool expired_previous_decision; // unused value in this function
294 base::DictionaryValue* cert_dict = GetValidCertDecisionsDict(
295 dict, CREATE_DICTIONARY_ENTRIES, &expired_previous_decision);
296 // If a a valid certificate dictionary cannot be extracted from the content
297 // setting, that means it's in an unknown format. Unfortunately, there's
298 // nothing to be done in that case, so a silent fail is the only option.
302 dict->SetIntegerWithoutPathExpansion(kSSLCertDecisionVersionKey,
303 kDefaultSSLCertDecisionVersion);
304 cert_dict->SetIntegerWithoutPathExpansion(GetKey(cert, error), ALLOWED);
306 // The map takes ownership of the value, so it is released in the call to
307 // SetWebsiteSetting.
308 map->SetWebsiteSetting(pattern,
310 CONTENT_SETTINGS_TYPE_SSL_CERT_DECISIONS,
315 void ChromeSSLHostStateDelegate::Clear() {
316 profile_->GetHostContentSettingsMap()->ClearSettingsForOneType(
317 CONTENT_SETTINGS_TYPE_SSL_CERT_DECISIONS);
320 content::SSLHostStateDelegate::CertJudgment
321 ChromeSSLHostStateDelegate::QueryPolicy(const std::string& host,
322 const net::X509Certificate& cert,
323 net::CertStatus error,
324 bool* expired_previous_decision) {
325 HostContentSettingsMap* map = profile_->GetHostContentSettingsMap();
326 GURL url = GetSecureGURLForHost(host);
327 scoped_ptr<base::Value> value(map->GetWebsiteSetting(
328 url, url, CONTENT_SETTINGS_TYPE_SSL_CERT_DECISIONS, std::string(), NULL));
330 // Set a default value in case this method is short circuited and doesn't do a
332 *expired_previous_decision = false;
333 if (!value.get() || !value->IsType(base::Value::TYPE_DICTIONARY))
336 base::DictionaryValue* dict; // Owned by value
338 bool success = value->GetAsDictionary(&dict);
341 base::DictionaryValue* cert_error_dict; // Owned by value
342 cert_error_dict = GetValidCertDecisionsDict(
343 dict, DO_NOT_CREATE_DICTIONARY_ENTRIES, expired_previous_decision);
344 if (!cert_error_dict) {
345 // This revoke is necessary to clear any old expired setting that may be
346 // lingering in the case that an old decision expried.
347 RevokeUserAllowExceptions(host);
351 success = cert_error_dict->GetIntegerWithoutPathExpansion(GetKey(cert, error),
354 // If a policy decision was successfully retrieved and it's a valid value of
355 // ALLOWED, return the valid value. Otherwise, return DENIED.
356 if (success && policy_decision == ALLOWED)
362 void ChromeSSLHostStateDelegate::RevokeUserAllowExceptions(
363 const std::string& host) {
364 GURL url = GetSecureGURLForHost(host);
365 const ContentSettingsPattern pattern =
366 ContentSettingsPattern::FromURLNoWildcard(url);
367 HostContentSettingsMap* map = profile_->GetHostContentSettingsMap();
369 map->SetWebsiteSetting(pattern,
371 CONTENT_SETTINGS_TYPE_SSL_CERT_DECISIONS,
376 // TODO(jww): This will revoke all of the decisions in the browser context.
377 // However, the networking stack actually keeps track of its own list of
378 // exceptions per-HttpNetworkTransaction in the SSLConfig structure (see the
379 // allowed_bad_certs Vector in net/ssl/ssl_config.h). This dual-tracking of
380 // exceptions introduces a problem where the browser context can revoke a
381 // certificate, but if a transaction reuses a cached version of the SSLConfig
382 // (probably from a pooled socket), it may bypass the intestitial layer.
384 // Over time, the cached versions should expire and it should converge on
385 // showing the interstitial. We probably need to introduce into the networking
386 // stack a way revoke SSLConfig's allowed_bad_certs lists per socket.
388 // For now, RevokeUserAllowExceptionsHard is our solution for the rare case
389 // where it is necessary to revoke the preferences immediately. It does so by
390 // flushing idle sockets, thus it is a big hammer and should be wielded with
391 // extreme caution as it can have a big, negative impact on network performance.
392 void ChromeSSLHostStateDelegate::RevokeUserAllowExceptionsHard(
393 const std::string& host) {
394 RevokeUserAllowExceptions(host);
395 scoped_refptr<net::URLRequestContextGetter> getter(
396 profile_->GetRequestContext());
397 getter->GetNetworkTaskRunner()->PostTask(
398 FROM_HERE, base::Bind(&CloseIdleConnections, getter));
401 bool ChromeSSLHostStateDelegate::HasAllowException(
402 const std::string& host) const {
403 GURL url = GetSecureGURLForHost(host);
404 const ContentSettingsPattern pattern =
405 ContentSettingsPattern::FromURLNoWildcard(url);
406 HostContentSettingsMap* map = profile_->GetHostContentSettingsMap();
408 scoped_ptr<base::Value> value(map->GetWebsiteSetting(
409 url, url, CONTENT_SETTINGS_TYPE_SSL_CERT_DECISIONS, std::string(), NULL));
411 if (!value.get() || !value->IsType(base::Value::TYPE_DICTIONARY))
414 base::DictionaryValue* dict; // Owned by value
415 bool success = value->GetAsDictionary(&dict);
418 for (base::DictionaryValue::Iterator it(*dict); !it.IsAtEnd(); it.Advance()) {
419 int policy_decision; // Owned by dict
420 success = it.value().GetAsInteger(&policy_decision);
421 if (success && (static_cast<CertJudgment>(policy_decision) == ALLOWED))
428 void ChromeSSLHostStateDelegate::HostRanInsecureContent(const std::string& host,
430 ran_insecure_content_hosts_.insert(BrokenHostEntry(host, pid));
433 bool ChromeSSLHostStateDelegate::DidHostRunInsecureContent(
434 const std::string& host,
436 return !!ran_insecure_content_hosts_.count(BrokenHostEntry(host, pid));
438 void ChromeSSLHostStateDelegate::SetClock(scoped_ptr<base::Clock> clock) {
439 clock_.reset(clock.release());