1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 // TransportSecurityState maintains an in memory database containing the
6 // list of hosts that currently have transport security enabled. This
7 // singleton object deals with writing that data out to disk as needed and
8 // loading it at startup.
10 // At startup we need to load the transport security state from the
11 // disk. For the moment, we don't want to delay startup for this load, so we
12 // let the TransportSecurityState run for a while without being loaded.
13 // This means that it's possible for pages opened very quickly not to get the
14 // correct transport security information.
16 // To load the state, we schedule a Task on file_task_runner, which
17 // deserializes and configures the TransportSecurityState.
19 // The TransportSecurityState object supports running a callback function
20 // when it changes. This object registers the callback, pointing at itself.
22 // TransportSecurityState calls...
23 // TransportSecurityPersister::StateIsDirty
24 // since the callback isn't allowed to block or reenter, we schedule a Task
25 // on the file task runner after some small amount of time
29 // TransportSecurityPersister::SerializeState
30 // copies the current state of the TransportSecurityState, serializes
31 // and writes to disk.
33 #ifndef NET_HTTP_TRANSPORT_SECURITY_PERSISTER_H_
34 #define NET_HTTP_TRANSPORT_SECURITY_PERSISTER_H_
38 #include "base/files/file_path.h"
39 #include "base/files/important_file_writer.h"
40 #include "base/memory/ref_counted.h"
41 #include "base/memory/weak_ptr.h"
42 #include "net/base/net_export.h"
43 #include "net/http/transport_security_state.h"
46 class SequencedTaskRunner
;
51 // Reads and updates on-disk TransportSecurity state. Clients of this class
52 // should create, destroy, and call into it from one thread.
54 // file_task_runner is the task runner this class should use internally to
55 // perform file IO, and can optionally be associated with a different thread.
56 class NET_EXPORT TransportSecurityPersister
57 : public TransportSecurityState::Delegate
,
58 public base::ImportantFileWriter::DataSerializer
{
60 TransportSecurityPersister(TransportSecurityState
* state
,
61 const base::FilePath
& profile_path
,
62 base::SequencedTaskRunner
* file_task_runner
,
64 virtual ~TransportSecurityPersister();
66 // Called by the TransportSecurityState when it changes its state.
67 virtual void StateIsDirty(TransportSecurityState
*) OVERRIDE
;
69 // ImportantFileWriter::DataSerializer:
71 // Serializes |transport_security_state_| into |*output|. Returns true if
72 // all DomainStates were serialized correctly.
74 // The serialization format is JSON; the JSON represents a dictionary of
75 // host:DomainState pairs (host is a string). The DomainState is
76 // represented as a dictionary containing the following keys and value
77 // types (not all keys will always be present):
79 // "sts_include_subdomains": true|false
80 // "pkp_include_subdomains": true|false
83 // "dynamic_spki_hashes_expiry": double
84 // "mode": "default"|"force-https"
85 // legacy value synonyms "strict" = "force-https"
86 // "pinning-only" = "default"
87 // legacy value "spdy-only" is unused and ignored
88 // "static_spki_hashes": list of strings
89 // legacy key synonym "preloaded_spki_hashes"
90 // "bad_static_spki_hashes": list of strings
91 // legacy key synonym "bad_preloaded_spki_hashes"
92 // "dynamic_spki_hashes": list of strings
94 // The JSON dictionary keys are strings containing
95 // Base64(SHA256(TransportSecurityState::CanonicalizeHost(domain))).
96 // The reason for hashing them is so that the stored state does not
97 // trivially reveal a user's browsing history to an attacker reading the
98 // serialized state on disk.
99 virtual bool SerializeData(std::string
* data
) OVERRIDE
;
101 // Clears any existing non-static entries, and then re-populates
102 // |transport_security_state_|.
104 // Sets |*dirty| to true if the new state differs from the persisted
105 // state; false otherwise.
106 bool LoadEntries(const std::string
& serialized
, bool* dirty
);
109 // Populates |state| from the JSON string |serialized|. Returns true if
110 // all entries were parsed and deserialized correctly.
112 // Sets |*dirty| to true if the new state differs from the persisted
113 // state; false otherwise.
114 static bool Deserialize(const std::string
& serialized
,
116 TransportSecurityState
* state
);
118 void CompleteLoad(const std::string
& state
);
120 TransportSecurityState
* transport_security_state_
;
122 // Helper for safely writing the data.
123 base::ImportantFileWriter writer_
;
125 scoped_refptr
<base::SequencedTaskRunner
> foreground_runner_
;
126 scoped_refptr
<base::SequencedTaskRunner
> background_runner_
;
128 // Whether or not we're in read-only mode.
129 const bool readonly_
;
131 base::WeakPtrFactory
<TransportSecurityPersister
> weak_ptr_factory_
;
133 DISALLOW_COPY_AND_ASSIGN(TransportSecurityPersister
);
138 #endif // NET_HTTP_TRANSPORT_SECURITY_PERSISTER_H_