// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_HTTP_HTTP_SECURITY_HEADERS_H_
#define NET_HTTP_HTTP_SECURITY_HEADERS_H_

#include <string>

#include "base/basictypes.h"
// NOTE(review): nothing declared in this header appears to use
// gtest_prod_util.h or values.h; they may be leftovers from an earlier
// revision — confirm before removing.
#include "base/gtest_prod_util.h"
#include "base/time/time.h"
#include "base/values.h"
#include "net/base/hash_value.h"
#include "net/base/net_export.h"

namespace net {

// Upper bound, in seconds, on the max-age a Strict-Transport-Security
// header may establish (one year). Bounding the value keeps a single
// malformed or hostile header from committing a host to HTTPS-only
// behaviour for an unbounded period. NOTE(review): presumably the parser
// clamps larger values to this rather than rejecting the header — confirm
// in the implementation file.
const int64 kMaxHSTSAgeSecs = 86400 * 365;  // 1 year

// Parses |value| as a Strict-Transport-Security header value. If successful,
// returns true and sets |*max_age| and |*include_subdomains|.
// Otherwise returns false and leaves the output parameters unchanged.
//
// value is the right-hand side of:
//
// "Strict-Transport-Security" ":"
//     [ directive ]  *( ";" [ directive ] )
//
// |value| is network-supplied and therefore untrusted. Callers should key
// off the boolean result: on false the outputs are exactly as they were,
// so there is never a partially-applied policy to reason about.
bool NET_EXPORT_PRIVATE ParseHSTSHeader(const std::string& value,
                                        base::TimeDelta* max_age,
                                        bool* include_subdomains);

// Parses |value| as a Public-Key-Pins header value. If successful, returns
// true and populates the |*max_age|, |*include_subdomains|, and |*hashes|
// values. Otherwise returns false and leaves the output parameters
// unchanged.
//
// value is the right-hand side of:
//
// "Public-Key-Pins" ":"
//     "max-age" "=" delta-seconds ";"
//     "pin-" algo "=" base64 [ ";" ... ]
//     [ ";" "includeSubdomains" ]
//
// For this function to return true, the key hashes specified by the HPKP
// header must pass two additional checks. There MUST be at least one key
// hash which matches the SSL certificate chain of the current site (as
// specified by the |chain_hashes| parameter). In addition, there MUST be at
// least one key hash which does NOT match the site's SSL certificate chain
// (this is the "backup pin").
//
// The first check rejects a pin set that does not cover the chain the site
// actually presented (such a policy would deny the site to returning
// clients immediately). The second preserves a recovery path: if the
// pinned key is lost or compromised, the backup pin keeps the site
// reachable without waiting for the pin to expire.
//
// |chain_hashes| is the set of SPKI hashes for the certificate chain of the
// current connection; it is compared against the hashes parsed from |value|.
bool NET_EXPORT_PRIVATE ParseHPKPHeader(const std::string& value,
                                        const HashValueVector& chain_hashes,
                                        base::TimeDelta* max_age,
                                        bool* include_subdomains,
                                        HashValueVector* hashes);

}  // namespace net

#endif  // NET_HTTP_HTTP_SECURITY_HEADERS_H_