Pass SSLInfo in ResourceResponseInfo instead of assorted fields

Bug: 721408
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo
Change-Id: I037a0c3e5f91b284700cddfd5c5253f01aa7fde2
Reviewed-on: https://chromium-review.googlesource.com/978623Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Commit-Queue: Andrey Kosyakov <caseq@chromium.org>
Cr-Commit-Position: refs/heads/master@{#546134}

content/browser/devtools/protocol/network_handler.cc

@@ -1045,20 +1045,14 @@ Response NetworkHandler::SetBypassServiceWorker(bool bypass) {
 namespace {
 
 std::unique_ptr<protocol::Network::SecurityDetails> BuildSecurityDetails(
-    const network::ResourceResponseInfo& info) {
-  if (info.certificate.empty())
-    return nullptr;
-  scoped_refptr<net::X509Certificate> cert(
-      net::X509Certificate::CreateFromBytes(info.certificate[0].data(),
-                                            info.certificate[0].size()));
-  if (!cert)
+    const net::SSLInfo& ssl_info) {
+  if (!ssl_info.cert)
     return nullptr;
-
   std::unique_ptr<
       protocol::Array<protocol::Network::SignedCertificateTimestamp>>
       signed_certificate_timestamp_list =
           protocol::Array<Network::SignedCertificateTimestamp>::create();
-  for (auto const& sct : info.signed_certificate_timestamps) {
+  for (auto const& sct : ssl_info.signed_certificate_timestamps) {
     std::unique_ptr<protocol::Network::SignedCertificateTimestamp>
         signed_certificate_timestamp =
             Network::SignedCertificateTimestamp::Create()
@@ -1082,7 +1076,7 @@ std::unique_ptr<protocol::Network::SecurityDetails> BuildSecurityDetails(
   }
   std::vector<std::string> san_dns;
   std::vector<std::string> san_ip;
-  cert->GetSubjectAltName(&san_dns, &san_ip);
+  ssl_info.cert->GetSubjectAltName(&san_dns, &san_ip);
   std::unique_ptr<Array<String>> san_list = Array<String>::create();
   for (const std::string& san : san_dns)
     san_list->addItem(san);
@@ -1093,7 +1087,7 @@ std::unique_ptr<protocol::Network::SecurityDetails> BuildSecurityDetails(
   }
 
   int ssl_version =
-      net::SSLConnectionStatusToVersion(info.ssl_connection_status);
+      net::SSLConnectionStatusToVersion(ssl_info.connection_status);
   const char* protocol;
   net::SSLVersionToString(&protocol, ssl_version);
 
@@ -1103,7 +1097,7 @@ std::unique_ptr<protocol::Network::SecurityDetails> BuildSecurityDetails(
   bool is_aead;
   bool is_tls13;
   uint16_t cipher_suite =
-      net::SSLConnectionStatusToCipherSuite(info.ssl_connection_status);
+      net::SSLConnectionStatusToCipherSuite(ssl_info.connection_status);
   net::SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead,
                                &is_tls13, cipher_suite);
   if (key_exchange == nullptr) {
@@ -1116,25 +1110,24 @@ std::unique_ptr<protocol::Network::SecurityDetails> BuildSecurityDetails(
           .SetProtocol(protocol)
           .SetKeyExchange(key_exchange)
           .SetCipher(cipher)
-          .SetSubjectName(cert->subject().common_name)
+          .SetSubjectName(ssl_info.cert->subject().common_name)
           .SetSanList(std::move(san_list))
-          .SetIssuer(cert->issuer().common_name)
-          .SetValidFrom(cert->valid_start().ToDoubleT())
-          .SetValidTo(cert->valid_expiry().ToDoubleT())
+          .SetIssuer(ssl_info.cert->issuer().common_name)
+          .SetValidFrom(ssl_info.cert->valid_start().ToDoubleT())
+          .SetValidTo(ssl_info.cert->valid_expiry().ToDoubleT())
           .SetCertificateId(0)  // Keep this in protocol for compatability.
           .SetSignedCertificateTimestampList(
               std::move(signed_certificate_timestamp_list))
           .Build();
 
-  if (info.ssl_key_exchange_group != 0) {
+  if (ssl_info.key_exchange_group != 0) {
     const char* key_exchange_group =
-        SSL_get_curve_name(info.ssl_key_exchange_group);
+        SSL_get_curve_name(ssl_info.key_exchange_group);
     if (key_exchange_group)
       security_details->SetKeyExchangeGroup(key_exchange_group);
   }
   if (mac)
     security_details->SetMac(mac);
-
   return security_details;
 }
 
@@ -1199,7 +1192,8 @@ std::unique_ptr<Network::Response> BuildResponse(
   response->SetProtocol(GetProtocol(url, info));
   response->SetRemoteIPAddress(info.socket_address.HostForURL());
   response->SetRemotePort(info.socket_address.port());
-  response->SetSecurityDetails(BuildSecurityDetails(info));
+  if (info.ssl_info.has_value())
+    response->SetSecurityDetails(BuildSecurityDetails(*info.ssl_info));
 
   return response;
 }

content/browser/loader/resource_loader.cc

@@ -35,7 +35,6 @@
 #include "net/base/io_buffer.h"
 #include "net/base/load_flags.h"
 #include "net/cert/symantec_certs.h"
-#include "net/cert/x509_util.h"
 #include "net/http/http_response_headers.h"
 #include "net/nqe/effective_connection_type.h"
 #include "net/nqe/network_quality_estimator.h"
@@ -116,25 +115,9 @@ void PopulateResourceResponse(
         (!net::IsCertStatusError(response->head.cert_status) ||
          net::IsCertStatusMinorError(response->head.cert_status)) &&
         net::IsLegacySymantecCert(request->ssl_info().public_key_hashes);
-    if (info->ShouldReportRawHeaders()) {
-      // Only pass these members when the network panel of the DevTools is open,
-      // i.e. ShouldReportRawHeaders() is set. These data are used to populate
-      // the requests in the security panel too.
-      response->head.ssl_connection_status =
-          request->ssl_info().connection_status;
-      response->head.ssl_key_exchange_group =
-          request->ssl_info().key_exchange_group;
-      response->head.signed_certificate_timestamps =
-          request->ssl_info().signed_certificate_timestamps;
-      response->head.certificate.emplace_back(
-          net::x509_util::CryptoBufferAsStringPiece(
-              request->ssl_info().cert->cert_buffer()));
-      for (const auto& cert :
-           request->ssl_info().cert->intermediate_buffers()) {
-        response->head.certificate.emplace_back(
-            net::x509_util::CryptoBufferAsStringPiece(cert.get()));
-      }
-    }
+
+    if (info->ShouldReportRawHeaders())
+      response->head.ssl_info = request->ssl_info();
   } else {
     // We should not have any SSL state.
     DCHECK(!request->ssl_info().cert_status);

content/renderer/loader/web_url_loader_impl.cc

@@ -47,10 +47,12 @@
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/ct_sct_to_string.h"
 #include "net/cert/x509_certificate.h"
+#include "net/cert/x509_util.h"
 #include "net/http/http_response_headers.h"
 #include "net/http/http_util.h"
 #include "net/ssl/ssl_cipher_suite_names.h"
 #include "net/ssl/ssl_connection_status_flags.h"
+#include "net/ssl/ssl_info.h"
 #include "net/url_request/url_request_data_job.h"
 #include "services/network/loader_util.h"
 #include "services/network/public/cpp/resource_request.h"
@@ -245,6 +247,12 @@ blink::WebURLResponse::SignedCertificateTimestamp NetSCTToBlinkSCT(
           sct_and_status.sct->signature.signature_data.length())));
 }
 
+WebString CryptoBufferAsWebString(const CRYPTO_BUFFER* buffer) {
+  base::StringPiece sp = net::x509_util::CryptoBufferAsStringPiece(buffer);
+  return blink::WebString::FromLatin1(
+      reinterpret_cast<const blink::WebLChar*>(sp.begin()), sp.size());
+}
+
 void SetSecurityStyleAndDetails(const GURL& url,
                                 const network::ResourceResponseInfo& info,
                                 WebURLResponse* response,
@@ -261,13 +269,15 @@ void SetSecurityStyleAndDetails(const GURL& url,
   // The resource loader does not provide a guarantee that requests always have
   // security info (such as a certificate) attached. Use WebSecurityStyleUnknown
   // in this case where there isn't enough information to be useful.
-  if (info.certificate.empty()) {
+  if (!info.ssl_info.has_value()) {
     response->SetSecurityStyle(blink::kWebSecurityStyleUnknown);
     return;
   }
 
+  const net::SSLInfo& ssl_info = *info.ssl_info;
+
   int ssl_version =
-      net::SSLConnectionStatusToVersion(info.ssl_connection_status);
+      net::SSLConnectionStatusToVersion(ssl_info.connection_status);
   const char* protocol;
   net::SSLVersionToString(&protocol, ssl_version);
 
@@ -277,7 +287,7 @@ void SetSecurityStyleAndDetails(const GURL& url,
   bool is_aead;
   bool is_tls13;
   uint16_t cipher_suite =
-      net::SSLConnectionStatusToCipherSuite(info.ssl_connection_status);
+      net::SSLConnectionStatusToCipherSuite(ssl_info.connection_status);
   net::SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead,
                                &is_tls13, cipher_suite);
   if (key_exchange == nullptr) {
@@ -291,9 +301,9 @@ void SetSecurityStyleAndDetails(const GURL& url,
   }
 
   const char* key_exchange_group = "";
-  if (info.ssl_key_exchange_group != 0) {
+  if (ssl_info.key_exchange_group != 0) {
     // Historically the field was named 'curve' rather than 'group'.
-    key_exchange_group = SSL_get_curve_name(info.ssl_key_exchange_group);
+    key_exchange_group = SSL_get_curve_name(ssl_info.key_exchange_group);
     if (!key_exchange_group) {
       NOTREACHED();
       key_exchange_group = "";
@@ -304,15 +314,12 @@ void SetSecurityStyleAndDetails(const GURL& url,
       GetSecurityStyleForResource(url, info.cert_status));
 
   blink::WebURLResponse::SignedCertificateTimestampList sct_list(
-      info.signed_certificate_timestamps.size());
+      ssl_info.signed_certificate_timestamps.size());
 
   for (size_t i = 0; i < sct_list.size(); ++i)
-    sct_list[i] = NetSCTToBlinkSCT(info.signed_certificate_timestamps[i]);
+    sct_list[i] = NetSCTToBlinkSCT(ssl_info.signed_certificate_timestamps[i]);
 
-  scoped_refptr<net::X509Certificate> cert(
-      net::X509Certificate::CreateFromBytes(info.certificate[0].data(),
-                                            info.certificate[0].size()));
-  if (!cert) {
+  if (!ssl_info.cert) {
     NOTREACHED();
     response->SetSecurityStyle(blink::kWebSecurityStyleUnknown);
     return;
@@ -320,7 +327,7 @@ void SetSecurityStyleAndDetails(const GURL& url,
 
   std::vector<std::string> san_dns;
   std::vector<std::string> san_ip;
-  cert->GetSubjectAltName(&san_dns, &san_ip);
+  ssl_info.cert->GetSubjectAltName(&san_dns, &san_ip);
   blink::WebVector<blink::WebString> web_san(san_dns.size() + san_ip.size());
   std::transform(
       san_dns.begin(), san_dns.end(), web_san.begin(),
@@ -332,19 +339,20 @@ void SetSecurityStyleAndDetails(const GURL& url,
                    return blink::WebString::FromLatin1(ip.ToString());
                  });
 
-  blink::WebVector<blink::WebString> web_cert(info.certificate.size());
-  std::transform(
-      info.certificate.begin(), info.certificate.end(), web_cert.begin(),
-      [](const std::string& h) { return blink::WebString::FromLatin1(h); });
+  blink::WebVector<blink::WebString> web_cert;
+  web_cert.reserve(ssl_info.cert->intermediate_buffers().size() + 1);
+  web_cert.emplace_back(CryptoBufferAsWebString(ssl_info.cert->cert_buffer()));
+  for (const auto& cert : ssl_info.cert->intermediate_buffers())
+    web_cert.emplace_back(CryptoBufferAsWebString(cert.get()));
 
   blink::WebURLResponse::WebSecurityDetails webSecurityDetails(
       WebString::FromASCII(protocol), WebString::FromASCII(key_exchange),
       WebString::FromASCII(key_exchange_group), WebString::FromASCII(cipher),
       WebString::FromASCII(mac),
-      WebString::FromUTF8(cert->subject().common_name), web_san,
-      WebString::FromUTF8(cert->issuer().common_name),
-      cert->valid_start().ToDoubleT(), cert->valid_expiry().ToDoubleT(),
-      web_cert, sct_list);
+      WebString::FromUTF8(ssl_info.cert->subject().common_name), web_san,
+      WebString::FromUTF8(ssl_info.cert->issuer().common_name),
+      ssl_info.cert->valid_start().ToDoubleT(),
+      ssl_info.cert->valid_expiry().ToDoubleT(), web_cert, sct_list);
 
   response->SetSecurityDetails(webSecurityDetails);
 }

content/renderer/loader/web_url_loader_impl_unittest.cc

@@ -699,11 +699,14 @@ TEST_F(WebURLLoaderImplTest, ResponseCert) {
   base::StringPiece cert1_der =
       net::x509_util::CryptoBufferAsStringPiece(certs[1]->cert_buffer());
 
-  network::ResourceResponseInfo info;
+  net::SSLInfo ssl_info;
+  ssl_info.cert =
+      net::X509Certificate::CreateFromDERCertChain({cert0_der, cert1_der});
   net::SSLConnectionStatusSetVersion(net::SSL_CONNECTION_VERSION_TLS1_2,
-                                     &info.ssl_connection_status);
-  info.certificate.emplace_back(cert0_der);
-  info.certificate.emplace_back(cert1_der);
+                                     &ssl_info.connection_status);
+
+  network::ResourceResponseInfo info;
+  info.ssl_info = ssl_info;
   blink::WebURLResponse web_url_response;
   WebURLLoaderImpl::PopulateURLResponse(url, info, &web_url_response, true);
 
@@ -735,10 +738,12 @@ TEST_F(WebURLLoaderImplTest, ResponseCertWithNoSANs) {
   base::StringPiece cert0_der =
       net::x509_util::CryptoBufferAsStringPiece(certs[0]->cert_buffer());
 
-  network::ResourceResponseInfo info;
+  net::SSLInfo ssl_info;
   net::SSLConnectionStatusSetVersion(net::SSL_CONNECTION_VERSION_TLS1_2,
-                                     &info.ssl_connection_status);
-  info.certificate.emplace_back(cert0_der);
+                                     &ssl_info.connection_status);
+  ssl_info.cert = certs[0];
+  network::ResourceResponseInfo info;
+  info.ssl_info = ssl_info;
   blink::WebURLResponse web_url_response;
   WebURLLoaderImpl::PopulateURLResponse(url, info, &web_url_response, true);
 

services/network/public/cpp/network_param_ipc_traits.h

@@ -384,11 +384,8 @@ IPC_STRUCT_TRAITS_BEGIN(network::ResourceResponseInfo)
   IPC_STRUCT_TRAITS_MEMBER(did_service_worker_navigation_preload)
   IPC_STRUCT_TRAITS_MEMBER(previews_state)
   IPC_STRUCT_TRAITS_MEMBER(effective_connection_type)
-  IPC_STRUCT_TRAITS_MEMBER(certificate)
   IPC_STRUCT_TRAITS_MEMBER(cert_status)
-  IPC_STRUCT_TRAITS_MEMBER(ssl_connection_status)
-  IPC_STRUCT_TRAITS_MEMBER(ssl_key_exchange_group)
-  IPC_STRUCT_TRAITS_MEMBER(signed_certificate_timestamps)
+  IPC_STRUCT_TRAITS_MEMBER(ssl_info)
   IPC_STRUCT_TRAITS_MEMBER(cors_exposed_header_names)
 IPC_STRUCT_TRAITS_END()
 

services/network/public/cpp/resource_response.cc

@@ -52,12 +52,8 @@ scoped_refptr<ResourceResponse> ResourceResponse::DeepCopy() const {
   new_response->head.cache_storage_cache_name = head.cache_storage_cache_name;
   new_response->head.previews_state = head.previews_state;
   new_response->head.effective_connection_type = head.effective_connection_type;
-  new_response->head.certificate = head.certificate;
   new_response->head.cert_status = head.cert_status;
-  new_response->head.ssl_connection_status = head.ssl_connection_status;
-  new_response->head.ssl_key_exchange_group = head.ssl_key_exchange_group;
-  new_response->head.signed_certificate_timestamps =
-      head.signed_certificate_timestamps;
+  new_response->head.ssl_info = head.ssl_info;
   new_response->head.cors_exposed_header_names = head.cors_exposed_header_names;
   new_response->head.did_service_worker_navigation_preload =
       head.did_service_worker_navigation_preload;

services/network/public/cpp/resource_response_info.cc

@@ -26,8 +26,6 @@ ResourceResponseInfo::ResourceResponseInfo()
       previews_state(0),
       effective_connection_type(net::EFFECTIVE_CONNECTION_TYPE_UNKNOWN),
       cert_status(0),
-      ssl_connection_status(0),
-      ssl_key_exchange_group(0),
       did_service_worker_navigation_preload(false),
       blocked_cross_site_document(false) {}
 

services/network/public/cpp/resource_response_info.h

@@ -155,29 +155,14 @@ struct COMPONENT_EXPORT(NETWORK_CPP_BASE) ResourceResponseInfo {
   // only for responses that correspond to main frame requests.
   net::EffectiveConnectionType effective_connection_type;
 
-  // DER-encoded X509Certificate certificate chain. Only present if the renderer
-  // process set report_raw_headers to true.
-  std::vector<std::string> certificate;
-
   // Bitmask of status info of the SSL certificate. See cert_status_flags.h for
   // values.
   net::CertStatus cert_status;
 
-  // Information about the SSL connection itself. See
-  // ssl_connection_status_flags.h for values. The protocol version,
-  // ciphersuite, and compression in use are encoded within. Only present if
-  // the renderer process set report_raw_headers to true.
-  int ssl_connection_status;
-
-  // The key exchange group used by the SSL connection or zero if unknown or not
-  // applicable. Only present if the renderer process set report_raw_headers to
-  // true.
-  uint16_t ssl_key_exchange_group;
-
-  // List of Signed Certificate Timestamps (SCTs) and their corresponding
-  // validation status. Only present if the renderer process set
-  // report_raw_headers to true.
-  net::SignedCertificateTimestampAndStatusList signed_certificate_timestamps;
+  // Only provided if kURLLoadOptionsSendSSLInfoWithResponse was specified to
+  // the URLLoaderFactory::CreateLoaderAndStart option or
+  // if ResourceRequest::report_raw_headers is set.
+  base::Optional<net::SSLInfo> ssl_info;
 
   // In case this is a CORS response fetched by a ServiceWorker, this is the
   // set of headers that should be exposed.