Issue 518: Enabling CRLSets

Revoked certificates don't show certificate error on all platforms. This PR enables CRLSets, a component managed by Google to show certificate errors for domains with revoked certificates. Since, CRLSets is maintained by Google we will be proxying requests for CRLSets through crlsets[n].brave.com, crxdownload.brave.com (resources) and componentupdater.brave.com (component updates) auditors: @bbondy, @bsclifton, @diracdeltas
brave · Feb 9, 2019 · 773fd94 · 773fd94
1 parent d5e0001
commit 773fd94
Show file tree

Hide file tree

Showing 7 changed files with 238 additions and 52 deletions.
diff --git a/browser/net/brave_static_redirect_network_delegate_helper.cc b/browser/net/brave_static_redirect_network_delegate_helper.cc
@@ -1,9 +1,10 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
+// Copyright (c) 2019 The Brave Authors. All rights reserved.
 
 #include "brave/browser/net/brave_static_redirect_network_delegate_helper.h"
 
+#include <memory>
+#include <vector>
+
 #include "brave/common/network_constants.h"
 #include "extensions/common/url_pattern.h"
 
@@ -13,8 +14,16 @@ int OnBeforeURLRequest_StaticRedirectWork(
     const ResponseCallback& next_callback,
     std::shared_ptr<BraveRequestInfo> ctx) {
   GURL::Replacements replacements;
-  static URLPattern geo_pattern(URLPattern::SCHEME_HTTPS, kGeoLocationsPattern);
-  static URLPattern safeBrowsing_pattern(URLPattern::SCHEME_HTTPS, kSafeBrowsingPrefix);
+  static URLPattern geo_pattern(URLPattern::SCHEME_HTTPS,
+    kGeoLocationsPattern);
+  static URLPattern safeBrowsing_pattern(URLPattern::SCHEME_HTTPS,
+    kSafeBrowsingPrefix);
+  static URLPattern crlSet_pattern1(URLPattern::SCHEME_HTTP |
+    URLPattern::SCHEME_HTTPS, kCRLSetPrefix1);
+  static URLPattern crlSet_pattern2(URLPattern::SCHEME_HTTP |
+    URLPattern::SCHEME_HTTPS, kCRLSetPrefix2);
+  static URLPattern crxDownload_pattern(URLPattern::SCHEME_HTTP |
+    URLPattern::SCHEME_HTTPS, kCRXDownloadPrefix);
 
   if (geo_pattern.MatchesURL(ctx->request_url)) {
     ctx->new_url_spec = GURL(GOOGLEAPIS_ENDPOINT GOOGLEAPIS_API_KEY).spec();
@@ -27,44 +36,89 @@ int OnBeforeURLRequest_StaticRedirectWork(
     return net::OK;
   }
 
+  if (crxDownload_pattern.MatchesHost(ctx->request_url)) {
+    replacements.SetSchemeStr("https");
+    replacements.SetHostStr("crxdownload.brave.com");
+    ctx->new_url_spec = ctx->request_url.ReplaceComponents(replacements).spec();
+    return net::OK;
+  }
+
+  if (crlSet_pattern1.MatchesHost(ctx->request_url)) {
+    replacements.SetSchemeStr("https");
+    replacements.SetHostStr("crlsets1.brave.com");
+    ctx->new_url_spec = ctx->request_url.ReplaceComponents(replacements).spec();
+    return net::OK;
+  }
+
+  if (crlSet_pattern2.MatchesHost(ctx->request_url)) {
+    replacements.SetSchemeStr("https");
+    replacements.SetHostStr("crlsets2.brave.com");
+    ctx->new_url_spec = ctx->request_url.ReplaceComponents(replacements).spec();
+    return net::OK;
+  }
+
 #if !defined(NDEBUG)
   GURL gurl = ctx->request_url;
   static std::vector<URLPattern> allowed_patterns({
     // Brave updates
     URLPattern(URLPattern::SCHEME_HTTPS, "https://go-updater.brave.com/*"),
     // Brave promo referrals, production and staging (laptop-updates
     // proxies to promo-services)
-    // TODO: In the future, we may want to specify the value of the
+    // TODO(@emerick): In the future, we may want to specify the value of the
     // BRAVE_REFERRALS_SERVER environment variable rather than
     // hardcoding the server name here
     URLPattern(URLPattern::SCHEME_HTTPS, "https://laptop-updates.brave.com/*"),
-    URLPattern(URLPattern::SCHEME_HTTPS, "https://laptop-updates-staging.herokuapp.com/*"),
+    URLPattern(URLPattern::SCHEME_HTTPS,
+      "https://laptop-updates-staging.herokuapp.com/*"),
     // CRX file download
-    URLPattern(URLPattern::SCHEME_HTTPS, "https://brave-core-ext.s3.brave.com/release/*"),
+    URLPattern(URLPattern::SCHEME_HTTPS,
+      "https://brave-core-ext.s3.brave.com/release/*"),
     // Safe Browsing and other files
     URLPattern(URLPattern::SCHEME_HTTPS, "https://static.brave.com/*"),
-    // We do allow redirects to the Google update server for extensions we don't support
-    URLPattern(URLPattern::SCHEME_HTTPS, "https://update.googleapis.com/service/update2"),
+    // We do allow redirects to the Google update server for extensions we don't
+    // support
+    URLPattern(URLPattern::SCHEME_HTTPS,
+      "https://update.googleapis.com/service/update2"),
 
     // Rewards URLs
-    URLPattern(URLPattern::SCHEME_HTTPS, "https://ledger.mercury.basicattentiontoken.org/*"),
-    URLPattern(URLPattern::SCHEME_HTTPS, "https://balance.mercury.basicattentiontoken.org/*"),
-    URLPattern(URLPattern::SCHEME_HTTPS, "https://publishers.basicattentiontoken.org/*"),
-    URLPattern(URLPattern::SCHEME_HTTPS, "https://publishers-distro.basicattentiontoken.org/*"),
-    URLPattern(URLPattern::SCHEME_HTTPS, "https://ledger-staging.mercury.basicattentiontoken.org/*"),
-    URLPattern(URLPattern::SCHEME_HTTPS, "https://balance-staging.mercury.basicattentiontoken.org/*"),
-    URLPattern(URLPattern::SCHEME_HTTPS, "https://publishers-staging.basicattentiontoken.org/*"),
-    URLPattern(URLPattern::SCHEME_HTTPS, "https://publishers-staging-distro.basicattentiontoken.org/*"),
+    URLPattern(URLPattern::SCHEME_HTTPS,
+      "https://ledger.mercury.basicattentiontoken.org/*"),
+    URLPattern(URLPattern::SCHEME_HTTPS,
+      "https://balance.mercury.basicattentiontoken.org/*"),
+    URLPattern(URLPattern::SCHEME_HTTPS,
+      "https://publishers.basicattentiontoken.org/*"),
+    URLPattern(URLPattern::SCHEME_HTTPS,
+      "https://publishers-distro.basicattentiontoken.org/*"),
+    URLPattern(URLPattern::SCHEME_HTTPS,
+      "https://ledger-staging.mercury.basicattentiontoken.org/*"),
+    URLPattern(URLPattern::SCHEME_HTTPS,
+      "https://balance-staging.mercury.basicattentiontoken.org/*"),
+    URLPattern(URLPattern::SCHEME_HTTPS,
+      "https://publishers-staging.basicattentiontoken.org/*"),
+    URLPattern(URLPattern::SCHEME_HTTPS,
+      "https://publishers-staging-distro.basicattentiontoken.org/*"),
 
     // Safe browsing
-    URLPattern(URLPattern::SCHEME_HTTPS, "https://safebrowsing.brave.com/v4/*"),
-    URLPattern(URLPattern::SCHEME_HTTPS, "https://ssl.gstatic.com/safebrowsing/*"),
+    URLPattern(URLPattern::SCHEME_HTTPS,
+      "https://safebrowsing.brave.com/v4/*"),
+    URLPattern(URLPattern::SCHEME_HTTPS,
+      "https://ssl.gstatic.com/safebrowsing/*"),
+
+    // CRLSets
+    URLPattern(URLPattern::SCHEME_HTTPS, "https://crlsets1.brave.com/*"),
+    URLPattern(URLPattern::SCHEME_HTTPS, "https://crlsets2.brave.com/*"),
 
-    // Will be removed when https://github.com/brave/brave-browser/issues/663 is fixed
+    URLPattern(URLPattern::SCHEME_HTTPS, "https://crxdownload.brave.com/*"),
+
+    // Will be removed when https://github.com/brave/brave-browser/issues/663
+    // is fixed
     URLPattern(URLPattern::SCHEME_HTTPS, "https://www.gstatic.com/*"),
   });
-  // Check to make sure the URL being requested matches at least one of the allowed patterns
-  bool is_url_allowed = std::any_of(allowed_patterns.begin(), allowed_patterns.end(),
+
+  // Check to make sure the URL being requested matches at least one of the
+  // allowed patterns
+  bool is_url_allowed = std::any_of(allowed_patterns.begin(),
+    allowed_patterns.end(),
     [&gurl](URLPattern pattern) {
       if (pattern.MatchesURL(gurl)) {
         return true;
@@ -74,11 +128,13 @@ int OnBeforeURLRequest_StaticRedirectWork(
   if (!is_url_allowed) {
     LOG(ERROR) << "URL not allowed from system network delegate: " << gurl;
   }
-  // TODO: Before we can turn this into DCHECK we have to find a way to allow these, I think they are for Chrome Cast
+  // TODO(@bbondy): Before we can turn this into DCHECK we have to find a way to
+  // allow these, I think they are for Chrome Cast
   // http://192.168.0.13:8008/ssdp/device-desc.xml
-  // http://192.168.0.27:60000/upnp/dev/e16bf493-ed87-5798-ffff-ffffeb4f1c34/desc
-  // And also I don't know where they're from, but there's always 3 requests similar to this:
-  // http://vijscbncpv/
+  // http://192.168.0.27:60000/upnp/dev/e16bf493-ed87-5798-ffff-ffffeb4f1c34
+  // /desc
+  // And also I don't know where they're from, but there's always 3 requests
+  // similar to this: http://vijscbncpv/
 #endif
 
   return net::OK;

diff --git a/browser/net/brave_static_redirect_network_delegate_helper_unittest.cc b/browser/net/brave_static_redirect_network_delegate_helper_unittest.cc
@@ -1,9 +1,9 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
+// Copyright (c) 2019 The Brave Authors. All rights reserved.
 
 #include "brave/browser/net/brave_static_redirect_network_delegate_helper.h"
 
+#include <memory>
+
 #include "brave/browser/net/url_context.h"
 #include "brave/common/network_constants.h"
 #include "chrome/test/base/chrome_render_view_host_test_harness.h"
@@ -13,7 +13,6 @@
 #include "url/gurl.h"
 #include "url/url_constants.h"
 
-
 namespace {
 
 class BraveStaticRedirectNetworkDelegateHelperTest: public testing::Test {
@@ -41,7 +40,8 @@ TEST_F(BraveStaticRedirectNetworkDelegateHelperTest, NoModifyTypicalURL) {
                              TRAFFIC_ANNOTATION_FOR_TESTS);
   std::shared_ptr<brave::BraveRequestInfo>
       before_url_context(new brave::BraveRequestInfo());
-  brave::BraveRequestInfo::FillCTXFromRequest(request.get(), before_url_context);
+  brave::BraveRequestInfo::FillCTXFromRequest(request.get(),
+    before_url_context);
   brave::ResponseCallback callback;
   int ret =
     OnBeforeURLRequest_StaticRedirectWork(callback,
@@ -58,7 +58,8 @@ TEST_F(BraveStaticRedirectNetworkDelegateHelperTest, ModifyGeoURL) {
                              TRAFFIC_ANNOTATION_FOR_TESTS);
   std::shared_ptr<brave::BraveRequestInfo>
       before_url_context(new brave::BraveRequestInfo());
-  brave::BraveRequestInfo::FillCTXFromRequest(request.get(), before_url_context);
+  brave::BraveRequestInfo::FillCTXFromRequest(request.get(),
+    before_url_context);
   brave::ResponseCallback callback;
   GURL expected_url(GOOGLEAPIS_ENDPOINT GOOGLEAPIS_API_KEY);
   int ret =
@@ -68,15 +69,85 @@ TEST_F(BraveStaticRedirectNetworkDelegateHelperTest, ModifyGeoURL) {
   EXPECT_EQ(ret, net::OK);
 }
 
+TEST_F(BraveStaticRedirectNetworkDelegateHelperTest, ModifyCRLSet1) {
+  net::TestDelegate test_delegate;
+  GURL url("https://dl.google.com/release2/chrome_component/AJ4r388iQSJq_4819/"
+    "4819_all_crl-set-5934829738003798040.data.crx3");
+  std::unique_ptr<net::URLRequest> request =
+      context()->CreateRequest(url, net::IDLE, &test_delegate,
+                             TRAFFIC_ANNOTATION_FOR_TESTS);
+  std::shared_ptr<brave::BraveRequestInfo>
+      before_url_context(new brave::BraveRequestInfo());
+  brave::BraveRequestInfo::FillCTXFromRequest(request.get(),
+    before_url_context);
+  brave::ResponseCallback callback;
+  GURL expected_url("https://crlsets1.brave.com/release2/chrome_component/"
+    "AJ4r388iQSJq_4819/4819_all_crl-set-5934829738003798040.data.crx3");
+  int ret =
+      OnBeforeURLRequest_StaticRedirectWork(callback,
+                                            before_url_context);
+  EXPECT_EQ(before_url_context->new_url_spec, expected_url);
+  EXPECT_EQ(ret, net::OK);
+}
+
+TEST_F(BraveStaticRedirectNetworkDelegateHelperTest, ModifyCRLSet2) {
+  net::TestDelegate test_delegate;
+  GURL url("https://r2---sn-8xgp1vo-qxoe.gvt1.com/edgedl/release2/"
+    "chrome_component/AJ4r388iQSJq_4819/4819_all_crl-set-5934829738003798040"
+    ".data.crx3");
+  std::unique_ptr<net::URLRequest> request =
+      context()->CreateRequest(url, net::IDLE, &test_delegate,
+                             TRAFFIC_ANNOTATION_FOR_TESTS);
+  std::shared_ptr<brave::BraveRequestInfo>
+      before_url_context(new brave::BraveRequestInfo());
+  brave::BraveRequestInfo::FillCTXFromRequest(request.get(),
+                                              before_url_context);
+  brave::ResponseCallback callback;
+  GURL expected_url("https://crlsets2.brave.com/edgedl/release2/chrome_compone"
+    "nt/AJ4r388iQSJq_4819/4819_all_crl-set-5934829738003798040.data.crx3");
+  int ret =
+      OnBeforeURLRequest_StaticRedirectWork(callback,
+                                            before_url_context);
+  EXPECT_EQ(before_url_context->new_url_spec, expected_url);
+  EXPECT_EQ(ret, net::OK);
+}
+
+TEST_F(BraveStaticRedirectNetworkDelegateHelperTest, ModifyCRXDownload) {
+  net::TestDelegate test_delegate;
+  GURL url("https://clients2.googleusercontent.com/crx/blobs/QgAAAC6zw0qH2DJtn"
+    "Xe8Z7rUJP1RM6lX7kVcwkQ56ujmG3AWYOAkxoNnIdnEBUz_3z4keVhjzzAF10srsaL7lrntfB"
+    "IflcYIrTziwX3SUS9i_P-CAMZSmuV5tdQl-Roo6cnVC_GRzKsnZSKm1Q/extension_2_0_67"
+    "3_0.crx");
+  std::unique_ptr<net::URLRequest> request =
+      context()->CreateRequest(url, net::IDLE, &test_delegate,
+                             TRAFFIC_ANNOTATION_FOR_TESTS);
+  std::shared_ptr<brave::BraveRequestInfo>
+      before_url_context(new brave::BraveRequestInfo());
+  brave::BraveRequestInfo::FillCTXFromRequest(request.get(),
+    before_url_context);
+  brave::ResponseCallback callback;
+  GURL expected_url("https://crxdownload.brave.com/crx/blobs/QgAAAC6"
+    "zw0qH2DJtnXe8Z7rUJP1RM6lX7kVcwkQ56ujmG3AWYOAkxoNnIdnEBUz_3z4keVhjzzAF10sr"
+    "saL7lrntfBIflcYIrTziwX3SUS9i_P-CAMZSmuV5tdQl-Roo6cnVC_GRzKsnZSKm1Q/extens"
+    "ion_2_0_673_0.crx");
+  int ret =
+      OnBeforeURLRequest_StaticRedirectWork(callback,
+                                            before_url_context);
+  EXPECT_EQ(before_url_context->new_url_spec, expected_url);
+  EXPECT_EQ(ret, net::OK);
+}
+
 TEST_F(BraveStaticRedirectNetworkDelegateHelperTest, ModifySafeBrowsingURLV4) {
   net::TestDelegate test_delegate;
-  GURL url("https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$req=ChkKCGNocm9taXVtEg02Ni");
+  GURL url("https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$"
+    "req=ChkKCGNocm9taXVtEg02Ni");
   std::unique_ptr<net::URLRequest> request =
       context()->CreateRequest(url, net::IDLE, &test_delegate,
                              TRAFFIC_ANNOTATION_FOR_TESTS);
   std::shared_ptr<brave::BraveRequestInfo>
       before_url_context(new brave::BraveRequestInfo());
-  brave::BraveRequestInfo::FillCTXFromRequest(request.get(), before_url_context);
+  brave::BraveRequestInfo::FillCTXFromRequest(request.get(),
+      before_url_context);
   brave::ResponseCallback callback;
   GURL::Replacements replacements;
   replacements.SetHostStr(SAFEBROWSING_ENDPOINT);
@@ -90,13 +161,15 @@ TEST_F(BraveStaticRedirectNetworkDelegateHelperTest, ModifySafeBrowsingURLV4) {
 
 TEST_F(BraveStaticRedirectNetworkDelegateHelperTest, ModifySafeBrowsingURLV5) {
   net::TestDelegate test_delegate;
-  GURL url("https://safebrowsing.googleapis.com/v5/threatListUpdates:fetch?$req=ChkKCGNocm9taXVtEg02Ni");
+  GURL url("https://safebrowsing.googleapis.com/v5/threatListUpdates:fetch?$"
+      "req=ChkKCGNocm9taXVtEg02Ni");
   std::unique_ptr<net::URLRequest> request =
       context()->CreateRequest(url, net::IDLE, &test_delegate,
                              TRAFFIC_ANNOTATION_FOR_TESTS);
   std::shared_ptr<brave::BraveRequestInfo>
       before_url_context(new brave::BraveRequestInfo());
-  brave::BraveRequestInfo::FillCTXFromRequest(request.get(), before_url_context);
+  brave::BraveRequestInfo::FillCTXFromRequest(request.get(),
+      before_url_context);
   brave::ResponseCallback callback;
   GURL::Replacements replacements;
   replacements.SetHostStr(SAFEBROWSING_ENDPOINT);

diff --git a/chromium_src/chrome/browser/component_updater/crl_set_component_installer.cc b/chromium_src/chrome/browser/component_updater/crl_set_component_installer.cc
@@ -0,0 +1,27 @@
+// Copyright (c) 2019 The Brave Authors. All rights reserved.
+
+#define RegisterCRLSetComponent RegisterCRLSetComponent_ChromiumImpl
+#include "../../../../../chrome/browser/component_updater/crl_set_component_installer.cc"  // NOLINT
+#undef  RegisterCRLSetComponent
+
+#include "brave/browser/extensions/brave_component_extension.h"
+#include "brave/common/extensions/extension_constants.h"
+#include "chrome/browser/browser_process.h"
+
+namespace component_updater {
+
+void OnCRLSetRegistered() {
+  ComponentsUI demand_updater;
+  demand_updater.OnDemandUpdate(g_browser_process->component_updater(),
+      crl_set_extension_id);
+}
+
+void RegisterCRLSetComponent(ComponentUpdateService* cus,
+                             const base::FilePath& user_data_dir) {
+  auto installer = base::MakeRefCounted<component_updater::ComponentInstaller>(
+      std::make_unique<CRLSetPolicy>());
+  installer->Register(g_browser_process->component_updater(),
+      base::Bind(&OnCRLSetRegistered));
+}
+
+}  // namespace component_updater
diff --git a/common/extensions/extension_constants.cc b/common/extensions/extension_constants.cc
@@ -1,6 +1,4 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
+// Copyright (c) 2019 The Brave Authors. All rights reserved.
 
 #include "brave/common/extensions/extension_constants.h"
 
@@ -10,8 +8,13 @@ const char brave_webtorrent_extension_id[] = "lgjmpdmojkpocjcopdikifhejkkjglho";
 const char hangouts_extension_id[] = "nkeimhogjdpnpccoofpliimaahmaaome";
 const char widevine_extension_id[] = "oimompecagnajdejgnnjijobebaeigek";
 const char brave_sync_extension_id[] = "nomlkjnggnifocmealianaaiobmebgil";
+const char crl_set_extension_id[] = "hfnkpimlhhgieaddgfemjhofmfblmnib";
 
 const char pdfjs_extension_id[] = "oemmndcbldboiebfnladdacbdfmadadm";
 const char pdfjs_extension_name[] = "PDF Viewer (PDF.js)";
-const char pdfjs_extension_public_key[] = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDb5PIb8ayK6vHvEIY1nJKRSCDE8iJ1T43qFN+5dvCVQrmyEkgqB9ZuZNT24Lwot96HV51VoITHKRNIVKI2Nrbfn0M49t7qtaP34g/GXJ7mAIbSzsY4+i+Wsz8EL2SNEIw6uH8RmXG7nZ29NJ7sk7jn17QmMsO2UJ01UT8hfOOOEQIDAQAB";
-const char pdfjs_extension_origin[] = "chrome-extension://oemmndcbldboiebfnladdacbdfmadadm/";
+const char pdfjs_extension_public_key[] =
+    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDb5PIb8ayK6vHvEIY1nJKRSCDE8iJ1T43qFN"
+    "+5dvCVQrmyEkgqB9ZuZNT24Lwot96HV51VoITHKRNIVKI2Nrbfn0M49t7qtaP34g/GXJ7mAIbS"
+    "zsY4+i+Wsz8EL2SNEIw6uH8RmXG7nZ29NJ7sk7jn17QmMsO2UJ01UT8hfOOOEQIDAQAB";
+const char pdfjs_extension_origin[] =
+    "chrome-extension://oemmndcbldboiebfnladdacbdfmadadm/";
diff --git a/common/extensions/extension_constants.h b/common/extensions/extension_constants.h
@@ -1,15 +1,20 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
+// Copyright (c) 2019 The Brave Authors. All rights reserved.
+
+#ifndef BRAVE_COMMON_EXTENSIONS_EXTENSION_CONSTANTS_H_
+#define BRAVE_COMMON_EXTENSIONS_EXTENSION_CONSTANTS_H_
+
 
 extern const char brave_extension_id[];
 extern const char brave_rewards_extension_id[];
 extern const char brave_webtorrent_extension_id[];
 extern const char hangouts_extension_id[];
 extern const char widevine_extension_id[];
 extern const char brave_sync_extension_id[];
+extern const char crl_set_extension_id[];
 
 extern const char pdfjs_extension_id[];
 extern const char pdfjs_extension_name[];
 extern const char pdfjs_extension_public_key[];
 extern const char pdfjs_extension_origin[];
+
+#endif  // BRAVE_COMMON_EXTENSIONS_EXTENSION_CONSTANTS_H_