Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(971)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 8536035: Include the full certificate chain in the download pingback. (Closed)

Created:
9 years, 1 month ago by Brian Ryner
Modified:
9 years, 1 month ago
Reviewers:
noelutz, Ryan Sleevi, mattm
CC:
chromium-reviews, Paweł Hajdan Jr.
Visibility:
Public.

Description

Include the full certificate chain in the download pingback. BUG=102540 TEST=SignatureUtilWinTest Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=109807

Patch Set 1 #

Total comments: 3
Unified diffs Side-by-side diffs Delta from patch set Stats (+141 lines, -48 lines) Patch
M chrome/browser/safe_browsing/download_protection_service.cc View 2 chunks +3 lines, -2 lines 2 comments Download
M chrome/browser/safe_browsing/download_protection_service_unittest.cc View 3 chunks +7 lines, -4 lines 0 comments Download
M chrome/browser/safe_browsing/signature_util_win.cc View 2 chunks +47 lines, -5 lines 1 comment Download
M chrome/browser/safe_browsing/signature_util_win_unittest.cc View 2 chunks +67 lines, -34 lines 0 comments Download
M chrome/common/safe_browsing/csd.proto View 1 chunk +17 lines, -3 lines 0 comments Download

Messages

Total messages: 9 (0 generated)
Brian Ryner
9 years, 1 month ago (2011-11-11 23:59:17 UTC) #1
noelutz
lgtm
9 years, 1 month ago (2011-11-12 00:03:42 UTC) #2
mattm
lgtm http://codereview.chromium.org/8536035/diff/1/chrome/browser/safe_browsing/download_protection_service.cc File chrome/browser/safe_browsing/download_protection_service.cc (right): http://codereview.chromium.org/8536035/diff/1/chrome/browser/safe_browsing/download_protection_service.cc#newcode406 chrome/browser/safe_browsing/download_protection_service.cc:406: DCHECK(BrowserThread::CurrentlyOn(BrowserThread::FILE)); Probably want to move to doing this ...
9 years, 1 month ago (2011-11-12 03:15:36 UTC) #3
Brian Ryner
So just to clarify, you're suggesting that we read the cert (CryptQueryObject) on the file ...
9 years, 1 month ago (2011-11-12 19:00:39 UTC) #4
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/bryner@chromium.org/8536035/1
9 years, 1 month ago (2011-11-12 19:00:53 UTC) #5
commit-bot: I haz the power
Change committed as 109807
9 years, 1 month ago (2011-11-12 20:02:25 UTC) #6
Ryan Sleevi
Just some drive-by comments. I wasn't aware there was CryptoAPI usage outside of net/ && ...
9 years, 1 month ago (2011-11-12 22:06:17 UTC) #7
Brian Ryner
Thanks for the comments Ryan. Responses inline. On 2011/11/12 22:06:17, Ryan Sleevi wrote: > drive-by: ...
9 years, 1 month ago (2011-11-14 02:55:43 UTC) #8
Ryan Sleevi
9 years, 1 month ago (2011-11-14 03:13:18 UTC) #9 
On 2011/11/14 02:55:43, Brian Ryner wrote:
> Thanks for the comments Ryan.  Responses inline.
> 
> On 2011/11/12 22:06:17, Ryan Sleevi wrote:
> > drive-by: +1 to this. These calls can take upwards of 20 seconds, depending
on
> > how the system is configured, due to things like AIA chasing (which can
still
> > happen for WinVerifyTrust/Authenticode sigs, IIRC).
> 
> Hm, can you explain a little bit more of what's involved here?  20 seconds is
> much longer than we'd like this check to take.  Is this still true with
> revocation checking disabled or is it unrelated?
> 

It's unrelated. While the expectation is that a signed executable will have all
of the certificate change embedded as a PKCS#7 signerInfo, it's possible to
avoid doing this. Because you're using CertGetCertificateChain on top of the
CMSG (rather than the WTHelper routines), this means that AIA fetching will be
enabled by default.

The thing that controls this is the HCERTCHAINENGINE you're passing in. The NULL
chain engine (the default) will have URL fetching enabled. You can override this
by creating a CERT_CHAIN_ENGINE_CONFIG that passes
CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL, so as to disable AIA fetching.
Alternatively, you can pass CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL as a flag to
CertGetCertificateChain().

Even still though, the logical "Root" store includes the AUTHROOT system, which
may make a ping to Microsoft to download a root on the fly.  You could use
CERT_CHAIN_DISABLE_AUTH_ROOT_UPDATE to disable that.

Additionally, though documented as a revocation aspect, I believe that
CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT /
CERT_CHAIN_PARA.dwUrlRetrievalTimeout will affect the AIA fetches (in addition
to CRL/OCSP status checks, which are not enabled with your current flags).

But the easiest way to side-step all of that is to use the WinVerifyTrust
hWVTStateData. 

Just realize that the WVT call can still be multi-second blocking - it has to
read (and hash) the entire fire, to build a chain it may consult the various
default System stores, which may be backed by (Registry, LDAP, Smartcard, other
latency-ridden pieces). Since you're not showing a UI, it may make sense to
delegate this call entirely to a worker thread.

Alternatively, slap some metrics around here to figure out the time to execute.
With about:tracking/about:tracking2 now, perhaps it will be easier to see how
long these block.

Powered by Google App Engine
This is Rietveld 408576698