Support EC certs in OriginBoundCertService and OriginBoundCertStore.

chrome/browser/net/sqlite_origin_bound_cert_store.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/net/sqlite_origin_bound_cert_store.h"
 
 #include <list>
 
 #include "base/basictypes.h"
 #include "base/bind.h"
 #include "base/file_path.h"
 #include "base/file_util.h"
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/string_util.h"
 #include "base/threading/thread.h"
 #include "base/threading/thread_restrictions.h"
 #include "chrome/browser/diagnostics/sqlite_diagnostics.h"
 #include "content/public/browser/browser_thread.h"
+#include "net/base/ssl_client_cert_type.h"
 #include "sql/meta_table.h"
 #include "sql/statement.h"
 #include "sql/transaction.h"
 
 using content::BrowserThread;
 
 // This class is designed to be shared between any calling threads and the
 // database thread.  It batches operations and commits them on a timer.
 class SQLiteOriginBoundCertStore::Backend
     : public base::RefCountedThreadSafe<SQLiteOriginBoundCertStore::Backend> {
@@ skipping 79 matching lines @@
   PendingOperationsList::size_type num_pending_;
   // True if the persistent store should be deleted upon destruction.
   bool clear_local_state_on_exit_;
   // Guard |pending_|, |num_pending_| and |clear_local_state_on_exit_|.
   base::Lock lock_;
 
   DISALLOW_COPY_AND_ASSIGN(Backend);
 };
 
 // Version number of the database.
-static const int kCurrentVersionNumber = 1;
+static const int kCurrentVersionNumber = 2;
 static const int kCompatibleVersionNumber = 1;
 
 namespace {
 
 // Initializes the certs table, returning true on success.
 bool InitTable(sql::Connection* db) {
   if (!db->DoesTableExist("origin_bound_certs")) {
     if (!db->Execute("CREATE TABLE origin_bound_certs ("
                      "origin TEXT NOT NULL UNIQUE PRIMARY KEY,"
                      "private_key BLOB NOT NULL,"
-                     "cert BLOB NOT NULL)"))
+                     "cert BLOB NOT NULL,"
+                     "cert_type INTEGER DEFAULT 1)"))

[wtc, 2011/12/02 22:06:59]

Is it necessary to specify a default value for cert_type?
You should document that the value 1 means rsa_sign.

[mattm, 2011/12/05 22:19:20]

Ah, changed the DB update code to avoid needing the default.
done (at the update location)

       return false;
   }
 
   return true;
 }
 
 }  // namespace
 
 bool SQLiteOriginBoundCertStore::Backend::Load(
     std::vector<net::DefaultOriginBoundCertStore::OriginBoundCert*>* certs) {
@@ skipping 21 matching lines @@
   if (!EnsureDatabaseVersion() || !InitTable(db_.get())) {
     NOTREACHED() << "Unable to open cert DB.";
     db_.reset();
     return false;
   }
 
   db_->Preload();
 
   // Slurp all the certs into the out-vector.
   sql::Statement smt(db_->GetUniqueStatement(
-      "SELECT origin, private_key, cert FROM origin_bound_certs"));
+      "SELECT origin, private_key, cert, cert_type FROM origin_bound_certs"));
   if (!smt) {
     NOTREACHED() << "select statement prep failed";
     db_.reset();
     return false;
   }
 
   while (smt.Step()) {
     std::string private_key_from_db, cert_from_db;
     smt.ColumnBlobAsString(1, &private_key_from_db);
     smt.ColumnBlobAsString(2, &cert_from_db);
     scoped_ptr<net::DefaultOriginBoundCertStore::OriginBoundCert> cert(
         new net::DefaultOriginBoundCertStore::OriginBoundCert(
             smt.ColumnString(0),  // origin
+            static_cast<net::SSLClientCertType>(smt.ColumnInt(3)),
             private_key_from_db,
             cert_from_db));
     certs->push_back(cert.release());
   }
 
   return true;
 }
 
 bool SQLiteOriginBoundCertStore::Backend::EnsureDatabaseVersion() {
   // Version check.
   if (!meta_table_.Init(
       db_.get(), kCurrentVersionNumber, kCompatibleVersionNumber)) {
     return false;
   }
 
   if (meta_table_.GetCompatibleVersionNumber() > kCurrentVersionNumber) {
     LOG(WARNING) << "Origin bound cert database is too new.";
     return false;
   }
 
   int cur_version = meta_table_.GetVersionNumber();
+  if (cur_version == 1) {
+    sql::Transaction transaction(db_.get());
+    if (!transaction.Begin())
+      return false;
+    if (!db_->Execute("ALTER TABLE origin_bound_certs ADD COLUMN cert_type "
+                      "INTEGER DEFAULT 1")) {

[wtc, 2011/12/02 22:06:59]

"DEFAULT 1" makes sense here because all the certs in version 1
databases are rsa_sign.  Can we explicitly set the value
of the cert_type column to 1, rather than relying on the
default value?

[mattm, 2011/12/05 22:19:20]

Done.

+      LOG(WARNING) << "Unable to update origin bound cert database to "
+                   << "version 2.";
+      return false;
+    }
+    ++cur_version;
+    meta_table_.SetVersionNumber(cur_version);
+    meta_table_.SetCompatibleVersionNumber(
+        std::min(cur_version, kCompatibleVersionNumber));
+    transaction.Commit();
+  }
 
   // Put future migration cases here.
 
   // When the version is too old, we just try to continue anyway, there should
   // not be a released product that makes a database too old for us to handle.
   LOG_IF(WARNING, cur_version < kCurrentVersionNumber) <<
       "Origin bound cert database version " << cur_version <<
       " is too old to handle.";
 
   return true;
@@ skipping 49 matching lines @@
     base::AutoLock locked(lock_);
     pending_.swap(ops);
     num_pending_ = 0;
   }
 
   // Maybe an old timer fired or we are already Close()'ed.
   if (!db_.get() || ops.empty())
     return;
 
   sql::Statement add_smt(db_->GetCachedStatement(SQL_FROM_HERE,
-      "INSERT INTO origin_bound_certs (origin, private_key, cert) "
-      "VALUES (?,?,?)"));
+      "INSERT INTO origin_bound_certs (origin, private_key, cert, cert_type) "
+      "VALUES (?,?,?,?)"));
   if (!add_smt) {
     NOTREACHED();
     return;
   }
 
   sql::Statement del_smt(db_->GetCachedStatement(SQL_FROM_HERE,
                              "DELETE FROM origin_bound_certs WHERE origin=?"));
   if (!del_smt) {
     NOTREACHED();
     return;
   }
 
   sql::Transaction transaction(db_.get());
   if (!transaction.Begin()) {
     NOTREACHED();
     return;
   }
   for (PendingOperationsList::iterator it = ops.begin();
        it != ops.end(); ++it) {
     // Free the certs as we commit them to the database.
     scoped_ptr<PendingOperation> po(*it);
     switch (po->op()) {
       case PendingOperation::CERT_ADD: {
         add_smt.Reset();
         add_smt.BindString(0, po->cert().origin());
         const std::string& private_key = po->cert().private_key();
         add_smt.BindBlob(1, private_key.data(), private_key.size());
         const std::string& cert = po->cert().cert();
         add_smt.BindBlob(2, cert.data(), cert.size());
+        add_smt.BindInt(3, po->cert().type());
         if (!add_smt.Run())
           NOTREACHED() << "Could not add an origin bound cert to the DB.";
         break;
       }
       case PendingOperation::CERT_DELETE:
         del_smt.Reset();
         del_smt.BindString(0, po->cert().origin());
         if (!del_smt.Run())
           NOTREACHED() << "Could not delete an origin bound cert from the DB.";
         break;
@@ skipping 82 matching lines @@
   if (backend_.get())
     backend_->SetClearLocalStateOnExit(clear_local_state);
 }
 
 void SQLiteOriginBoundCertStore::Flush(const base::Closure& completion_task) {
   if (backend_.get())
     backend_->Flush(completion_task);
   else if (!completion_task.is_null())
     MessageLoop::current()->PostTask(FROM_HERE, completion_task);
 }