Handle Origin Bound Certificate expiration.

net/base/origin_bound_cert_service.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/origin_bound_cert_service.h"
 
 #include <algorithm>
 #include <limits>
 
 #include "base/compiler_specific.h"
@@ skipping 81 matching lines @@
 };
 
 // OriginBoundCertServiceWorker runs on a worker thread and takes care of the
 // blocking process of performing key generation. Deletes itself eventually
 // if Start() succeeds.
 class OriginBoundCertServiceWorker {
  public:
   OriginBoundCertServiceWorker(
       const std::string& origin,
       SSLClientCertType type,
+      base::Time not_valid_after,
       OriginBoundCertService* origin_bound_cert_service)
       : origin_(origin),
         type_(type),
+        not_valid_after_(not_valid_after),
         serial_number_(base::RandInt(0, std::numeric_limits<int>::max())),
         origin_loop_(MessageLoop::current()),
         origin_bound_cert_service_(origin_bound_cert_service),
         canceled_(false),
         error_(ERR_FAILED) {
   }
 
   bool Start() {
     DCHECK_EQ(MessageLoop::current(), origin_loop_);
 
@@ skipping 10 matching lines @@
     base::AutoLock locked(lock_);
     canceled_ = true;
   }
 
  private:
   void Run() {
     // Runs on a worker thread.
     error_ = OriginBoundCertService::GenerateCert(origin_,
                                                   type_,
                                                   serial_number_,
+                                                  not_valid_after_,
                                                   &private_key_,
                                                   &cert_);
 #if defined(USE_NSS)
     // Detach the thread from NSPR.
     // Calling NSS functions attaches the thread to NSPR, which stores
     // the NSPR thread ID in thread-specific data.
     // The threads in our thread pool terminate after we have called
     // PR_Cleanup. Unless we detach them from NSPR, net_unittests gets
     // segfaults on shutdown when the threads' thread-specific data
     // destructors run.
     PR_DetachThread();
 #endif
     Finish();
   }
 
   // DoReply runs on the origin thread.
   void DoReply() {
     DCHECK_EQ(MessageLoop::current(), origin_loop_);
     {
       // We lock here because the worker thread could still be in Finished,
       // after the PostTask, but before unlocking |lock_|. If we do not lock in
       // this case, we will end up deleting a locked Lock, which can lead to
       // memory leaks or worse errors.
       base::AutoLock locked(lock_);
       if (!canceled_) {
-        origin_bound_cert_service_->HandleResult(origin_, error_, type_,
-                                                 private_key_, cert_);
+        origin_bound_cert_service_->HandleResult(
+            origin_, error_, type_, not_valid_after_, private_key_, cert_);
       }
     }
     delete this;
   }
 
   void Finish() {
     // Runs on the worker thread.
     // We assume that the origin loop outlives the OriginBoundCertService. If
     // the OriginBoundCertService is deleted, it will call Cancel on us. If it
     // does so before the Acquire, we'll delete ourselves and return. If it's
@@ skipping 12 matching lines @@
             FROM_HERE,
             NewRunnableMethod(this, &OriginBoundCertServiceWorker::DoReply));
       }
     }
     if (canceled)
       delete this;
   }
 
   const std::string origin_;
   const SSLClientCertType type_;
+  const base::Time not_valid_after_;
   // Note that serial_number_ must be initialized on a non-worker thread
   // (see documentation for OriginBoundCertService::GenerateCert).
   uint32 serial_number_;
   MessageLoop* const origin_loop_;
   OriginBoundCertService* const origin_bound_cert_service_;
 
   // lock_ protects canceled_.
   base::Lock lock_;
 
   // If canceled_ is true,
@@ skipping 109 matching lines @@
   }
   if (preferred_type == CLIENT_CERT_INVALID_TYPE) {
     // None of the requested types are supported.
     *out_req = NULL;
     return ERR_CLIENT_AUTH_CERT_TYPE_UNSUPPORTED;
   }
 
   requests_++;
 
   // Check if an origin bound cert of an acceptable type already exists for this
-  // origin.
+  // origin, and that it has not expired.
+  base::Time now = base::Time::Now();

[wtc, 2011/12/14 02:03:39]

For unit tests, we may want to provide a way to override the
function for getting the current time.

+  base::Time not_valid_after;
   if (origin_bound_cert_store_->GetOriginBoundCert(origin,
                                                    type,
+                                                   &not_valid_after,
                                                    private_key,
                                                    cert)) {
-    if (IsSupportedCertType(*type) &&
-        std::find(requested_types.begin(), requested_types.end(), *type) !=
-        requested_types.end()) {
+    if (not_valid_after < now) {
+      DVLOG(1) << "Cert store had expired cert for " << origin;
+    } else if (!IsSupportedCertType(*type) ||
+               std::find(requested_types.begin(), requested_types.end(),
+                         *type) == requested_types.end()) {
+      DVLOG(1) << "Cert store had cert of wrong type " << *type << " for "
+               << origin;
+    } else {
       cert_store_hits_++;
       *out_req = NULL;
       return OK;
     }
-    DVLOG(1) << "Cert store had cert of wrong type " << *type << " for "
-             << origin;
   }
 
   // |origin_bound_cert_store_| has no cert for this origin. See if an
   // identical request is currently in flight.
   OriginBoundCertServiceJob* job = NULL;
   std::map<std::string, OriginBoundCertServiceJob*>::const_iterator j;
   j = inflight_.find(origin);
   if (j != inflight_.end()) {
     // An identical request is in flight already. We'll just attach our
     // callback.
     job = j->second;
     // Check that the job is for an acceptable type of cert.
     if (std::find(requested_types.begin(), requested_types.end(), job->type())
         == requested_types.end()) {
       DVLOG(1) << "Found inflight job of wrong type " << job->type()
                << " for " << origin;
       *out_req = NULL;
       // If we get here, the server is asking for different types of certs in
       // short succession.  This probably means the server is broken or
       // misconfigured.  Since we only store one type of cert per origin, we
       // are unable to handle this well.  Just return an error and let the first
       // job finish.
       return ERR_ORIGIN_BOUND_CERT_GENERATION_TYPE_MISMATCH;
     }
     inflight_joins_++;
   } else {
     // Need to make a new request.
-    OriginBoundCertServiceWorker* worker =
-        new OriginBoundCertServiceWorker(origin, preferred_type, this);
+    OriginBoundCertServiceWorker* worker = new OriginBoundCertServiceWorker(
+            origin,
+            preferred_type,
+            now + base::TimeDelta::FromDays(kValidityPeriodInDays),

[wtc, 2011/12/15 03:18:51]

It doesn't seem necessary to pass not_valid_after to the
OriginBoundCertServiceWorker constructor.  More on this
below.

[mattm, 2011/12/20 00:28:38]

Done.

+            this);
     job = new OriginBoundCertServiceJob(worker, preferred_type);
     if (!worker->Start()) {
       delete job;
       delete worker;
       *out_req = NULL;
       // TODO(rkn): Log to the NetLog.
       LOG(ERROR) << "OriginBoundCertServiceWorker couldn't be started.";
       return ERR_INSUFFICIENT_RESOURCES;  // Just a guess.
     }
     inflight_[origin] = job;
   }
 
   OriginBoundCertServiceRequest* request =
       new OriginBoundCertServiceRequest(callback, type, private_key, cert);
   job->AddRequest(request);
   *out_req = request;
   return ERR_IO_PENDING;
 }
 
 // static
 int OriginBoundCertService::GenerateCert(const std::string& origin,
                                          SSLClientCertType type,
                                          uint32 serial_number,
+                                         base::Time not_valid_after,
                                          std::string* private_key,
                                          std::string* cert) {
   std::string der_cert;
   std::vector<uint8> private_key_info;
   switch (type) {
     case CLIENT_CERT_RSA_SIGN: {
       scoped_ptr<crypto::RSAPrivateKey> key(
           crypto::RSAPrivateKey::Create(kKeySizeInBits));
       if (!key.get()) {
         DLOG(ERROR) << "Unable to create key pair for client";
         return ERR_KEY_GENERATION_FAILED;
       }
       if (!x509_util::CreateOriginBoundCertRSA(
           key.get(),
           origin,
           serial_number,
-          base::TimeDelta::FromDays(kValidityPeriodInDays),
+          not_valid_after,

[wtc, 2011/12/15 03:18:51]

It seems that the GenerateCert method doesn't need to take
not_valid_after as input.  It can generate not_valid_after
internally here.

But this requires the GenerateCert method to return
not_valid_after as output, so that it can be passed to the
HandleResult method.

[mattm, 2011/12/20 00:28:38]

Done.

           &der_cert)) {
         DLOG(ERROR) << "Unable to create x509 cert for client";
         return ERR_ORIGIN_BOUND_CERT_GENERATION_FAILED;
       }
 
       if (!key->ExportPrivateKey(&private_key_info)) {
         DLOG(ERROR) << "Unable to export private key";
         return ERR_PRIVATE_KEY_EXPORT_FAILED;
       }
       break;
     }
     case CLIENT_CERT_ECDSA_SIGN: {
       scoped_ptr<crypto::ECPrivateKey> key(crypto::ECPrivateKey::Create());
       if (!key.get()) {
         DLOG(ERROR) << "Unable to create key pair for client";
         return ERR_KEY_GENERATION_FAILED;
       }
       if (!x509_util::CreateOriginBoundCertEC(
           key.get(),
           origin,
           serial_number,
-          base::TimeDelta::FromDays(kValidityPeriodInDays),
+          not_valid_after,
           &der_cert)) {
         DLOG(ERROR) << "Unable to create x509 cert for client";
         return ERR_ORIGIN_BOUND_CERT_GENERATION_FAILED;
       }
 
       if (!key->ExportEncryptedPrivateKey(
           kEPKIPassword, 1, &private_key_info)) {
         DLOG(ERROR) << "Unable to export private key";
         return ERR_PRIVATE_KEY_EXPORT_FAILED;
       }
@@ skipping 18 matching lines @@
   OriginBoundCertServiceRequest* request =
       reinterpret_cast<OriginBoundCertServiceRequest*>(req);
   request->Cancel();
 }
 
 // HandleResult is called by OriginBoundCertServiceWorker on the origin message
 // loop. It deletes OriginBoundCertServiceJob.
 void OriginBoundCertService::HandleResult(const std::string& origin,
                                           int error,
                                           SSLClientCertType type,
+                                          base::Time not_valid_after,
                                           const std::string& private_key,
                                           const std::string& cert) {
   DCHECK(CalledOnValidThread());
 
-  origin_bound_cert_store_->SetOriginBoundCert(origin, type, private_key, cert);
+  origin_bound_cert_store_->SetOriginBoundCert(
+      origin, type, not_valid_after, private_key, cert);
 
   std::map<std::string, OriginBoundCertServiceJob*>::iterator j;
   j = inflight_.find(origin);
   if (j == inflight_.end()) {
     NOTREACHED();
     return;
   }
   OriginBoundCertServiceJob* job = j->second;
   inflight_.erase(j);
 
   job->HandleResult(error, type, private_key, cert);
   delete job;
 }
 
 int OriginBoundCertService::cert_count() {
   return origin_bound_cert_store_->GetCertCount();
 }
 
 }  // namespace net
 
 DISABLE_RUNNABLE_METHOD_REFCOUNT(net::OriginBoundCertServiceWorker);