| Index: net/base/origin_bound_cert_service.cc |
| diff --git a/net/base/origin_bound_cert_service.cc b/net/base/origin_bound_cert_service.cc |
| index f86d82ce1537e8e5fb0e0e9dd4d858ebeedd4bad..27fb7fa15ddf21a73821b44759f295785cbeaa9d 100644 |
| --- a/net/base/origin_bound_cert_service.cc |
| +++ b/net/base/origin_bound_cert_service.cc |
| @@ -99,9 +99,11 @@ class OriginBoundCertServiceWorker { |
| OriginBoundCertServiceWorker( |
| const std::string& origin, |
| SSLClientCertType type, |
| + base::Time not_valid_after, |
| OriginBoundCertService* origin_bound_cert_service) |
| : origin_(origin), |
| type_(type), |
| + not_valid_after_(not_valid_after), |
| serial_number_(base::RandInt(0, std::numeric_limits<int>::max())), |
| origin_loop_(MessageLoop::current()), |
| origin_bound_cert_service_(origin_bound_cert_service), |
| @@ -132,6 +134,7 @@ class OriginBoundCertServiceWorker { |
| error_ = OriginBoundCertService::GenerateCert(origin_, |
| type_, |
| serial_number_, |
| + not_valid_after_, |
| &private_key_, |
| &cert_); |
| #if defined(USE_NSS) |
| @@ -157,8 +160,8 @@ class OriginBoundCertServiceWorker { |
| // memory leaks or worse errors. |
| base::AutoLock locked(lock_); |
| if (!canceled_) { |
| - origin_bound_cert_service_->HandleResult(origin_, error_, type_, |
| - private_key_, cert_); |
| + origin_bound_cert_service_->HandleResult( |
| + origin_, error_, type_, not_valid_after_, private_key_, cert_); |
| } |
| } |
| delete this; |
| @@ -191,6 +194,7 @@ class OriginBoundCertServiceWorker { |
| const std::string origin_; |
| const SSLClientCertType type_; |
| + const base::Time not_valid_after_; |
| // Note that serial_number_ must be initialized on a non-worker thread |
| // (see documentation for OriginBoundCertService::GenerateCert). |
| uint32 serial_number_; |
| @@ -320,20 +324,26 @@ int OriginBoundCertService::GetOriginBoundCert( |
| requests_++; |
| // Check if an origin bound cert of an acceptable type already exists for this |
| - // origin. |
| + // origin, and that it has not expired. |
| + base::Time now = base::Time::Now(); |
|
wtc
2011/12/14 02:03:39
For unit tests, we may want to provide a way to ov
|
| + base::Time not_valid_after; |
| if (origin_bound_cert_store_->GetOriginBoundCert(origin, |
| type, |
| + ¬_valid_after, |
| private_key, |
| cert)) { |
| - if (IsSupportedCertType(*type) && |
| - std::find(requested_types.begin(), requested_types.end(), *type) != |
| - requested_types.end()) { |
| + if (not_valid_after < now) { |
| + DVLOG(1) << "Cert store had expired cert for " << origin; |
| + } else if (!IsSupportedCertType(*type) || |
| + std::find(requested_types.begin(), requested_types.end(), |
| + *type) == requested_types.end()) { |
| + DVLOG(1) << "Cert store had cert of wrong type " << *type << " for " |
| + << origin; |
| + } else { |
| cert_store_hits_++; |
| *out_req = NULL; |
| return OK; |
| } |
| - DVLOG(1) << "Cert store had cert of wrong type " << *type << " for " |
| - << origin; |
| } |
| // |origin_bound_cert_store_| has no cert for this origin. See if an |
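Review bot: The expiry test `if (not_valid_after < now)` accepts a stored cert that is valid for only a few more seconds, so the `return OK` branch can hand the caller a cert that lapses before the connection that uses it is set up. Comparing against `now` plus a small margin would regenerate slightly early instead, e.g. `if (not_valid_after < now + base::TimeDelta::FromMinutes(kExpiryMarginMinutes))`, with `kExpiryMarginMinutes` as a new constant beside `kValidityPeriodInDays`. On the expired and wrong-type branches the store lookup has already written into `*type`, `*private_key` and `*cert`, so it may be worth clearing them before falling through. Whether a later error return can leave that stale key material visible to the caller is outside this hunk.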
| @@ -361,8 +371,11 @@ int OriginBoundCertService::GetOriginBoundCert( |
| inflight_joins_++; |
| } else { |
| // Need to make a new request. |
| - OriginBoundCertServiceWorker* worker = |
| - new OriginBoundCertServiceWorker(origin, preferred_type, this); |
| + OriginBoundCertServiceWorker* worker = new OriginBoundCertServiceWorker( |
| + origin, |
| + preferred_type, |
| + now + base::TimeDelta::FromDays(kValidityPeriodInDays), |
|
wtc
2011/12/15 03:18:51
It doesn't seem necessary to pass not_valid_after
mattm
2011/12/20 00:28:38
Done.
|
| + this); |
| job = new OriginBoundCertServiceJob(worker, preferred_type); |
| if (!worker->Start()) { |
| delete job; |
| @@ -386,6 +399,7 @@ int OriginBoundCertService::GetOriginBoundCert( |
| int OriginBoundCertService::GenerateCert(const std::string& origin, |
| SSLClientCertType type, |
| uint32 serial_number, |
| + base::Time not_valid_after, |
| std::string* private_key, |
| std::string* cert) { |
| std::string der_cert; |
| @@ -402,7 +416,7 @@ int OriginBoundCertService::GenerateCert(const std::string& origin, |
| key.get(), |
| origin, |
| serial_number, |
| - base::TimeDelta::FromDays(kValidityPeriodInDays), |
| + not_valid_after, |
|
wtc
2011/12/15 03:18:51
It seems that the GenerateCert method doesn't need
mattm
2011/12/20 00:28:38
Done.
|
| &der_cert)) { |
| DLOG(ERROR) << "Unable to create x509 cert for client"; |
| return ERR_ORIGIN_BOUND_CERT_GENERATION_FAILED; |
| @@ -424,7 +438,7 @@ int OriginBoundCertService::GenerateCert(const std::string& origin, |
| key.get(), |
| origin, |
| serial_number, |
| - base::TimeDelta::FromDays(kValidityPeriodInDays), |
| + not_valid_after, |
| &der_cert)) { |
| DLOG(ERROR) << "Unable to create x509 cert for client"; |
| return ERR_ORIGIN_BOUND_CERT_GENERATION_FAILED; |
| @@ -463,11 +477,13 @@ void OriginBoundCertService::CancelRequest(RequestHandle req) { |
| void OriginBoundCertService::HandleResult(const std::string& origin, |
| int error, |
| SSLClientCertType type, |
| + base::Time not_valid_after, |
| const std::string& private_key, |
| const std::string& cert) { |
| DCHECK(CalledOnValidThread()); |
| - origin_bound_cert_store_->SetOriginBoundCert(origin, type, private_key, cert); |
| + origin_bound_cert_store_->SetOriginBoundCert( |
| + origin, type, not_valid_after, private_key, cert); |
| std::map<std::string, OriginBoundCertServiceJob*>::iterator j; |
| j = inflight_.find(origin); |
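Review bot: `SetOriginBoundCert` is called before `error` is inspected in the lines shown, so a failed generation appears to be persisted together with a `not_valid_after` about `kValidityPeriodInDays` in the future. With the expiry check this change adds to GetOriginBoundCert, such an entry would presumably look unexpired and could be returned with OK, carrying whatever (likely empty) `private_key` and `cert` the failed worker produced. Guarding the write with `if (error == OK)` in front of the `SetOriginBoundCert(...)` call keeps failures out of the store. The rest of HandleResult lies outside this hunk, so confirm that nothing later depends on the entry existing after an error.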