OLD | NEW |
---|---|
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_SSL_CHANNEL_ID_SERVICE_H_ | 5 #ifndef NET_SSL_CHANNEL_ID_SERVICE_H_ |
6 #define NET_SSL_CHANNEL_ID_SERVICE_H_ | 6 #define NET_SSL_CHANNEL_ID_SERVICE_H_ |
7 | 7 |
8 #include <map> | 8 #include <map> |
9 #include <string> | 9 #include <string> |
10 #include <vector> | 10 #include <vector> |
11 | 11 |
12 #include "base/basictypes.h" | 12 #include "base/basictypes.h" |
13 #include "base/memory/scoped_ptr.h" | 13 #include "base/memory/scoped_ptr.h" |
14 #include "base/memory/weak_ptr.h" | 14 #include "base/memory/weak_ptr.h" |
15 #include "base/threading/non_thread_safe.h" | 15 #include "base/threading/non_thread_safe.h" |
16 #include "base/time/time.h" | 16 #include "base/time/time.h" |
17 #include "crypto/ec_private_key.h" | |
17 #include "net/base/completion_callback.h" | 18 #include "net/base/completion_callback.h" |
18 #include "net/base/net_export.h" | 19 #include "net/base/net_export.h" |
19 #include "net/ssl/channel_id_store.h" | 20 #include "net/ssl/channel_id_store.h" |
20 | 21 |
21 namespace base { | 22 namespace base { |
22 class TaskRunner; | 23 class TaskRunner; |
23 } | 24 } |
24 | 25 |
25 namespace net { | 26 namespace net { |
26 | 27 |
(...skipping 72 matching lines...) | |
99 // PrivateKeyInfo struct, and |cert| stores a DER-encoded certificate. | 100 // PrivateKeyInfo struct, and |cert| stores a DER-encoded certificate. |
100 // The PrivateKeyInfo is always an ECDSA private key. | 101 // The PrivateKeyInfo is always an ECDSA private key. |
101 // | 102 // |
102 // |callback| must not be null. ERR_IO_PENDING is returned if the operation | 103 // |callback| must not be null. ERR_IO_PENDING is returned if the operation |
103 // could not be completed immediately, in which case the result code will | 104 // could not be completed immediately, in which case the result code will |
104 // be passed to the callback when available. | 105 // be passed to the callback when available. |
105 // | 106 // |
106 // |*out_req| will be initialized with a handle to the async request. This | 107 // |*out_req| will be initialized with a handle to the async request. This |
107 // RequestHandle object must be cancelled or destroyed before the | 108 // RequestHandle object must be cancelled or destroyed before the |
108 // ChannelIDService is destroyed. | 109 // ChannelIDService is destroyed. |
109 int GetOrCreateChannelID( | 110 int GetOrCreateChannelID(const std::string& host, |
110 const std::string& host, | 111 scoped_ptr<crypto::ECPrivateKey>* key, |
111 std::string* private_key, | 112 const CompletionCallback& callback, |
112 std::string* cert, | 113 RequestHandle* out_req); |
113 const CompletionCallback& callback, | |
114 RequestHandle* out_req); | |
115 | 114 |
116 // Fetches the domain bound cert for the specified host if one exists. | 115 // Fetches the domain bound cert for the specified host if one exists. |
117 // Returns OK if successful, ERR_FILE_NOT_FOUND if none exists, or an error | 116 // Returns OK if successful, ERR_FILE_NOT_FOUND if none exists, or an error |
118 // code upon failure. | 117 // code upon failure. |
119 // | 118 // |
120 // On successful completion, |private_key| stores a DER-encoded | 119 // On successful completion, |private_key| stores a DER-encoded |
121 // PrivateKeyInfo struct, and |cert| stores a DER-encoded certificate. | 120 // PrivateKeyInfo struct, and |cert| stores a DER-encoded certificate. |
122 // The PrivateKeyInfo is always an ECDSA private key. | 121 // The PrivateKeyInfo is always an ECDSA private key. |
123 // | 122 // |
124 // |callback| must not be null. ERR_IO_PENDING is returned if the operation | 123 // |callback| must not be null. ERR_IO_PENDING is returned if the operation |
125 // could not be completed immediately, in which case the result code will | 124 // could not be completed immediately, in which case the result code will |
126 // be passed to the callback when available. If an in-flight | 125 // be passed to the callback when available. If an in-flight |
127 // GetChannelID is pending, and a new GetOrCreateDomainBoundCert | 126 // GetChannelID is pending, and a new GetOrCreateDomainBoundCert |
128 // request arrives for the same domain, the GetChannelID request will | 127 // request arrives for the same domain, the GetChannelID request will |
129 // not complete until a new cert is created. | 128 // not complete until a new cert is created. |
130 // | 129 // |
131 // |*out_req| will be initialized with a handle to the async request. This | 130 // |*out_req| will be initialized with a handle to the async request. This |
132 // RequestHandle object must be cancelled or destroyed before the | 131 // RequestHandle object must be cancelled or destroyed before the |
133 // ChannelIDService is destroyed. | 132 // ChannelIDService is destroyed. |
134 int GetChannelID( | 133 int GetChannelID(const std::string& host, |
135 const std::string& host, | 134 scoped_ptr<crypto::ECPrivateKey>* key, |
136 std::string* private_key, | 135 const CompletionCallback& callback, |
137 std::string* cert, | 136 RequestHandle* out_req); |
138 const CompletionCallback& callback, | |
139 RequestHandle* out_req); | |
140 | 137 |
141 // Returns the backing ChannelIDStore. | 138 // Returns the backing ChannelIDStore. |
142 ChannelIDStore* GetChannelIDStore(); | 139 ChannelIDStore* GetChannelIDStore(); |
143 | 140 |
144 // Public only for unit testing. | 141 // Public only for unit testing. |
145 int cert_count(); | 142 int cert_count(); |
146 uint64 requests() const { return requests_; } | 143 uint64 requests() const { return requests_; } |
147 uint64 cert_store_hits() const { return cert_store_hits_; } | 144 uint64 key_store_hits() const { return key_store_hits_; } |
148 uint64 inflight_joins() const { return inflight_joins_; } | 145 uint64 inflight_joins() const { return inflight_joins_; } |
149 uint64 workers_created() const { return workers_created_; } | 146 uint64 workers_created() const { return workers_created_; } |
150 | 147 |
151 private: | 148 private: |
152 // Cancels the specified request. |req| is the handle stored by | 149 // Cancels the specified request. |req| is the handle stored by |
153 // GetChannelID(). After a request is canceled, its completion | 150 // GetChannelID(). After a request is canceled, its completion |
154 // callback will not be called. | 151 // callback will not be called. |
155 void CancelRequest(ChannelIDServiceRequest* req); | 152 void CancelRequest(ChannelIDServiceRequest* req); |
156 | 153 |
157 void GotChannelID(int err, | 154 void GotChannelID(int err, |
158 const std::string& server_identifier, | 155 const std::string& server_identifier, |
159 base::Time expiration_time, | 156 const std::string& private_key, |
160 const std::string& key, | 157 const std::string& public_key); |
161 const std::string& cert); | |
162 void GeneratedChannelID( | 158 void GeneratedChannelID( |
163 const std::string& server_identifier, | 159 const std::string& server_identifier, |
164 int error, | 160 int error, |
165 scoped_ptr<ChannelIDStore::ChannelID> channel_id); | 161 scoped_ptr<ChannelIDStore::ChannelID> channel_id); |
166 void HandleResult(int error, | 162 void HandleResult(int error, |
167 const std::string& server_identifier, | 163 const std::string& server_identifier, |
168 const std::string& private_key, | 164 const std::string& private_key, |
169 const std::string& cert); | 165 const std::string& public_key); |
170 | 166 |
171 // Searches for an in-flight request for the same domain. If found, | 167 // Searches for an in-flight request for the same domain. If found, |
172 // attaches to the request and returns true. Returns false if no in-flight | 168 // attaches to the request and returns true. Returns false if no in-flight |
173 // request is found. | 169 // request is found. |
174 bool JoinToInFlightRequest(const base::TimeTicks& request_start, | 170 bool JoinToInFlightRequest(const base::TimeTicks& request_start, |
175 const std::string& domain, | 171 const std::string& domain, |
176 std::string* private_key, | 172 scoped_ptr<crypto::ECPrivateKey>* key, |
177 std::string* cert, | |
178 bool create_if_missing, | 173 bool create_if_missing, |
179 const CompletionCallback& callback, | 174 const CompletionCallback& callback, |
180 RequestHandle* out_req); | 175 RequestHandle* out_req); |
181 | 176 |
182 // Looks for the domain bound cert for |domain| in this service's store. | 177 // Looks for the domain bound cert for |domain| in this service's store. |
183 // Returns OK if it can be found synchronously, ERR_IO_PENDING if the | 178 // Returns OK if it can be found synchronously, ERR_IO_PENDING if the |
184 // result cannot be obtained synchronously, or a network error code on | 179 // result cannot be obtained synchronously, or a network error code on |
185 // failure (including failure to find a domain-bound cert of |domain|). | 180 // failure (including failure to find a domain-bound cert of |domain|). |
186 int LookupChannelID(const base::TimeTicks& request_start, | 181 int LookupChannelID(const base::TimeTicks& request_start, |
187 const std::string& domain, | 182 const std::string& domain, |
188 std::string* private_key, | 183 scoped_ptr<crypto::ECPrivateKey>* key, |
189 std::string* cert, | |
190 bool create_if_missing, | 184 bool create_if_missing, |
191 const CompletionCallback& callback, | 185 const CompletionCallback& callback, |
192 RequestHandle* out_req); | 186 RequestHandle* out_req); |
193 | 187 |
194 scoped_ptr<ChannelIDStore> channel_id_store_; | 188 scoped_ptr<ChannelIDStore> channel_id_store_; |
195 scoped_refptr<base::TaskRunner> task_runner_; | 189 scoped_refptr<base::TaskRunner> task_runner_; |
196 | 190 |
197 // inflight_ maps from a server to an active generation which is taking | 191 // inflight_ maps from a server to an active generation which is taking |
198 // place. | 192 // place. |
199 std::map<std::string, ChannelIDServiceJob*> inflight_; | 193 std::map<std::string, ChannelIDServiceJob*> inflight_; |
200 | 194 |
201 uint64 requests_; | 195 uint64 requests_; |
202 uint64 cert_store_hits_; | 196 uint64 key_store_hits_; |
203 uint64 inflight_joins_; | 197 uint64 inflight_joins_; |
204 uint64 workers_created_; | 198 uint64 workers_created_; |
205 | 199 |
206 bool is_system_time_valid_; | 200 bool is_system_time_valid_; |
207 | 201 |
208 base::WeakPtrFactory<ChannelIDService> weak_ptr_factory_; | 202 base::WeakPtrFactory<ChannelIDService> weak_ptr_factory_; |
209 | 203 |
210 DISALLOW_COPY_AND_ASSIGN(ChannelIDService); | 204 DISALLOW_COPY_AND_ASSIGN(ChannelIDService); |
211 }; | 205 }; |
212 | 206 |
207 // Exports the public and private keys from the provided crypto::ECPrivateKey | |
208 // |key| and writes them to |public_key| and |private_key|. If there's an error | |
209 // calling ExportEncryptedPrivateKey or ExportPublicKey on the ECPrivateKey, | |
210 // then this function returns ERR_PRIVATE_KEY_EXPORT_FAILED. Otherwise it | |
211 // returns OK. | |
212 // | |
213 // This function is only exposed here so that it can be used in unittests. | |
214 NET_EXPORT_PRIVATE int ExportKeypair(scoped_ptr<crypto::ECPrivateKey>& key, | |
Ryan Sleevi
2015/04/10 00:42:14
style: const-ref or pass as raw pointer
Ryan Sleevi
2015/04/10 00:42:14
naming: KeyPair
nharper
2015/04/25 02:59:18
Done.
nharper
2015/04/25 02:59:18
Done.
| |
215 std::string* public_key, | |
216 std::string* private_key); | |
Ryan Sleevi
2015/04/09 22:40:10
This is a little weird. Why isn't this part of the
nharper
2015/04/10 00:32:09
crypto::ECPrivateKey deals in std::vector<uint8> i
Ryan Sleevi
2015/04/10 00:42:14
We only need the two calls because of NSS, right?
nharper
2015/04/25 02:59:18
Yes, in a sane API (like openssl's) we'd only need
| |
217 | |
218 // This function is the opposite of ExportKeypair. It takes DER encoded public | |
219 // and private keys |public_key| and |private_key| and creates a | |
220 // crypto::ECPrivateKey. If there is an issue creating the crypto::ECPrivateKey, | |
221 // this function returns ERR_UNEXPECTED. Otherwise it returns OK. | |
222 // | |
223 // This function is only exposed here so that it can be used in unittests. | |
224 NET_EXPORT_PRIVATE int CreateECPrivateKeyFromSerializedKey( | |
225 const std::string& public_key, | |
226 const std::string& private_key, | |
227 scoped_ptr<crypto::ECPrivateKey>* key_out); | |
Ryan Sleevi
2015/04/09 22:40:10
Why does the API require the public key to create
nharper
2015/04/10 00:32:09
My opinion is that it shouldn't be needed, but the
Ryan Sleevi
2015/04/10 00:42:14
On the other hand, it encourages readers/API desig
nharper
2015/04/25 02:59:18
The format of the encrypted private_key is the sam
| |
213 } // namespace net | 228 } // namespace net |
214 | 229 |
215 #endif // NET_SSL_CHANNEL_ID_SERVICE_H_ | 230 #endif // NET_SSL_CHANNEL_ID_SERVICE_H_ |
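Review bot: The comments above GetOrCreateChannelID and GetChannelID (new lines 100-101 and 120-121) still describe |private_key| and |cert| out-parameters, which the new signatures replace with a single `scoped_ptr<crypto::ECPrivateKey>* key`. I would rewrite that paragraph as `// On successful completion, |*key| holds the ECDSA private key for |host|.` and add what |*key| contains when the call fails or returns ERR_IO_PENDING. Because the result can arrive through |callback|, the comment should presumably also state that |key| has to remain valid until the callback runs or the request is cancelled; the implementation is not on this page, so confirm that against the .cc file. The neighbouring wording "domain bound cert", `cert_count()` and `GetOrCreateDomainBoundCert` looks stale in the same way and could be brought in line with the key-based API.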