OLD | NEW |
---|---|
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/ssl/channel_id_service.h" | 5 #include "net/ssl/channel_id_service.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <limits> | 8 #include <limits> |
9 | 9 |
10 #include "base/bind.h" | 10 #include "base/bind.h" |
(...skipping 17 matching lines...) Expand all Loading... | |
28 #include "url/gurl.h" | 28 #include "url/gurl.h" |
29 | 29 |
30 #if !defined(USE_OPENSSL) | 30 #if !defined(USE_OPENSSL) |
31 #include <private/pprthred.h> // PR_DetachThread | 31 #include <private/pprthred.h> // PR_DetachThread |
32 #endif | 32 #endif |
33 | 33 |
34 namespace net { | 34 namespace net { |
35 | 35 |
36 namespace { | 36 namespace { |
37 | 37 |
38 const int kValidityPeriodInDays = 365; | |
39 // When we check the system time, we add this many days to the end of the check | |
40 // so the result will still hold even after chrome has been running for a | |
41 // while. | |
42 const int kSystemTimeValidityBufferInDays = 90; | |
43 | |
44 // Used by the GetDomainBoundCertResult histogram to record the final | 38 // Used by the GetDomainBoundCertResult histogram to record the final |
45 // outcome of each GetChannelID or GetOrCreateChannelID call. | 39 // outcome of each GetChannelID or GetOrCreateChannelID call. |
46 // Do not re-use values. | 40 // Do not re-use values. |
47 enum GetChannelIDResult { | 41 enum GetChannelIDResult { |
48 // Synchronously found and returned an existing domain bound cert. | 42 // Synchronously found and returned an existing domain bound cert. |
49 SYNC_SUCCESS = 0, | 43 SYNC_SUCCESS = 0, |
50 // Retrieved or generated and returned a domain bound cert asynchronously. | 44 // Retrieved or generated and returned a domain bound cert asynchronously. |
51 ASYNC_SUCCESS = 1, | 45 ASYNC_SUCCESS = 1, |
52 // Retrieval/generation request was cancelled before the cert generation | 46 // Retrieval/generation request was cancelled before the cert generation |
53 // completed. | 47 // completed. |
54 ASYNC_CANCELLED = 2, | 48 ASYNC_CANCELLED = 2, |
55 // Cert generation failed. | 49 // Cert generation failed. |
56 ASYNC_FAILURE_KEYGEN = 3, | 50 ASYNC_FAILURE_KEYGEN = 3, |
57 ASYNC_FAILURE_CREATE_CERT = 4, | 51 // Result code 4 was removed (ASYNC_FAILURE_CREATE_CERT) |
58 ASYNC_FAILURE_EXPORT_KEY = 5, | 52 ASYNC_FAILURE_EXPORT_KEY = 5, |
59 ASYNC_FAILURE_UNKNOWN = 6, | 53 ASYNC_FAILURE_UNKNOWN = 6, |
60 // GetChannelID or GetOrCreateChannelID was called with | 54 // GetChannelID or GetOrCreateChannelID was called with |
61 // invalid arguments. | 55 // invalid arguments. |
62 INVALID_ARGUMENT = 7, | 56 INVALID_ARGUMENT = 7, |
63 // We don't support any of the cert types the server requested. | 57 // We don't support any of the cert types the server requested. |
64 UNSUPPORTED_TYPE = 8, | 58 UNSUPPORTED_TYPE = 8, |
65 // Server asked for a different type of certs while we were generating one. | 59 // Server asked for a different type of certs while we were generating one. |
66 TYPE_MISMATCH = 9, | 60 TYPE_MISMATCH = 9, |
67 // Couldn't start a worker to generate a cert. | 61 // Couldn't start a worker to generate a cert. |
(...skipping 13 matching lines...) Expand all Loading... | |
81 base::TimeDelta::FromMinutes(5), | 75 base::TimeDelta::FromMinutes(5), |
82 50); | 76 50); |
83 } | 77 } |
84 | 78 |
85 // On success, returns a ChannelID object and sets |*error| to OK. | 79 // On success, returns a ChannelID object and sets |*error| to OK. |
86 // Otherwise, returns NULL, and |*error| will be set to a net error code. | 80 // Otherwise, returns NULL, and |*error| will be set to a net error code. |
87 // |serial_number| is passed in because base::RandInt cannot be called from an | 81 // |serial_number| is passed in because base::RandInt cannot be called from an |
88 // unjoined thread, due to relying on a non-leaked LazyInstance | 82 // unjoined thread, due to relying on a non-leaked LazyInstance |
89 scoped_ptr<ChannelIDStore::ChannelID> GenerateChannelID( | 83 scoped_ptr<ChannelIDStore::ChannelID> GenerateChannelID( |
90 const std::string& server_identifier, | 84 const std::string& server_identifier, |
91 uint32 serial_number, | |
92 int* error) { | 85 int* error) { |
93 scoped_ptr<ChannelIDStore::ChannelID> result; | 86 scoped_ptr<ChannelIDStore::ChannelID> result; |
94 | 87 |
95 base::TimeTicks start = base::TimeTicks::Now(); | 88 base::TimeTicks start = base::TimeTicks::Now(); |
96 base::Time not_valid_before = base::Time::Now(); | 89 base::Time not_valid_before = base::Time::Now(); |
97 base::Time not_valid_after = | 90 scoped_ptr<crypto::ECPrivateKey> key(crypto::ECPrivateKey::Create()); |
98 not_valid_before + base::TimeDelta::FromDays(kValidityPeriodInDays); | 91 |
99 std::string der_cert; | 92 if (!key) { |
100 std::vector<uint8> private_key_info; | 93 DLOG(ERROR) << "Unable to create channel ID key pair"; |
101 scoped_ptr<crypto::ECPrivateKey> key; | 94 *error = ERR_KEY_GENERATION_FAILED; |
102 if (!x509_util::CreateKeyAndChannelIDEC(server_identifier, | |
103 serial_number, | |
104 not_valid_before, | |
105 not_valid_after, | |
106 &key, | |
107 &der_cert)) { | |
108 DLOG(ERROR) << "Unable to create x509 cert for client"; | |
109 *error = ERR_ORIGIN_BOUND_CERT_GENERATION_FAILED; | |
110 return result.Pass(); | 95 return result.Pass(); |
111 } | 96 } |
112 | 97 |
113 if (!key->ExportEncryptedPrivateKey(ChannelIDService::kEPKIPassword, | 98 result.reset(new ChannelIDStore::ChannelID(server_identifier, |
114 1, &private_key_info)) { | 99 not_valid_before, key.get())); |
Ryan Sleevi
2015/05/08 23:43:13
Should this be renamed to |creation_date|?
nharper
2015/05/11 21:26:44
Renamed to creation_time.
| |
115 DLOG(ERROR) << "Unable to export private key"; | |
116 *error = ERR_PRIVATE_KEY_EXPORT_FAILED; | |
117 return result.Pass(); | |
118 } | |
119 | |
120 // TODO(rkn): Perhaps ExportPrivateKey should be changed to output a | |
121 // std::string* to prevent this copying. | |
122 std::string key_out(private_key_info.begin(), private_key_info.end()); | |
123 | |
124 result.reset(new ChannelIDStore::ChannelID( | |
125 server_identifier, | |
126 not_valid_before, | |
127 not_valid_after, | |
128 key_out, | |
129 der_cert)); | |
130 UMA_HISTOGRAM_CUSTOM_TIMES("DomainBoundCerts.GenerateCertTime", | 100 UMA_HISTOGRAM_CUSTOM_TIMES("DomainBoundCerts.GenerateCertTime", |
131 base::TimeTicks::Now() - start, | 101 base::TimeTicks::Now() - start, |
132 base::TimeDelta::FromMilliseconds(1), | 102 base::TimeDelta::FromMilliseconds(1), |
133 base::TimeDelta::FromMinutes(5), | 103 base::TimeDelta::FromMinutes(5), |
134 50); | 104 50); |
135 *error = OK; | 105 *error = OK; |
136 return result.Pass(); | 106 return result.Pass(); |
137 } | 107 } |
138 | 108 |
139 } // namespace | 109 } // namespace |
140 | 110 |
141 // Represents the output and result callback of a request. | 111 // Represents the output and result callback of a request. |
142 class ChannelIDServiceRequest { | 112 class ChannelIDServiceRequest { |
143 public: | 113 public: |
144 ChannelIDServiceRequest(base::TimeTicks request_start, | 114 ChannelIDServiceRequest(base::TimeTicks request_start, |
145 const CompletionCallback& callback, | 115 const CompletionCallback& callback, |
146 std::string* private_key, | 116 scoped_ptr<crypto::ECPrivateKey>* key) |
147 std::string* cert) | 117 : request_start_(request_start), callback_(callback), key_(key) {} |
148 : request_start_(request_start), | |
149 callback_(callback), | |
150 private_key_(private_key), | |
151 cert_(cert) { | |
152 } | |
153 | 118 |
154 // Ensures that the result callback will never be made. | 119 // Ensures that the result callback will never be made. |
155 void Cancel() { | 120 void Cancel() { |
156 RecordGetChannelIDResult(ASYNC_CANCELLED); | 121 RecordGetChannelIDResult(ASYNC_CANCELLED); |
157 callback_.Reset(); | 122 callback_.Reset(); |
158 private_key_ = NULL; | 123 key_->reset(); |
Ryan Sleevi
2015/05/08 23:43:13
Why is this explicitly necessary? Shouldn't the dt
nharper
2015/05/11 21:26:44
I don't know why it would be necessary - I only pu
| |
159 cert_ = NULL; | |
160 } | 124 } |
161 | 125 |
162 // Copies the contents of |private_key| and |cert| to the caller's output | 126 // Copies the contents of |key| to the caller's output argument and calls the |
163 // arguments and calls the callback. | 127 // callback. |
164 void Post(int error, | 128 void Post(int error, crypto::ECPrivateKey* key) { |
165 const std::string& private_key, | |
166 const std::string& cert) { | |
167 switch (error) { | 129 switch (error) { |
168 case OK: { | 130 case OK: { |
169 base::TimeDelta request_time = base::TimeTicks::Now() - request_start_; | 131 base::TimeDelta request_time = base::TimeTicks::Now() - request_start_; |
170 UMA_HISTOGRAM_CUSTOM_TIMES("DomainBoundCerts.GetCertTimeAsync", | 132 UMA_HISTOGRAM_CUSTOM_TIMES("DomainBoundCerts.GetCertTimeAsync", |
171 request_time, | 133 request_time, |
172 base::TimeDelta::FromMilliseconds(1), | 134 base::TimeDelta::FromMilliseconds(1), |
173 base::TimeDelta::FromMinutes(5), | 135 base::TimeDelta::FromMinutes(5), |
174 50); | 136 50); |
175 RecordGetChannelIDTime(request_time); | 137 RecordGetChannelIDTime(request_time); |
176 RecordGetChannelIDResult(ASYNC_SUCCESS); | 138 RecordGetChannelIDResult(ASYNC_SUCCESS); |
177 break; | 139 break; |
178 } | 140 } |
179 case ERR_KEY_GENERATION_FAILED: | 141 case ERR_KEY_GENERATION_FAILED: |
180 RecordGetChannelIDResult(ASYNC_FAILURE_KEYGEN); | 142 RecordGetChannelIDResult(ASYNC_FAILURE_KEYGEN); |
181 break; | 143 break; |
182 case ERR_ORIGIN_BOUND_CERT_GENERATION_FAILED: | |
183 RecordGetChannelIDResult(ASYNC_FAILURE_CREATE_CERT); | |
184 break; | |
185 case ERR_PRIVATE_KEY_EXPORT_FAILED: | 144 case ERR_PRIVATE_KEY_EXPORT_FAILED: |
186 RecordGetChannelIDResult(ASYNC_FAILURE_EXPORT_KEY); | 145 RecordGetChannelIDResult(ASYNC_FAILURE_EXPORT_KEY); |
187 break; | 146 break; |
188 case ERR_INSUFFICIENT_RESOURCES: | 147 case ERR_INSUFFICIENT_RESOURCES: |
189 RecordGetChannelIDResult(WORKER_FAILURE); | 148 RecordGetChannelIDResult(WORKER_FAILURE); |
190 break; | 149 break; |
191 default: | 150 default: |
192 RecordGetChannelIDResult(ASYNC_FAILURE_UNKNOWN); | 151 RecordGetChannelIDResult(ASYNC_FAILURE_UNKNOWN); |
193 break; | 152 break; |
194 } | 153 } |
195 if (!callback_.is_null()) { | 154 if (!callback_.is_null()) { |
196 *private_key_ = private_key; | 155 if (key) |
197 *cert_ = cert; | 156 key_->reset(key->Copy()); |
198 callback_.Run(error); | 157 callback_.Run(error); |
199 } | 158 } |
200 delete this; | 159 delete this; |
201 } | 160 } |
202 | 161 |
203 bool canceled() const { return callback_.is_null(); } | 162 bool canceled() const { return callback_.is_null(); } |
204 | 163 |
205 private: | 164 private: |
206 base::TimeTicks request_start_; | 165 base::TimeTicks request_start_; |
207 CompletionCallback callback_; | 166 CompletionCallback callback_; |
208 std::string* private_key_; | 167 scoped_ptr<crypto::ECPrivateKey>* key_; |
209 std::string* cert_; | |
210 }; | 168 }; |
211 | 169 |
212 // ChannelIDServiceWorker runs on a worker thread and takes care of the | 170 // ChannelIDServiceWorker runs on a worker thread and takes care of the |
213 // blocking process of performing key generation. Will take care of deleting | 171 // blocking process of performing key generation. Will take care of deleting |
214 // itself once Start() is called. | 172 // itself once Start() is called. |
215 class ChannelIDServiceWorker { | 173 class ChannelIDServiceWorker { |
216 public: | 174 public: |
217 typedef base::Callback<void( | 175 typedef base::Callback<void( |
218 const std::string&, | 176 const std::string&, |
219 int, | 177 int, |
220 scoped_ptr<ChannelIDStore::ChannelID>)> WorkerDoneCallback; | 178 scoped_ptr<ChannelIDStore::ChannelID>)> WorkerDoneCallback; |
221 | 179 |
222 ChannelIDServiceWorker( | 180 ChannelIDServiceWorker( |
223 const std::string& server_identifier, | 181 const std::string& server_identifier, |
224 const WorkerDoneCallback& callback) | 182 const WorkerDoneCallback& callback) |
225 : server_identifier_(server_identifier), | 183 : server_identifier_(server_identifier), |
226 serial_number_(base::RandInt(0, std::numeric_limits<int>::max())), | |
227 origin_loop_(base::MessageLoopProxy::current()), | 184 origin_loop_(base::MessageLoopProxy::current()), |
228 callback_(callback) { | 185 callback_(callback) { |
229 } | 186 } |
230 | 187 |
231 // Starts the worker on |task_runner|. If the worker fails to start, such as | 188 // Starts the worker on |task_runner|. If the worker fails to start, such as |
232 // if the task runner is shutting down, then it will take care of deleting | 189 // if the task runner is shutting down, then it will take care of deleting |
233 // itself. | 190 // itself. |
234 bool Start(const scoped_refptr<base::TaskRunner>& task_runner) { | 191 bool Start(const scoped_refptr<base::TaskRunner>& task_runner) { |
235 DCHECK(origin_loop_->RunsTasksOnCurrentThread()); | 192 DCHECK(origin_loop_->RunsTasksOnCurrentThread()); |
236 | 193 |
237 return task_runner->PostTask( | 194 return task_runner->PostTask( |
238 FROM_HERE, | 195 FROM_HERE, |
239 base::Bind(&ChannelIDServiceWorker::Run, base::Owned(this))); | 196 base::Bind(&ChannelIDServiceWorker::Run, base::Owned(this))); |
240 } | 197 } |
241 | 198 |
242 private: | 199 private: |
243 void Run() { | 200 void Run() { |
244 // Runs on a worker thread. | 201 // Runs on a worker thread. |
245 int error = ERR_FAILED; | 202 int error = ERR_FAILED; |
246 scoped_ptr<ChannelIDStore::ChannelID> cert = | 203 scoped_ptr<ChannelIDStore::ChannelID> cert = |
Ryan Sleevi
2015/05/08 23:43:13
This variable name is no longer correct, is it?
nharper
2015/05/11 21:26:44
Done.
| |
247 GenerateChannelID(server_identifier_, serial_number_, &error); | 204 GenerateChannelID(server_identifier_, &error); |
248 DVLOG(1) << "GenerateCert " << server_identifier_ << " returned " << error; | 205 DVLOG(1) << "GenerateCert " << server_identifier_ << " returned " << error; |
Ryan Sleevi
2015/05/08 23:43:13
That looks wonky :)
Just delete the DVLOG IMO
nharper
2015/05/11 21:26:44
Done.
| |
249 #if !defined(USE_OPENSSL) | 206 #if !defined(USE_OPENSSL) |
250 // Detach the thread from NSPR. | 207 // Detach the thread from NSPR. |
251 // Calling NSS functions attaches the thread to NSPR, which stores | 208 // Calling NSS functions attaches the thread to NSPR, which stores |
252 // the NSPR thread ID in thread-specific data. | 209 // the NSPR thread ID in thread-specific data. |
253 // The threads in our thread pool terminate after we have called | 210 // The threads in our thread pool terminate after we have called |
254 // PR_Cleanup. Unless we detach them from NSPR, net_unittests gets | 211 // PR_Cleanup. Unless we detach them from NSPR, net_unittests gets |
255 // segfaults on shutdown when the threads' thread-specific data | 212 // segfaults on shutdown when the threads' thread-specific data |
256 // destructors run. | 213 // destructors run. |
257 PR_DetachThread(); | 214 PR_DetachThread(); |
258 #endif | 215 #endif |
259 origin_loop_->PostTask(FROM_HERE, | 216 origin_loop_->PostTask(FROM_HERE, |
260 base::Bind(callback_, server_identifier_, error, | 217 base::Bind(callback_, server_identifier_, error, |
261 base::Passed(&cert))); | 218 base::Passed(&cert))); |
262 } | 219 } |
263 | 220 |
264 const std::string server_identifier_; | 221 const std::string server_identifier_; |
265 // Note that serial_number_ must be initialized on a non-worker thread | |
266 // (see documentation for GenerateCert). | |
267 uint32 serial_number_; | |
268 scoped_refptr<base::SequencedTaskRunner> origin_loop_; | 222 scoped_refptr<base::SequencedTaskRunner> origin_loop_; |
269 WorkerDoneCallback callback_; | 223 WorkerDoneCallback callback_; |
270 | 224 |
271 DISALLOW_COPY_AND_ASSIGN(ChannelIDServiceWorker); | 225 DISALLOW_COPY_AND_ASSIGN(ChannelIDServiceWorker); |
272 }; | 226 }; |
273 | 227 |
274 // A ChannelIDServiceJob is a one-to-one counterpart of an | 228 // A ChannelIDServiceJob is a one-to-one counterpart of an |
275 // ChannelIDServiceWorker. It lives only on the ChannelIDService's | 229 // ChannelIDServiceWorker. It lives only on the ChannelIDService's |
276 // origin message loop. | 230 // origin message loop. |
277 class ChannelIDServiceJob { | 231 class ChannelIDServiceJob { |
278 public: | 232 public: |
279 ChannelIDServiceJob(bool create_if_missing) | 233 ChannelIDServiceJob(bool create_if_missing) |
280 : create_if_missing_(create_if_missing) { | 234 : create_if_missing_(create_if_missing) { |
281 } | 235 } |
282 | 236 |
283 ~ChannelIDServiceJob() { | 237 ~ChannelIDServiceJob() { |
284 if (!requests_.empty()) | 238 if (!requests_.empty()) |
285 DeleteAllCanceled(); | 239 DeleteAllCanceled(); |
286 } | 240 } |
287 | 241 |
288 void AddRequest(ChannelIDServiceRequest* request, | 242 void AddRequest(ChannelIDServiceRequest* request, |
289 bool create_if_missing = false) { | 243 bool create_if_missing = false) { |
290 create_if_missing_ |= create_if_missing; | 244 create_if_missing_ |= create_if_missing; |
291 requests_.push_back(request); | 245 requests_.push_back(request); |
292 } | 246 } |
293 | 247 |
294 void HandleResult(int error, | 248 void HandleResult(int error, crypto::ECPrivateKey* key) { |
295 const std::string& private_key, | 249 PostAll(error, key); |
296 const std::string& cert) { | |
297 PostAll(error, private_key, cert); | |
298 } | 250 } |
299 | 251 |
300 bool CreateIfMissing() const { return create_if_missing_; } | 252 bool CreateIfMissing() const { return create_if_missing_; } |
301 | 253 |
302 private: | 254 private: |
303 void PostAll(int error, | 255 void PostAll(int error, crypto::ECPrivateKey* key) { |
304 const std::string& private_key, | |
305 const std::string& cert) { | |
306 std::vector<ChannelIDServiceRequest*> requests; | 256 std::vector<ChannelIDServiceRequest*> requests; |
307 requests_.swap(requests); | 257 requests_.swap(requests); |
308 | 258 |
309 for (std::vector<ChannelIDServiceRequest*>::iterator | 259 for (std::vector<ChannelIDServiceRequest*>::iterator |
310 i = requests.begin(); i != requests.end(); i++) { | 260 i = requests.begin(); i != requests.end(); i++) { |
311 (*i)->Post(error, private_key, cert); | 261 (*i)->Post(error, key); |
312 // Post() causes the ChannelIDServiceRequest to delete itself. | 262 // Post() causes the ChannelIDServiceRequest to delete itself. |
313 } | 263 } |
314 } | 264 } |
315 | 265 |
316 void DeleteAllCanceled() { | 266 void DeleteAllCanceled() { |
317 for (std::vector<ChannelIDServiceRequest*>::iterator | 267 for (std::vector<ChannelIDServiceRequest*>::iterator |
318 i = requests_.begin(); i != requests_.end(); i++) { | 268 i = requests_.begin(); i != requests_.end(); i++) { |
319 if ((*i)->canceled()) { | 269 if ((*i)->canceled()) { |
320 delete *i; | 270 delete *i; |
321 } else { | 271 } else { |
(...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
363 // members afterwards. Reset callback_ first. | 313 // members afterwards. Reset callback_ first. |
364 base::ResetAndReturn(&callback_).Run(result); | 314 base::ResetAndReturn(&callback_).Run(result); |
365 } | 315 } |
366 | 316 |
367 ChannelIDService::ChannelIDService( | 317 ChannelIDService::ChannelIDService( |
368 ChannelIDStore* channel_id_store, | 318 ChannelIDStore* channel_id_store, |
369 const scoped_refptr<base::TaskRunner>& task_runner) | 319 const scoped_refptr<base::TaskRunner>& task_runner) |
370 : channel_id_store_(channel_id_store), | 320 : channel_id_store_(channel_id_store), |
371 task_runner_(task_runner), | 321 task_runner_(task_runner), |
372 requests_(0), | 322 requests_(0), |
373 cert_store_hits_(0), | 323 key_store_hits_(0), |
374 inflight_joins_(0), | 324 inflight_joins_(0), |
375 workers_created_(0), | 325 workers_created_(0), |
376 weak_ptr_factory_(this) { | 326 weak_ptr_factory_(this) { |
377 base::Time start = base::Time::Now(); | |
378 base::Time end = start + base::TimeDelta::FromDays( | |
379 kValidityPeriodInDays + kSystemTimeValidityBufferInDays); | |
380 is_system_time_valid_ = x509_util::IsSupportedValidityRange(start, end); | |
381 } | 327 } |
382 | 328 |
383 ChannelIDService::~ChannelIDService() { | 329 ChannelIDService::~ChannelIDService() { |
384 STLDeleteValues(&inflight_); | 330 STLDeleteValues(&inflight_); |
385 } | 331 } |
386 | 332 |
387 //static | 333 //static |
388 std::string ChannelIDService::GetDomainForHost(const std::string& host) { | 334 std::string ChannelIDService::GetDomainForHost(const std::string& host) { |
389 std::string domain = | 335 std::string domain = |
390 registry_controlled_domains::GetDomainAndRegistry( | 336 registry_controlled_domains::GetDomainAndRegistry( |
391 host, registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES); | 337 host, registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES); |
392 if (domain.empty()) | 338 if (domain.empty()) |
393 return host; | 339 return host; |
394 return domain; | 340 return domain; |
395 } | 341 } |
396 | 342 |
397 int ChannelIDService::GetOrCreateChannelID( | 343 int ChannelIDService::GetOrCreateChannelID( |
398 const std::string& host, | 344 const std::string& host, |
399 std::string* private_key, | 345 scoped_ptr<crypto::ECPrivateKey>* key, |
400 std::string* cert, | |
401 const CompletionCallback& callback, | 346 const CompletionCallback& callback, |
402 RequestHandle* out_req) { | 347 RequestHandle* out_req) { |
403 DVLOG(1) << __FUNCTION__ << " " << host; | 348 DVLOG(1) << __FUNCTION__ << " " << host; |
404 DCHECK(CalledOnValidThread()); | 349 DCHECK(CalledOnValidThread()); |
405 base::TimeTicks request_start = base::TimeTicks::Now(); | 350 base::TimeTicks request_start = base::TimeTicks::Now(); |
406 | 351 |
407 if (callback.is_null() || !private_key || !cert || host.empty()) { | 352 if (callback.is_null() || !key || host.empty()) { |
408 RecordGetChannelIDResult(INVALID_ARGUMENT); | 353 RecordGetChannelIDResult(INVALID_ARGUMENT); |
409 return ERR_INVALID_ARGUMENT; | 354 return ERR_INVALID_ARGUMENT; |
410 } | 355 } |
411 | 356 |
412 std::string domain = GetDomainForHost(host); | 357 std::string domain = GetDomainForHost(host); |
413 if (domain.empty()) { | 358 if (domain.empty()) { |
414 RecordGetChannelIDResult(INVALID_ARGUMENT); | 359 RecordGetChannelIDResult(INVALID_ARGUMENT); |
415 return ERR_INVALID_ARGUMENT; | 360 return ERR_INVALID_ARGUMENT; |
416 } | 361 } |
417 | 362 |
418 requests_++; | 363 requests_++; |
419 | 364 |
420 // See if a request for the same domain is currently in flight. | 365 // See if a request for the same domain is currently in flight. |
421 bool create_if_missing = true; | 366 bool create_if_missing = true; |
422 if (JoinToInFlightRequest(request_start, domain, private_key, cert, | 367 if (JoinToInFlightRequest(request_start, domain, key, create_if_missing, |
423 create_if_missing, callback, out_req)) { | 368 callback, out_req)) { |
424 return ERR_IO_PENDING; | 369 return ERR_IO_PENDING; |
425 } | 370 } |
426 | 371 |
427 int err = LookupChannelID(request_start, domain, private_key, cert, | 372 int err = LookupChannelID(request_start, domain, key, create_if_missing, |
428 create_if_missing, callback, out_req); | 373 callback, out_req); |
429 if (err == ERR_FILE_NOT_FOUND) { | 374 if (err == ERR_FILE_NOT_FOUND) { |
430 // Sync lookup did not find a valid cert. Start generating a new one. | 375 // Sync lookup did not find a valid cert. Start generating a new one. |
431 workers_created_++; | 376 workers_created_++; |
432 ChannelIDServiceWorker* worker = new ChannelIDServiceWorker( | 377 ChannelIDServiceWorker* worker = new ChannelIDServiceWorker( |
433 domain, | 378 domain, |
434 base::Bind(&ChannelIDService::GeneratedChannelID, | 379 base::Bind(&ChannelIDService::GeneratedChannelID, |
435 weak_ptr_factory_.GetWeakPtr())); | 380 weak_ptr_factory_.GetWeakPtr())); |
436 if (!worker->Start(task_runner_)) { | 381 if (!worker->Start(task_runner_)) { |
437 // TODO(rkn): Log to the NetLog. | 382 // TODO(rkn): Log to the NetLog. |
438 LOG(ERROR) << "ChannelIDServiceWorker couldn't be started."; | 383 LOG(ERROR) << "ChannelIDServiceWorker couldn't be started."; |
439 RecordGetChannelIDResult(WORKER_FAILURE); | 384 RecordGetChannelIDResult(WORKER_FAILURE); |
440 return ERR_INSUFFICIENT_RESOURCES; | 385 return ERR_INSUFFICIENT_RESOURCES; |
441 } | 386 } |
442 // We are waiting for cert generation. Create a job & request to track it. | 387 // We are waiting for cert generation. Create a job & request to track it. |
443 ChannelIDServiceJob* job = new ChannelIDServiceJob(create_if_missing); | 388 ChannelIDServiceJob* job = new ChannelIDServiceJob(create_if_missing); |
444 inflight_[domain] = job; | 389 inflight_[domain] = job; |
445 | 390 |
446 ChannelIDServiceRequest* request = new ChannelIDServiceRequest( | 391 ChannelIDServiceRequest* request = new ChannelIDServiceRequest( |
447 request_start, | 392 request_start, base::Bind(&RequestHandle::OnRequestComplete, |
448 base::Bind(&RequestHandle::OnRequestComplete, | 393 base::Unretained(out_req)), |
449 base::Unretained(out_req)), | 394 key); |
450 private_key, | |
451 cert); | |
452 job->AddRequest(request); | 395 job->AddRequest(request); |
453 out_req->RequestStarted(this, request, callback); | 396 out_req->RequestStarted(this, request, callback); |
454 return ERR_IO_PENDING; | 397 return ERR_IO_PENDING; |
455 } | 398 } |
456 | 399 |
457 return err; | 400 return err; |
458 } | 401 } |
459 | 402 |
460 int ChannelIDService::GetChannelID( | 403 int ChannelIDService::GetChannelID(const std::string& host, |
461 const std::string& host, | 404 scoped_ptr<crypto::ECPrivateKey>* key, |
462 std::string* private_key, | 405 const CompletionCallback& callback, |
463 std::string* cert, | 406 RequestHandle* out_req) { |
464 const CompletionCallback& callback, | |
465 RequestHandle* out_req) { | |
466 DVLOG(1) << __FUNCTION__ << " " << host; | 407 DVLOG(1) << __FUNCTION__ << " " << host; |
467 DCHECK(CalledOnValidThread()); | 408 DCHECK(CalledOnValidThread()); |
468 base::TimeTicks request_start = base::TimeTicks::Now(); | 409 base::TimeTicks request_start = base::TimeTicks::Now(); |
469 | 410 |
470 if (callback.is_null() || !private_key || !cert || host.empty()) { | 411 if (callback.is_null() || !key || host.empty()) { |
471 RecordGetChannelIDResult(INVALID_ARGUMENT); | 412 RecordGetChannelIDResult(INVALID_ARGUMENT); |
472 return ERR_INVALID_ARGUMENT; | 413 return ERR_INVALID_ARGUMENT; |
473 } | 414 } |
474 | 415 |
475 std::string domain = GetDomainForHost(host); | 416 std::string domain = GetDomainForHost(host); |
476 if (domain.empty()) { | 417 if (domain.empty()) { |
477 RecordGetChannelIDResult(INVALID_ARGUMENT); | 418 RecordGetChannelIDResult(INVALID_ARGUMENT); |
478 return ERR_INVALID_ARGUMENT; | 419 return ERR_INVALID_ARGUMENT; |
479 } | 420 } |
480 | 421 |
481 requests_++; | 422 requests_++; |
482 | 423 |
483 // See if a request for the same domain currently in flight. | 424 // See if a request for the same domain currently in flight. |
484 bool create_if_missing = false; | 425 bool create_if_missing = false; |
485 if (JoinToInFlightRequest(request_start, domain, private_key, cert, | 426 if (JoinToInFlightRequest(request_start, domain, key, create_if_missing, |
486 create_if_missing, callback, out_req)) { | 427 callback, out_req)) { |
487 return ERR_IO_PENDING; | 428 return ERR_IO_PENDING; |
488 } | 429 } |
489 | 430 |
490 int err = LookupChannelID(request_start, domain, private_key, cert, | 431 int err = LookupChannelID(request_start, domain, key, create_if_missing, |
491 create_if_missing, callback, out_req); | 432 callback, out_req); |
492 return err; | 433 return err; |
493 } | 434 } |
494 | 435 |
495 void ChannelIDService::GotChannelID( | 436 void ChannelIDService::GotChannelID( |
496 int err, | 437 int err, |
497 const std::string& server_identifier, | 438 const std::string& server_identifier, |
498 base::Time expiration_time, | 439 const scoped_ptr<crypto::ECPrivateKey> key) { |
499 const std::string& key, | |
500 const std::string& cert) { | |
501 DCHECK(CalledOnValidThread()); | 440 DCHECK(CalledOnValidThread()); |
502 | 441 |
503 std::map<std::string, ChannelIDServiceJob*>::iterator j; | 442 std::map<std::string, ChannelIDServiceJob*>::iterator j; |
504 j = inflight_.find(server_identifier); | 443 j = inflight_.find(server_identifier); |
505 if (j == inflight_.end()) { | 444 if (j == inflight_.end()) { |
506 NOTREACHED(); | 445 NOTREACHED(); |
507 return; | 446 return; |
508 } | 447 } |
509 | 448 |
510 if (err == OK) { | 449 if (err == OK) { |
511 // Async DB lookup found a valid cert. | 450 // Async DB lookup found a valid cert. |
512 DVLOG(1) << "Cert store had valid cert for " << server_identifier; | 451 DVLOG(1) << "Cert store had valid key for " << server_identifier; |
Ryan Sleevi
2015/05/08 23:43:14
Can nuke this as well
nharper
2015/05/11 21:26:44
Done.
| |
513 cert_store_hits_++; | 452 key_store_hits_++; |
514 // ChannelIDServiceRequest::Post will do the histograms and stuff. | 453 // ChannelIDServiceRequest::Post will do the histograms and stuff. |
515 HandleResult(OK, server_identifier, key, cert); | 454 HandleResult(OK, server_identifier, key.get()); |
516 return; | 455 return; |
517 } | 456 } |
518 // Async lookup failed or the certificate was missing. Return the error | 457 // Async lookup failed or the certificate was missing. Return the error |
519 // directly, unless the certificate was missing and a request asked to create | 458 // directly, unless the certificate was missing and a request asked to create |
520 // one. | 459 // one. |
521 if (err != ERR_FILE_NOT_FOUND || !j->second->CreateIfMissing()) { | 460 if (err != ERR_FILE_NOT_FOUND || !j->second->CreateIfMissing()) { |
522 HandleResult(err, server_identifier, key, cert); | 461 HandleResult(err, server_identifier, key.get()); |
523 return; | 462 return; |
524 } | 463 } |
525 // At least one request asked to create a cert => start generating a new one. | 464 // At least one request asked to create a cert => start generating a new one. |
526 workers_created_++; | 465 workers_created_++; |
527 ChannelIDServiceWorker* worker = new ChannelIDServiceWorker( | 466 ChannelIDServiceWorker* worker = new ChannelIDServiceWorker( |
528 server_identifier, | 467 server_identifier, |
529 base::Bind(&ChannelIDService::GeneratedChannelID, | 468 base::Bind(&ChannelIDService::GeneratedChannelID, |
530 weak_ptr_factory_.GetWeakPtr())); | 469 weak_ptr_factory_.GetWeakPtr())); |
531 if (!worker->Start(task_runner_)) { | 470 if (!worker->Start(task_runner_)) { |
532 // TODO(rkn): Log to the NetLog. | 471 // TODO(rkn): Log to the NetLog. |
533 LOG(ERROR) << "ChannelIDServiceWorker couldn't be started."; | 472 LOG(ERROR) << "ChannelIDServiceWorker couldn't be started."; |
534 HandleResult(ERR_INSUFFICIENT_RESOURCES, | 473 HandleResult(ERR_INSUFFICIENT_RESOURCES, server_identifier, nullptr); |
535 server_identifier, | |
536 std::string(), | |
537 std::string()); | |
538 } | 474 } |
539 } | 475 } |
540 | 476 |
541 ChannelIDStore* ChannelIDService::GetChannelIDStore() { | 477 ChannelIDStore* ChannelIDService::GetChannelIDStore() { |
542 return channel_id_store_.get(); | 478 return channel_id_store_.get(); |
543 } | 479 } |
544 | 480 |
545 void ChannelIDService::CancelRequest(ChannelIDServiceRequest* req) { | 481 void ChannelIDService::CancelRequest(ChannelIDServiceRequest* req) { |
546 DCHECK(CalledOnValidThread()); | 482 DCHECK(CalledOnValidThread()); |
547 req->Cancel(); | 483 req->Cancel(); |
548 } | 484 } |
549 | 485 |
550 void ChannelIDService::GeneratedChannelID( | 486 void ChannelIDService::GeneratedChannelID( |
551 const std::string& server_identifier, | 487 const std::string& server_identifier, |
552 int error, | 488 int error, |
553 scoped_ptr<ChannelIDStore::ChannelID> cert) { | 489 scoped_ptr<ChannelIDStore::ChannelID> channel_id) { |
554 DCHECK(CalledOnValidThread()); | 490 DCHECK(CalledOnValidThread()); |
555 | 491 |
556 if (error == OK) { | 492 if (error == OK) { |
557 // TODO(mattm): we should just Pass() the cert object to | 493 scoped_ptr<crypto::ECPrivateKey> key(channel_id->key()->Copy()); |
558 // SetChannelID(). | 494 channel_id_store_->SetChannelID(channel_id.Pass()); |
559 channel_id_store_->SetChannelID( | |
560 cert->server_identifier(), | |
561 cert->creation_time(), | |
562 cert->expiration_time(), | |
563 cert->private_key(), | |
564 cert->cert()); | |
565 | 495 |
566 HandleResult(error, server_identifier, cert->private_key(), cert->cert()); | 496 HandleResult(error, server_identifier, key.get()); |
567 } else { | 497 } else { |
568 HandleResult(error, server_identifier, std::string(), std::string()); | 498 HandleResult(error, server_identifier, nullptr); |
569 } | 499 } |
570 } | 500 } |
571 | 501 |
572 void ChannelIDService::HandleResult( | 502 void ChannelIDService::HandleResult(int error, |
573 int error, | 503 const std::string& server_identifier, |
574 const std::string& server_identifier, | 504 crypto::ECPrivateKey* key) { |
Ryan Sleevi
2015/05/08 23:43:13
Is there any risk of |key| being invalidated? Woul
nharper
2015/05/11 21:26:44
I'm not concerned about |key| being invalidated. H
| |
575 const std::string& private_key, | |
576 const std::string& cert) { | |
577 DCHECK(CalledOnValidThread()); | 505 DCHECK(CalledOnValidThread()); |
578 | 506 |
579 std::map<std::string, ChannelIDServiceJob*>::iterator j; | 507 std::map<std::string, ChannelIDServiceJob*>::iterator j; |
580 j = inflight_.find(server_identifier); | 508 j = inflight_.find(server_identifier); |
581 if (j == inflight_.end()) { | 509 if (j == inflight_.end()) { |
582 NOTREACHED(); | 510 NOTREACHED(); |
583 return; | 511 return; |
584 } | 512 } |
585 ChannelIDServiceJob* job = j->second; | 513 ChannelIDServiceJob* job = j->second; |
586 inflight_.erase(j); | 514 inflight_.erase(j); |
587 | 515 |
588 job->HandleResult(error, private_key, cert); | 516 job->HandleResult(error, key); |
589 delete job; | 517 delete job; |
590 } | 518 } |
591 | 519 |
592 bool ChannelIDService::JoinToInFlightRequest( | 520 bool ChannelIDService::JoinToInFlightRequest( |
593 const base::TimeTicks& request_start, | 521 const base::TimeTicks& request_start, |
594 const std::string& domain, | 522 const std::string& domain, |
595 std::string* private_key, | 523 scoped_ptr<crypto::ECPrivateKey>* key, |
596 std::string* cert, | |
597 bool create_if_missing, | 524 bool create_if_missing, |
598 const CompletionCallback& callback, | 525 const CompletionCallback& callback, |
599 RequestHandle* out_req) { | 526 RequestHandle* out_req) { |
600 ChannelIDServiceJob* job = NULL; | 527 ChannelIDServiceJob* job = NULL; |
601 std::map<std::string, ChannelIDServiceJob*>::const_iterator j = | 528 std::map<std::string, ChannelIDServiceJob*>::const_iterator j = |
602 inflight_.find(domain); | 529 inflight_.find(domain); |
603 if (j != inflight_.end()) { | 530 if (j != inflight_.end()) { |
604 // A request for the same domain is in flight already. We'll attach our | 531 // A request for the same domain is in flight already. We'll attach our |
605 // callback, but we'll also mark it as requiring a cert if one's mising. | 532 // callback, but we'll also mark it as requiring a cert if one's mising. |
606 job = j->second; | 533 job = j->second; |
607 inflight_joins_++; | 534 inflight_joins_++; |
608 | 535 |
609 ChannelIDServiceRequest* request = new ChannelIDServiceRequest( | 536 ChannelIDServiceRequest* request = new ChannelIDServiceRequest( |
610 request_start, | 537 request_start, base::Bind(&RequestHandle::OnRequestComplete, |
611 base::Bind(&RequestHandle::OnRequestComplete, | 538 base::Unretained(out_req)), |
612 base::Unretained(out_req)), | 539 key); |
613 private_key, | |
614 cert); | |
615 job->AddRequest(request, create_if_missing); | 540 job->AddRequest(request, create_if_missing); |
616 out_req->RequestStarted(this, request, callback); | 541 out_req->RequestStarted(this, request, callback); |
617 return true; | 542 return true; |
618 } | 543 } |
619 return false; | 544 return false; |
620 } | 545 } |
621 | 546 |
622 int ChannelIDService::LookupChannelID( | 547 int ChannelIDService::LookupChannelID(const base::TimeTicks& request_start, |
623 const base::TimeTicks& request_start, | 548 const std::string& domain, |
624 const std::string& domain, | 549 scoped_ptr<crypto::ECPrivateKey>* key, |
625 std::string* private_key, | 550 bool create_if_missing, |
626 std::string* cert, | 551 const CompletionCallback& callback, |
627 bool create_if_missing, | 552 RequestHandle* out_req) { |
628 const CompletionCallback& callback, | 553 // Check if a channel ID key already exists for this domain. |
629 RequestHandle* out_req) { | |
630 // Check if a domain bound cert already exists for this domain. Note that | |
631 // |expiration_time| is ignored, and expired certs are considered valid. | |
632 base::Time expiration_time; | |
633 int err = channel_id_store_->GetChannelID( | 554 int err = channel_id_store_->GetChannelID( |
634 domain, | 555 domain, key, base::Bind(&ChannelIDService::GotChannelID, |
635 &expiration_time /* ignored */, | 556 weak_ptr_factory_.GetWeakPtr())); |
636 private_key, | |
637 cert, | |
638 base::Bind(&ChannelIDService::GotChannelID, | |
639 weak_ptr_factory_.GetWeakPtr())); | |
640 | 557 |
641 if (err == OK) { | 558 if (err == OK) { |
642 // Sync lookup found a valid cert. | 559 // Sync lookup found a valid cert. |
643 DVLOG(1) << "Cert store had valid cert for " << domain; | 560 DVLOG(1) << "Cert store had valid key for " << domain; |
644 cert_store_hits_++; | 561 key_store_hits_++; |
645 RecordGetChannelIDResult(SYNC_SUCCESS); | 562 RecordGetChannelIDResult(SYNC_SUCCESS); |
646 base::TimeDelta request_time = base::TimeTicks::Now() - request_start; | 563 base::TimeDelta request_time = base::TimeTicks::Now() - request_start; |
647 UMA_HISTOGRAM_TIMES("DomainBoundCerts.GetCertTimeSync", request_time); | 564 UMA_HISTOGRAM_TIMES("DomainBoundCerts.GetCertTimeSync", request_time); |
648 RecordGetChannelIDTime(request_time); | 565 RecordGetChannelIDTime(request_time); |
649 return OK; | 566 return OK; |
650 } | 567 } |
651 | 568 |
652 if (err == ERR_IO_PENDING) { | 569 if (err == ERR_IO_PENDING) { |
653 // We are waiting for async DB lookup. Create a job & request to track it. | 570 // We are waiting for async DB lookup. Create a job & request to track it. |
654 ChannelIDServiceJob* job = new ChannelIDServiceJob(create_if_missing); | 571 ChannelIDServiceJob* job = new ChannelIDServiceJob(create_if_missing); |
655 inflight_[domain] = job; | 572 inflight_[domain] = job; |
656 | 573 |
657 ChannelIDServiceRequest* request = new ChannelIDServiceRequest( | 574 ChannelIDServiceRequest* request = new ChannelIDServiceRequest( |
658 request_start, | 575 request_start, base::Bind(&RequestHandle::OnRequestComplete, |
659 base::Bind(&RequestHandle::OnRequestComplete, | 576 base::Unretained(out_req)), |
660 base::Unretained(out_req)), | 577 key); |
661 private_key, | |
662 cert); | |
663 job->AddRequest(request); | 578 job->AddRequest(request); |
664 out_req->RequestStarted(this, request, callback); | 579 out_req->RequestStarted(this, request, callback); |
665 return ERR_IO_PENDING; | 580 return ERR_IO_PENDING; |
666 } | 581 } |
667 | 582 |
668 return err; | 583 return err; |
669 } | 584 } |
670 | 585 |
671 int ChannelIDService::cert_count() { | 586 int ChannelIDService::cert_count() { |
672 return channel_id_store_->GetChannelIDCount(); | 587 return channel_id_store_->GetChannelIDCount(); |
673 } | 588 } |
674 | 589 |
675 } // namespace net | 590 } // namespace net |
OLD | NEW |