OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/ssl/channel_id_service.h" | 5 #include "net/ssl/channel_id_service.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <limits> | 8 #include <limits> |
9 | 9 |
10 #include "base/bind.h" | 10 #include "base/bind.h" |
(...skipping 17 matching lines...) Expand all Loading... |
28 #include "url/gurl.h" | 28 #include "url/gurl.h" |
29 | 29 |
30 #if !defined(USE_OPENSSL) | 30 #if !defined(USE_OPENSSL) |
31 #include <private/pprthred.h> // PR_DetachThread | 31 #include <private/pprthred.h> // PR_DetachThread |
32 #endif | 32 #endif |
33 | 33 |
34 namespace net { | 34 namespace net { |
35 | 35 |
36 namespace { | 36 namespace { |
37 | 37 |
38 const int kValidityPeriodInDays = 365; | |
39 // When we check the system time, we add this many days to the end of the check | |
40 // so the result will still hold even after chrome has been running for a | |
41 // while. | |
42 const int kSystemTimeValidityBufferInDays = 90; | |
43 | |
44 // Used by the GetDomainBoundCertResult histogram to record the final | 38 // Used by the GetDomainBoundCertResult histogram to record the final |
45 // outcome of each GetChannelID or GetOrCreateChannelID call. | 39 // outcome of each GetChannelID or GetOrCreateChannelID call. |
46 // Do not re-use values. | 40 // Do not re-use values. |
47 enum GetChannelIDResult { | 41 enum GetChannelIDResult { |
48 // Synchronously found and returned an existing domain bound cert. | 42 // Synchronously found and returned an existing domain bound cert. |
49 SYNC_SUCCESS = 0, | 43 SYNC_SUCCESS = 0, |
50 // Retrieved or generated and returned a domain bound cert asynchronously. | 44 // Retrieved or generated and returned a domain bound cert asynchronously. |
51 ASYNC_SUCCESS = 1, | 45 ASYNC_SUCCESS = 1, |
52 // Retrieval/generation request was cancelled before the cert generation | 46 // Retrieval/generation request was cancelled before the cert generation |
53 // completed. | 47 // completed. |
(...skipping 27 matching lines...) Expand all Loading... |
81 base::TimeDelta::FromMinutes(5), | 75 base::TimeDelta::FromMinutes(5), |
82 50); | 76 50); |
83 } | 77 } |
84 | 78 |
85 // On success, returns a ChannelID object and sets |*error| to OK. | 79 // On success, returns a ChannelID object and sets |*error| to OK. |
86 // Otherwise, returns NULL, and |*error| will be set to a net error code. | 80 // Otherwise, returns NULL, and |*error| will be set to a net error code. |
87 // |serial_number| is passed in because base::RandInt cannot be called from an | 81 // |serial_number| is passed in because base::RandInt cannot be called from an |
88 // unjoined thread, due to relying on a non-leaked LazyInstance | 82 // unjoined thread, due to relying on a non-leaked LazyInstance |
89 scoped_ptr<ChannelIDStore::ChannelID> GenerateChannelID( | 83 scoped_ptr<ChannelIDStore::ChannelID> GenerateChannelID( |
90 const std::string& server_identifier, | 84 const std::string& server_identifier, |
91 uint32 serial_number, | |
92 int* error) { | 85 int* error) { |
93 scoped_ptr<ChannelIDStore::ChannelID> result; | 86 scoped_ptr<ChannelIDStore::ChannelID> result; |
94 | 87 |
95 base::TimeTicks start = base::TimeTicks::Now(); | 88 base::TimeTicks start = base::TimeTicks::Now(); |
96 base::Time not_valid_before = base::Time::Now(); | 89 base::Time not_valid_before = base::Time::Now(); |
97 base::Time not_valid_after = | 90 scoped_ptr<crypto::ECPrivateKey> key(crypto::ECPrivateKey::Create()); |
98 not_valid_before + base::TimeDelta::FromDays(kValidityPeriodInDays); | 91 |
99 std::string der_cert; | 92 if (!key) { |
100 std::vector<uint8> private_key_info; | 93 DLOG(ERROR) << "Unable to create channel ID key pair"; |
101 scoped_ptr<crypto::ECPrivateKey> key; | 94 *error = ERR_KEY_GENERATION_FAILED; |
102 if (!x509_util::CreateKeyAndChannelIDEC(server_identifier, | |
103 serial_number, | |
104 not_valid_before, | |
105 not_valid_after, | |
106 &key, | |
107 &der_cert)) { | |
108 DLOG(ERROR) << "Unable to create x509 cert for client"; | |
109 *error = ERR_ORIGIN_BOUND_CERT_GENERATION_FAILED; | |
110 return result.Pass(); | 95 return result.Pass(); |
111 } | 96 } |
112 | 97 |
113 if (!key->ExportEncryptedPrivateKey(ChannelIDService::kEPKIPassword, | 98 std::string private_key_out; |
114 1, &private_key_info)) { | 99 std::string public_key_out; |
115 DLOG(ERROR) << "Unable to export private key"; | 100 *error = ExportKeyPair(key, &public_key_out, &private_key_out); |
116 *error = ERR_PRIVATE_KEY_EXPORT_FAILED; | 101 if (*error != OK) |
117 return result.Pass(); | 102 return result.Pass(); |
118 } | |
119 | |
120 // TODO(rkn): Perhaps ExportPrivateKey should be changed to output a | |
121 // std::string* to prevent this copying. | |
122 std::string key_out(private_key_info.begin(), private_key_info.end()); | |
123 | 103 |
124 result.reset(new ChannelIDStore::ChannelID( | 104 result.reset(new ChannelIDStore::ChannelID( |
125 server_identifier, | 105 server_identifier, not_valid_before, private_key_out, public_key_out)); |
126 not_valid_before, | |
127 not_valid_after, | |
128 key_out, | |
129 der_cert)); | |
130 UMA_HISTOGRAM_CUSTOM_TIMES("DomainBoundCerts.GenerateCertTime", | 106 UMA_HISTOGRAM_CUSTOM_TIMES("DomainBoundCerts.GenerateCertTime", |
131 base::TimeTicks::Now() - start, | 107 base::TimeTicks::Now() - start, |
132 base::TimeDelta::FromMilliseconds(1), | 108 base::TimeDelta::FromMilliseconds(1), |
133 base::TimeDelta::FromMinutes(5), | 109 base::TimeDelta::FromMinutes(5), |
134 50); | 110 50); |
135 *error = OK; | 111 *error = OK; |
136 return result.Pass(); | 112 return result.Pass(); |
137 } | 113 } |
138 | 114 |
139 } // namespace | 115 } // namespace |
140 | 116 |
| 117 int CreateECPrivateKeyFromSerializedKey( |
| 118 const std::string& public_key, |
| 119 const std::string& private_key, |
| 120 scoped_ptr<crypto::ECPrivateKey>* key_out) { |
| 121 if (public_key.empty() || private_key.empty()) |
| 122 return ERR_UNEXPECTED; |
| 123 |
| 124 std::vector<uint8> public_key_vector(public_key.size()); |
| 125 memcpy(&public_key_vector[0], public_key.data(), public_key.size()); |
| 126 std::vector<uint8> private_key_vector(private_key.size()); |
| 127 memcpy(&private_key_vector[0], private_key.data(), private_key.size()); |
| 128 crypto::ECPrivateKey* key = |
| 129 crypto::ECPrivateKey::CreateFromEncryptedPrivateKeyInfo( |
| 130 ChannelIDService::kEPKIPassword, private_key_vector, |
| 131 public_key_vector); |
| 132 if (key == nullptr) |
| 133 return ERR_UNEXPECTED; |
| 134 key_out->reset(key); |
| 135 return OK; |
| 136 } |
| 137 |
| 138 int ExportKeyPair(const scoped_ptr<crypto::ECPrivateKey>& key, |
| 139 std::string* public_key, |
| 140 std::string* private_key) { |
| 141 std::vector<uint8> public_key_vector; |
| 142 std::vector<uint8> private_key_vector; |
| 143 |
| 144 if (!key) |
| 145 return ERR_UNEXPECTED; |
| 146 |
| 147 if (!key->ExportEncryptedPrivateKey(ChannelIDService::kEPKIPassword, 1, |
| 148 &private_key_vector) || |
| 149 !key->ExportPublicKey(&public_key_vector)) { |
| 150 DLOG(ERROR) << "Unable to export key"; |
| 151 return ERR_PRIVATE_KEY_EXPORT_FAILED; |
| 152 } |
| 153 |
| 154 // TODO(rkn): Perhaps ExportPrivateKey should be changed to output a |
| 155 // std::string* to prevent this copying. |
| 156 *public_key = std::string(public_key_vector.begin(), public_key_vector.end()); |
| 157 *private_key = |
| 158 std::string(private_key_vector.begin(), private_key_vector.end()); |
| 159 return OK; |
| 160 } |
| 161 |
141 // Represents the output and result callback of a request. | 162 // Represents the output and result callback of a request. |
142 class ChannelIDServiceRequest { | 163 class ChannelIDServiceRequest { |
143 public: | 164 public: |
144 ChannelIDServiceRequest(base::TimeTicks request_start, | 165 ChannelIDServiceRequest(base::TimeTicks request_start, |
145 const CompletionCallback& callback, | 166 const CompletionCallback& callback, |
146 std::string* private_key, | 167 scoped_ptr<crypto::ECPrivateKey>* key) |
147 std::string* cert) | 168 : request_start_(request_start), callback_(callback), key_(key) {} |
148 : request_start_(request_start), | |
149 callback_(callback), | |
150 private_key_(private_key), | |
151 cert_(cert) { | |
152 } | |
153 | 169 |
154 // Ensures that the result callback will never be made. | 170 // Ensures that the result callback will never be made. |
155 void Cancel() { | 171 void Cancel() { |
156 RecordGetChannelIDResult(ASYNC_CANCELLED); | 172 RecordGetChannelIDResult(ASYNC_CANCELLED); |
157 callback_.Reset(); | 173 callback_.Reset(); |
158 private_key_ = NULL; | 174 key_->reset(); |
159 cert_ = NULL; | |
160 } | 175 } |
161 | 176 |
162 // Copies the contents of |private_key| and |cert| to the caller's output | 177 // Copies the contents of |private_key| and |cert| to the caller's output |
163 // arguments and calls the callback. | 178 // arguments and calls the callback. |
164 void Post(int error, | 179 void Post(int error, |
165 const std::string& private_key, | 180 const std::string& private_key, |
166 const std::string& cert) { | 181 const std::string& public_key) { |
167 switch (error) { | 182 switch (error) { |
168 case OK: { | 183 case OK: { |
169 base::TimeDelta request_time = base::TimeTicks::Now() - request_start_; | 184 base::TimeDelta request_time = base::TimeTicks::Now() - request_start_; |
170 UMA_HISTOGRAM_CUSTOM_TIMES("DomainBoundCerts.GetCertTimeAsync", | 185 UMA_HISTOGRAM_CUSTOM_TIMES("DomainBoundCerts.GetCertTimeAsync", |
171 request_time, | 186 request_time, |
172 base::TimeDelta::FromMilliseconds(1), | 187 base::TimeDelta::FromMilliseconds(1), |
173 base::TimeDelta::FromMinutes(5), | 188 base::TimeDelta::FromMinutes(5), |
174 50); | 189 50); |
175 RecordGetChannelIDTime(request_time); | 190 RecordGetChannelIDTime(request_time); |
176 RecordGetChannelIDResult(ASYNC_SUCCESS); | 191 RecordGetChannelIDResult(ASYNC_SUCCESS); |
177 break; | 192 break; |
178 } | 193 } |
179 case ERR_KEY_GENERATION_FAILED: | 194 case ERR_KEY_GENERATION_FAILED: |
180 RecordGetChannelIDResult(ASYNC_FAILURE_KEYGEN); | 195 RecordGetChannelIDResult(ASYNC_FAILURE_KEYGEN); |
181 break; | 196 break; |
182 case ERR_ORIGIN_BOUND_CERT_GENERATION_FAILED: | 197 case ERR_ORIGIN_BOUND_CERT_GENERATION_FAILED: |
183 RecordGetChannelIDResult(ASYNC_FAILURE_CREATE_CERT); | 198 RecordGetChannelIDResult(ASYNC_FAILURE_CREATE_CERT); |
184 break; | 199 break; |
185 case ERR_PRIVATE_KEY_EXPORT_FAILED: | 200 case ERR_PRIVATE_KEY_EXPORT_FAILED: |
186 RecordGetChannelIDResult(ASYNC_FAILURE_EXPORT_KEY); | 201 RecordGetChannelIDResult(ASYNC_FAILURE_EXPORT_KEY); |
187 break; | 202 break; |
188 case ERR_INSUFFICIENT_RESOURCES: | 203 case ERR_INSUFFICIENT_RESOURCES: |
189 RecordGetChannelIDResult(WORKER_FAILURE); | 204 RecordGetChannelIDResult(WORKER_FAILURE); |
190 break; | 205 break; |
191 default: | 206 default: |
192 RecordGetChannelIDResult(ASYNC_FAILURE_UNKNOWN); | 207 RecordGetChannelIDResult(ASYNC_FAILURE_UNKNOWN); |
193 break; | 208 break; |
194 } | 209 } |
195 if (!callback_.is_null()) { | 210 if (!callback_.is_null()) { |
196 *private_key_ = private_key; | 211 if (error == OK) { |
197 *cert_ = cert; | 212 callback_.Run( |
198 callback_.Run(error); | 213 CreateECPrivateKeyFromSerializedKey(public_key, private_key, key_)); |
| 214 } else { |
| 215 callback_.Run(error); |
| 216 } |
199 } | 217 } |
200 delete this; | 218 delete this; |
201 } | 219 } |
202 | 220 |
203 bool canceled() const { return callback_.is_null(); } | 221 bool canceled() const { return callback_.is_null(); } |
204 | 222 |
205 private: | 223 private: |
206 base::TimeTicks request_start_; | 224 base::TimeTicks request_start_; |
207 CompletionCallback callback_; | 225 CompletionCallback callback_; |
208 std::string* private_key_; | 226 scoped_ptr<crypto::ECPrivateKey>* key_; |
209 std::string* cert_; | |
210 }; | 227 }; |
211 | 228 |
212 // ChannelIDServiceWorker runs on a worker thread and takes care of the | 229 // ChannelIDServiceWorker runs on a worker thread and takes care of the |
213 // blocking process of performing key generation. Will take care of deleting | 230 // blocking process of performing key generation. Will take care of deleting |
214 // itself once Start() is called. | 231 // itself once Start() is called. |
215 class ChannelIDServiceWorker { | 232 class ChannelIDServiceWorker { |
216 public: | 233 public: |
217 typedef base::Callback<void( | 234 typedef base::Callback<void( |
218 const std::string&, | 235 const std::string&, |
219 int, | 236 int, |
220 scoped_ptr<ChannelIDStore::ChannelID>)> WorkerDoneCallback; | 237 scoped_ptr<ChannelIDStore::ChannelID>)> WorkerDoneCallback; |
221 | 238 |
222 ChannelIDServiceWorker( | 239 ChannelIDServiceWorker( |
223 const std::string& server_identifier, | 240 const std::string& server_identifier, |
224 const WorkerDoneCallback& callback) | 241 const WorkerDoneCallback& callback) |
225 : server_identifier_(server_identifier), | 242 : server_identifier_(server_identifier), |
226 serial_number_(base::RandInt(0, std::numeric_limits<int>::max())), | |
227 origin_loop_(base::MessageLoopProxy::current()), | 243 origin_loop_(base::MessageLoopProxy::current()), |
228 callback_(callback) { | 244 callback_(callback) { |
229 } | 245 } |
230 | 246 |
231 // Starts the worker on |task_runner|. If the worker fails to start, such as | 247 // Starts the worker on |task_runner|. If the worker fails to start, such as |
232 // if the task runner is shutting down, then it will take care of deleting | 248 // if the task runner is shutting down, then it will take care of deleting |
233 // itself. | 249 // itself. |
234 bool Start(const scoped_refptr<base::TaskRunner>& task_runner) { | 250 bool Start(const scoped_refptr<base::TaskRunner>& task_runner) { |
235 DCHECK(origin_loop_->RunsTasksOnCurrentThread()); | 251 DCHECK(origin_loop_->RunsTasksOnCurrentThread()); |
236 | 252 |
237 return task_runner->PostTask( | 253 return task_runner->PostTask( |
238 FROM_HERE, | 254 FROM_HERE, |
239 base::Bind(&ChannelIDServiceWorker::Run, base::Owned(this))); | 255 base::Bind(&ChannelIDServiceWorker::Run, base::Owned(this))); |
240 } | 256 } |
241 | 257 |
242 private: | 258 private: |
243 void Run() { | 259 void Run() { |
244 // Runs on a worker thread. | 260 // Runs on a worker thread. |
245 int error = ERR_FAILED; | 261 int error = ERR_FAILED; |
246 scoped_ptr<ChannelIDStore::ChannelID> cert = | 262 scoped_ptr<ChannelIDStore::ChannelID> cert = |
247 GenerateChannelID(server_identifier_, serial_number_, &error); | 263 GenerateChannelID(server_identifier_, &error); |
248 DVLOG(1) << "GenerateCert " << server_identifier_ << " returned " << error; | 264 DVLOG(1) << "GenerateCert " << server_identifier_ << " returned " << error; |
249 #if !defined(USE_OPENSSL) | 265 #if !defined(USE_OPENSSL) |
250 // Detach the thread from NSPR. | 266 // Detach the thread from NSPR. |
251 // Calling NSS functions attaches the thread to NSPR, which stores | 267 // Calling NSS functions attaches the thread to NSPR, which stores |
252 // the NSPR thread ID in thread-specific data. | 268 // the NSPR thread ID in thread-specific data. |
253 // The threads in our thread pool terminate after we have called | 269 // The threads in our thread pool terminate after we have called |
254 // PR_Cleanup. Unless we detach them from NSPR, net_unittests gets | 270 // PR_Cleanup. Unless we detach them from NSPR, net_unittests gets |
255 // segfaults on shutdown when the threads' thread-specific data | 271 // segfaults on shutdown when the threads' thread-specific data |
256 // destructors run. | 272 // destructors run. |
257 PR_DetachThread(); | 273 PR_DetachThread(); |
258 #endif | 274 #endif |
259 origin_loop_->PostTask(FROM_HERE, | 275 origin_loop_->PostTask(FROM_HERE, |
260 base::Bind(callback_, server_identifier_, error, | 276 base::Bind(callback_, server_identifier_, error, |
261 base::Passed(&cert))); | 277 base::Passed(&cert))); |
262 } | 278 } |
263 | 279 |
264 const std::string server_identifier_; | 280 const std::string server_identifier_; |
265 // Note that serial_number_ must be initialized on a non-worker thread | |
266 // (see documentation for GenerateCert). | |
267 uint32 serial_number_; | |
268 scoped_refptr<base::SequencedTaskRunner> origin_loop_; | 281 scoped_refptr<base::SequencedTaskRunner> origin_loop_; |
269 WorkerDoneCallback callback_; | 282 WorkerDoneCallback callback_; |
270 | 283 |
271 DISALLOW_COPY_AND_ASSIGN(ChannelIDServiceWorker); | 284 DISALLOW_COPY_AND_ASSIGN(ChannelIDServiceWorker); |
272 }; | 285 }; |
273 | 286 |
274 // A ChannelIDServiceJob is a one-to-one counterpart of an | 287 // A ChannelIDServiceJob is a one-to-one counterpart of an |
275 // ChannelIDServiceWorker. It lives only on the ChannelIDService's | 288 // ChannelIDServiceWorker. It lives only on the ChannelIDService's |
276 // origin message loop. | 289 // origin message loop. |
277 class ChannelIDServiceJob { | 290 class ChannelIDServiceJob { |
278 public: | 291 public: |
279 ChannelIDServiceJob(bool create_if_missing) | 292 ChannelIDServiceJob(bool create_if_missing) |
280 : create_if_missing_(create_if_missing) { | 293 : create_if_missing_(create_if_missing) { |
281 } | 294 } |
282 | 295 |
283 ~ChannelIDServiceJob() { | 296 ~ChannelIDServiceJob() { |
284 if (!requests_.empty()) | 297 if (!requests_.empty()) |
285 DeleteAllCanceled(); | 298 DeleteAllCanceled(); |
286 } | 299 } |
287 | 300 |
288 void AddRequest(ChannelIDServiceRequest* request, | 301 void AddRequest(ChannelIDServiceRequest* request, |
289 bool create_if_missing = false) { | 302 bool create_if_missing = false) { |
290 create_if_missing_ |= create_if_missing; | 303 create_if_missing_ |= create_if_missing; |
291 requests_.push_back(request); | 304 requests_.push_back(request); |
292 } | 305 } |
293 | 306 |
294 void HandleResult(int error, | 307 void HandleResult(int error, |
295 const std::string& private_key, | 308 const std::string& private_key, |
296 const std::string& cert) { | 309 const std::string& public_key) { |
297 PostAll(error, private_key, cert); | 310 PostAll(error, private_key, public_key); |
298 } | 311 } |
299 | 312 |
300 bool CreateIfMissing() const { return create_if_missing_; } | 313 bool CreateIfMissing() const { return create_if_missing_; } |
301 | 314 |
302 private: | 315 private: |
303 void PostAll(int error, | 316 void PostAll(int error, |
304 const std::string& private_key, | 317 const std::string& private_key, |
305 const std::string& cert) { | 318 const std::string& public_key) { |
306 std::vector<ChannelIDServiceRequest*> requests; | 319 std::vector<ChannelIDServiceRequest*> requests; |
307 requests_.swap(requests); | 320 requests_.swap(requests); |
308 | 321 |
309 for (std::vector<ChannelIDServiceRequest*>::iterator | 322 for (std::vector<ChannelIDServiceRequest*>::iterator |
310 i = requests.begin(); i != requests.end(); i++) { | 323 i = requests.begin(); i != requests.end(); i++) { |
311 (*i)->Post(error, private_key, cert); | 324 (*i)->Post(error, private_key, public_key); |
312 // Post() causes the ChannelIDServiceRequest to delete itself. | 325 // Post() causes the ChannelIDServiceRequest to delete itself. |
313 } | 326 } |
314 } | 327 } |
315 | 328 |
316 void DeleteAllCanceled() { | 329 void DeleteAllCanceled() { |
317 for (std::vector<ChannelIDServiceRequest*>::iterator | 330 for (std::vector<ChannelIDServiceRequest*>::iterator |
318 i = requests_.begin(); i != requests_.end(); i++) { | 331 i = requests_.begin(); i != requests_.end(); i++) { |
319 if ((*i)->canceled()) { | 332 if ((*i)->canceled()) { |
320 delete *i; | 333 delete *i; |
321 } else { | 334 } else { |
(...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
363 // members afterwards. Reset callback_ first. | 376 // members afterwards. Reset callback_ first. |
364 base::ResetAndReturn(&callback_).Run(result); | 377 base::ResetAndReturn(&callback_).Run(result); |
365 } | 378 } |
366 | 379 |
367 ChannelIDService::ChannelIDService( | 380 ChannelIDService::ChannelIDService( |
368 ChannelIDStore* channel_id_store, | 381 ChannelIDStore* channel_id_store, |
369 const scoped_refptr<base::TaskRunner>& task_runner) | 382 const scoped_refptr<base::TaskRunner>& task_runner) |
370 : channel_id_store_(channel_id_store), | 383 : channel_id_store_(channel_id_store), |
371 task_runner_(task_runner), | 384 task_runner_(task_runner), |
372 requests_(0), | 385 requests_(0), |
373 cert_store_hits_(0), | 386 key_store_hits_(0), |
374 inflight_joins_(0), | 387 inflight_joins_(0), |
375 workers_created_(0), | 388 workers_created_(0), |
376 weak_ptr_factory_(this) { | 389 weak_ptr_factory_(this) { |
377 base::Time start = base::Time::Now(); | |
378 base::Time end = start + base::TimeDelta::FromDays( | |
379 kValidityPeriodInDays + kSystemTimeValidityBufferInDays); | |
380 is_system_time_valid_ = x509_util::IsSupportedValidityRange(start, end); | |
381 } | 390 } |
382 | 391 |
383 ChannelIDService::~ChannelIDService() { | 392 ChannelIDService::~ChannelIDService() { |
384 STLDeleteValues(&inflight_); | 393 STLDeleteValues(&inflight_); |
385 } | 394 } |
386 | 395 |
387 //static | 396 //static |
388 std::string ChannelIDService::GetDomainForHost(const std::string& host) { | 397 std::string ChannelIDService::GetDomainForHost(const std::string& host) { |
389 std::string domain = | 398 std::string domain = |
390 registry_controlled_domains::GetDomainAndRegistry( | 399 registry_controlled_domains::GetDomainAndRegistry( |
391 host, registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES); | 400 host, registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES); |
392 if (domain.empty()) | 401 if (domain.empty()) |
393 return host; | 402 return host; |
394 return domain; | 403 return domain; |
395 } | 404 } |
396 | 405 |
397 int ChannelIDService::GetOrCreateChannelID( | 406 int ChannelIDService::GetOrCreateChannelID( |
398 const std::string& host, | 407 const std::string& host, |
399 std::string* private_key, | 408 scoped_ptr<crypto::ECPrivateKey>* key, |
400 std::string* cert, | |
401 const CompletionCallback& callback, | 409 const CompletionCallback& callback, |
402 RequestHandle* out_req) { | 410 RequestHandle* out_req) { |
403 DVLOG(1) << __FUNCTION__ << " " << host; | 411 DVLOG(1) << __FUNCTION__ << " " << host; |
404 DCHECK(CalledOnValidThread()); | 412 DCHECK(CalledOnValidThread()); |
405 base::TimeTicks request_start = base::TimeTicks::Now(); | 413 base::TimeTicks request_start = base::TimeTicks::Now(); |
406 | 414 |
407 if (callback.is_null() || !private_key || !cert || host.empty()) { | 415 if (callback.is_null() || !key || host.empty()) { |
408 RecordGetChannelIDResult(INVALID_ARGUMENT); | 416 RecordGetChannelIDResult(INVALID_ARGUMENT); |
409 return ERR_INVALID_ARGUMENT; | 417 return ERR_INVALID_ARGUMENT; |
410 } | 418 } |
411 | 419 |
412 std::string domain = GetDomainForHost(host); | 420 std::string domain = GetDomainForHost(host); |
413 if (domain.empty()) { | 421 if (domain.empty()) { |
414 RecordGetChannelIDResult(INVALID_ARGUMENT); | 422 RecordGetChannelIDResult(INVALID_ARGUMENT); |
415 return ERR_INVALID_ARGUMENT; | 423 return ERR_INVALID_ARGUMENT; |
416 } | 424 } |
417 | 425 |
418 requests_++; | 426 requests_++; |
419 | 427 |
420 // See if a request for the same domain is currently in flight. | 428 // See if a request for the same domain is currently in flight. |
421 bool create_if_missing = true; | 429 bool create_if_missing = true; |
422 if (JoinToInFlightRequest(request_start, domain, private_key, cert, | 430 if (JoinToInFlightRequest(request_start, domain, key, create_if_missing, |
423 create_if_missing, callback, out_req)) { | 431 callback, out_req)) { |
424 return ERR_IO_PENDING; | 432 return ERR_IO_PENDING; |
425 } | 433 } |
426 | 434 |
427 int err = LookupChannelID(request_start, domain, private_key, cert, | 435 int err = LookupChannelID(request_start, domain, key, create_if_missing, |
428 create_if_missing, callback, out_req); | 436 callback, out_req); |
429 if (err == ERR_FILE_NOT_FOUND) { | 437 if (err == ERR_FILE_NOT_FOUND) { |
430 // Sync lookup did not find a valid cert. Start generating a new one. | 438 // Sync lookup did not find a valid cert. Start generating a new one. |
431 workers_created_++; | 439 workers_created_++; |
432 ChannelIDServiceWorker* worker = new ChannelIDServiceWorker( | 440 ChannelIDServiceWorker* worker = new ChannelIDServiceWorker( |
433 domain, | 441 domain, |
434 base::Bind(&ChannelIDService::GeneratedChannelID, | 442 base::Bind(&ChannelIDService::GeneratedChannelID, |
435 weak_ptr_factory_.GetWeakPtr())); | 443 weak_ptr_factory_.GetWeakPtr())); |
436 if (!worker->Start(task_runner_)) { | 444 if (!worker->Start(task_runner_)) { |
437 // TODO(rkn): Log to the NetLog. | 445 // TODO(rkn): Log to the NetLog. |
438 LOG(ERROR) << "ChannelIDServiceWorker couldn't be started."; | 446 LOG(ERROR) << "ChannelIDServiceWorker couldn't be started."; |
439 RecordGetChannelIDResult(WORKER_FAILURE); | 447 RecordGetChannelIDResult(WORKER_FAILURE); |
440 return ERR_INSUFFICIENT_RESOURCES; | 448 return ERR_INSUFFICIENT_RESOURCES; |
441 } | 449 } |
442 // We are waiting for cert generation. Create a job & request to track it. | 450 // We are waiting for cert generation. Create a job & request to track it. |
443 ChannelIDServiceJob* job = new ChannelIDServiceJob(create_if_missing); | 451 ChannelIDServiceJob* job = new ChannelIDServiceJob(create_if_missing); |
444 inflight_[domain] = job; | 452 inflight_[domain] = job; |
445 | 453 |
446 ChannelIDServiceRequest* request = new ChannelIDServiceRequest( | 454 ChannelIDServiceRequest* request = new ChannelIDServiceRequest( |
447 request_start, | 455 request_start, base::Bind(&RequestHandle::OnRequestComplete, |
448 base::Bind(&RequestHandle::OnRequestComplete, | 456 base::Unretained(out_req)), |
449 base::Unretained(out_req)), | 457 key); |
450 private_key, | |
451 cert); | |
452 job->AddRequest(request); | 458 job->AddRequest(request); |
453 out_req->RequestStarted(this, request, callback); | 459 out_req->RequestStarted(this, request, callback); |
454 return ERR_IO_PENDING; | 460 return ERR_IO_PENDING; |
455 } | 461 } |
456 | 462 |
457 return err; | 463 return err; |
458 } | 464 } |
459 | 465 |
460 int ChannelIDService::GetChannelID( | 466 int ChannelIDService::GetChannelID(const std::string& host, |
461 const std::string& host, | 467 scoped_ptr<crypto::ECPrivateKey>* key, |
462 std::string* private_key, | 468 const CompletionCallback& callback, |
463 std::string* cert, | 469 RequestHandle* out_req) { |
464 const CompletionCallback& callback, | |
465 RequestHandle* out_req) { | |
466 DVLOG(1) << __FUNCTION__ << " " << host; | 470 DVLOG(1) << __FUNCTION__ << " " << host; |
467 DCHECK(CalledOnValidThread()); | 471 DCHECK(CalledOnValidThread()); |
468 base::TimeTicks request_start = base::TimeTicks::Now(); | 472 base::TimeTicks request_start = base::TimeTicks::Now(); |
469 | 473 |
470 if (callback.is_null() || !private_key || !cert || host.empty()) { | 474 if (callback.is_null() || !key || host.empty()) { |
471 RecordGetChannelIDResult(INVALID_ARGUMENT); | 475 RecordGetChannelIDResult(INVALID_ARGUMENT); |
472 return ERR_INVALID_ARGUMENT; | 476 return ERR_INVALID_ARGUMENT; |
473 } | 477 } |
474 | 478 |
475 std::string domain = GetDomainForHost(host); | 479 std::string domain = GetDomainForHost(host); |
476 if (domain.empty()) { | 480 if (domain.empty()) { |
477 RecordGetChannelIDResult(INVALID_ARGUMENT); | 481 RecordGetChannelIDResult(INVALID_ARGUMENT); |
478 return ERR_INVALID_ARGUMENT; | 482 return ERR_INVALID_ARGUMENT; |
479 } | 483 } |
480 | 484 |
481 requests_++; | 485 requests_++; |
482 | 486 |
483 // See if a request for the same domain currently in flight. | 487 // See if a request for the same domain currently in flight. |
484 bool create_if_missing = false; | 488 bool create_if_missing = false; |
485 if (JoinToInFlightRequest(request_start, domain, private_key, cert, | 489 if (JoinToInFlightRequest(request_start, domain, key, create_if_missing, |
486 create_if_missing, callback, out_req)) { | 490 callback, out_req)) { |
487 return ERR_IO_PENDING; | 491 return ERR_IO_PENDING; |
488 } | 492 } |
489 | 493 |
490 int err = LookupChannelID(request_start, domain, private_key, cert, | 494 int err = LookupChannelID(request_start, domain, key, create_if_missing, |
491 create_if_missing, callback, out_req); | 495 callback, out_req); |
492 return err; | 496 return err; |
493 } | 497 } |
494 | 498 |
495 void ChannelIDService::GotChannelID( | 499 void ChannelIDService::GotChannelID(int err, |
496 int err, | 500 const std::string& server_identifier, |
497 const std::string& server_identifier, | 501 const std::string& private_key, |
498 base::Time expiration_time, | 502 const std::string& public_key) { |
499 const std::string& key, | |
500 const std::string& cert) { | |
501 DCHECK(CalledOnValidThread()); | 503 DCHECK(CalledOnValidThread()); |
502 | 504 |
503 std::map<std::string, ChannelIDServiceJob*>::iterator j; | 505 std::map<std::string, ChannelIDServiceJob*>::iterator j; |
504 j = inflight_.find(server_identifier); | 506 j = inflight_.find(server_identifier); |
505 if (j == inflight_.end()) { | 507 if (j == inflight_.end()) { |
506 NOTREACHED(); | 508 NOTREACHED(); |
507 return; | 509 return; |
508 } | 510 } |
509 | 511 |
510 if (err == OK) { | 512 if (err == OK) { |
511 // Async DB lookup found a valid cert. | 513 // Async DB lookup found a valid cert. |
512 DVLOG(1) << "Cert store had valid cert for " << server_identifier; | 514 DVLOG(1) << "Cert store had valid key for " << server_identifier; |
513 cert_store_hits_++; | 515 key_store_hits_++; |
514 // ChannelIDServiceRequest::Post will do the histograms and stuff. | 516 // ChannelIDServiceRequest::Post will do the histograms and stuff. |
515 HandleResult(OK, server_identifier, key, cert); | 517 HandleResult(OK, server_identifier, private_key, public_key); |
516 return; | 518 return; |
517 } | 519 } |
518 // Async lookup failed or the certificate was missing. Return the error | 520 // Async lookup failed or the certificate was missing. Return the error |
519 // directly, unless the certificate was missing and a request asked to create | 521 // directly, unless the certificate was missing and a request asked to create |
520 // one. | 522 // one. |
521 if (err != ERR_FILE_NOT_FOUND || !j->second->CreateIfMissing()) { | 523 if (err != ERR_FILE_NOT_FOUND || !j->second->CreateIfMissing()) { |
522 HandleResult(err, server_identifier, key, cert); | 524 HandleResult(err, server_identifier, private_key, public_key); |
523 return; | 525 return; |
524 } | 526 } |
525 // At least one request asked to create a cert => start generating a new one. | 527 // At least one request asked to create a cert => start generating a new one. |
526 workers_created_++; | 528 workers_created_++; |
527 ChannelIDServiceWorker* worker = new ChannelIDServiceWorker( | 529 ChannelIDServiceWorker* worker = new ChannelIDServiceWorker( |
528 server_identifier, | 530 server_identifier, |
529 base::Bind(&ChannelIDService::GeneratedChannelID, | 531 base::Bind(&ChannelIDService::GeneratedChannelID, |
530 weak_ptr_factory_.GetWeakPtr())); | 532 weak_ptr_factory_.GetWeakPtr())); |
531 if (!worker->Start(task_runner_)) { | 533 if (!worker->Start(task_runner_)) { |
532 // TODO(rkn): Log to the NetLog. | 534 // TODO(rkn): Log to the NetLog. |
(...skipping 16 matching lines...) Expand all Loading... |
549 | 551 |
550 void ChannelIDService::GeneratedChannelID( | 552 void ChannelIDService::GeneratedChannelID( |
551 const std::string& server_identifier, | 553 const std::string& server_identifier, |
552 int error, | 554 int error, |
553 scoped_ptr<ChannelIDStore::ChannelID> cert) { | 555 scoped_ptr<ChannelIDStore::ChannelID> cert) { |
554 DCHECK(CalledOnValidThread()); | 556 DCHECK(CalledOnValidThread()); |
555 | 557 |
556 if (error == OK) { | 558 if (error == OK) { |
557 // TODO(mattm): we should just Pass() the cert object to | 559 // TODO(mattm): we should just Pass() the cert object to |
558 // SetChannelID(). | 560 // SetChannelID(). |
559 channel_id_store_->SetChannelID( | 561 channel_id_store_->SetChannelID(cert->server_identifier(), |
560 cert->server_identifier(), | 562 cert->creation_time(), cert->private_key(), |
561 cert->creation_time(), | 563 cert->public_key()); |
562 cert->expiration_time(), | |
563 cert->private_key(), | |
564 cert->cert()); | |
565 | 564 |
566 HandleResult(error, server_identifier, cert->private_key(), cert->cert()); | 565 HandleResult(error, server_identifier, cert->private_key(), |
| 566 cert->public_key()); |
567 } else { | 567 } else { |
568 HandleResult(error, server_identifier, std::string(), std::string()); | 568 HandleResult(error, server_identifier, std::string(), std::string()); |
569 } | 569 } |
570 } | 570 } |
571 | 571 |
572 void ChannelIDService::HandleResult( | 572 void ChannelIDService::HandleResult(int error, |
573 int error, | 573 const std::string& server_identifier, |
574 const std::string& server_identifier, | 574 const std::string& private_key, |
575 const std::string& private_key, | 575 const std::string& public_key) { |
576 const std::string& cert) { | |
577 DCHECK(CalledOnValidThread()); | 576 DCHECK(CalledOnValidThread()); |
578 | 577 |
579 std::map<std::string, ChannelIDServiceJob*>::iterator j; | 578 std::map<std::string, ChannelIDServiceJob*>::iterator j; |
580 j = inflight_.find(server_identifier); | 579 j = inflight_.find(server_identifier); |
581 if (j == inflight_.end()) { | 580 if (j == inflight_.end()) { |
582 NOTREACHED(); | 581 NOTREACHED(); |
583 return; | 582 return; |
584 } | 583 } |
585 ChannelIDServiceJob* job = j->second; | 584 ChannelIDServiceJob* job = j->second; |
586 inflight_.erase(j); | 585 inflight_.erase(j); |
587 | 586 |
588 job->HandleResult(error, private_key, cert); | 587 job->HandleResult(error, private_key, public_key); |
589 delete job; | 588 delete job; |
590 } | 589 } |
591 | 590 |
592 bool ChannelIDService::JoinToInFlightRequest( | 591 bool ChannelIDService::JoinToInFlightRequest( |
593 const base::TimeTicks& request_start, | 592 const base::TimeTicks& request_start, |
594 const std::string& domain, | 593 const std::string& domain, |
595 std::string* private_key, | 594 scoped_ptr<crypto::ECPrivateKey>* key, |
596 std::string* cert, | |
597 bool create_if_missing, | 595 bool create_if_missing, |
598 const CompletionCallback& callback, | 596 const CompletionCallback& callback, |
599 RequestHandle* out_req) { | 597 RequestHandle* out_req) { |
600 ChannelIDServiceJob* job = NULL; | 598 ChannelIDServiceJob* job = NULL; |
601 std::map<std::string, ChannelIDServiceJob*>::const_iterator j = | 599 std::map<std::string, ChannelIDServiceJob*>::const_iterator j = |
602 inflight_.find(domain); | 600 inflight_.find(domain); |
603 if (j != inflight_.end()) { | 601 if (j != inflight_.end()) { |
604 // A request for the same domain is in flight already. We'll attach our | 602 // A request for the same domain is in flight already. We'll attach our |
605 // callback, but we'll also mark it as requiring a cert if one's mising. | 603 // callback, but we'll also mark it as requiring a cert if one's mising. |
606 job = j->second; | 604 job = j->second; |
607 inflight_joins_++; | 605 inflight_joins_++; |
608 | 606 |
609 ChannelIDServiceRequest* request = new ChannelIDServiceRequest( | 607 ChannelIDServiceRequest* request = new ChannelIDServiceRequest( |
610 request_start, | 608 request_start, base::Bind(&RequestHandle::OnRequestComplete, |
611 base::Bind(&RequestHandle::OnRequestComplete, | 609 base::Unretained(out_req)), |
612 base::Unretained(out_req)), | 610 key); |
613 private_key, | |
614 cert); | |
615 job->AddRequest(request, create_if_missing); | 611 job->AddRequest(request, create_if_missing); |
616 out_req->RequestStarted(this, request, callback); | 612 out_req->RequestStarted(this, request, callback); |
617 return true; | 613 return true; |
618 } | 614 } |
619 return false; | 615 return false; |
620 } | 616 } |
621 | 617 |
622 int ChannelIDService::LookupChannelID( | 618 int ChannelIDService::LookupChannelID(const base::TimeTicks& request_start, |
623 const base::TimeTicks& request_start, | 619 const std::string& domain, |
624 const std::string& domain, | 620 scoped_ptr<crypto::ECPrivateKey>* key, |
625 std::string* private_key, | 621 bool create_if_missing, |
626 std::string* cert, | 622 const CompletionCallback& callback, |
627 bool create_if_missing, | 623 RequestHandle* out_req) { |
628 const CompletionCallback& callback, | |
629 RequestHandle* out_req) { | |
630 // Check if a domain bound cert already exists for this domain. Note that | 624 // Check if a domain bound cert already exists for this domain. Note that |
631 // |expiration_time| is ignored, and expired certs are considered valid. | 625 // |expiration_time| is ignored, and expired certs are considered valid. |
632 base::Time expiration_time; | 626 std::string public_key; |
| 627 std::string private_key; |
633 int err = channel_id_store_->GetChannelID( | 628 int err = channel_id_store_->GetChannelID( |
634 domain, | 629 domain, &private_key, &public_key, |
635 &expiration_time /* ignored */, | |
636 private_key, | |
637 cert, | |
638 base::Bind(&ChannelIDService::GotChannelID, | 630 base::Bind(&ChannelIDService::GotChannelID, |
639 weak_ptr_factory_.GetWeakPtr())); | 631 weak_ptr_factory_.GetWeakPtr())); |
640 | 632 |
641 if (err == OK) { | 633 if (err == OK) { |
| 634 err = CreateECPrivateKeyFromSerializedKey(public_key, private_key, key); |
| 635 if (err != OK) { |
| 636 return err; |
| 637 } |
642 // Sync lookup found a valid cert. | 638 // Sync lookup found a valid cert. |
643 DVLOG(1) << "Cert store had valid cert for " << domain; | 639 DVLOG(1) << "Cert store had valid key for " << domain; |
644 cert_store_hits_++; | 640 key_store_hits_++; |
645 RecordGetChannelIDResult(SYNC_SUCCESS); | 641 RecordGetChannelIDResult(SYNC_SUCCESS); |
646 base::TimeDelta request_time = base::TimeTicks::Now() - request_start; | 642 base::TimeDelta request_time = base::TimeTicks::Now() - request_start; |
647 UMA_HISTOGRAM_TIMES("DomainBoundCerts.GetCertTimeSync", request_time); | 643 UMA_HISTOGRAM_TIMES("DomainBoundCerts.GetCertTimeSync", request_time); |
648 RecordGetChannelIDTime(request_time); | 644 RecordGetChannelIDTime(request_time); |
649 return OK; | 645 return OK; |
650 } | 646 } |
651 | 647 |
652 if (err == ERR_IO_PENDING) { | 648 if (err == ERR_IO_PENDING) { |
653 // We are waiting for async DB lookup. Create a job & request to track it. | 649 // We are waiting for async DB lookup. Create a job & request to track it. |
654 ChannelIDServiceJob* job = new ChannelIDServiceJob(create_if_missing); | 650 ChannelIDServiceJob* job = new ChannelIDServiceJob(create_if_missing); |
655 inflight_[domain] = job; | 651 inflight_[domain] = job; |
656 | 652 |
657 ChannelIDServiceRequest* request = new ChannelIDServiceRequest( | 653 ChannelIDServiceRequest* request = new ChannelIDServiceRequest( |
658 request_start, | 654 request_start, base::Bind(&RequestHandle::OnRequestComplete, |
659 base::Bind(&RequestHandle::OnRequestComplete, | 655 base::Unretained(out_req)), |
660 base::Unretained(out_req)), | 656 key); |
661 private_key, | |
662 cert); | |
663 job->AddRequest(request); | 657 job->AddRequest(request); |
664 out_req->RequestStarted(this, request, callback); | 658 out_req->RequestStarted(this, request, callback); |
665 return ERR_IO_PENDING; | 659 return ERR_IO_PENDING; |
666 } | 660 } |
667 | 661 |
668 return err; | 662 return err; |
669 } | 663 } |
670 | 664 |
671 int ChannelIDService::cert_count() { | 665 int ChannelIDService::cert_count() { |
672 return channel_id_store_->GetChannelIDCount(); | 666 return channel_id_store_->GetChannelIDCount(); |
673 } | 667 } |
674 | 668 |
675 } // namespace net | 669 } // namespace net |
OLD | NEW |