OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_SSL_CHANNEL_ID_SERVICE_H_ | 5 #ifndef NET_SSL_CHANNEL_ID_SERVICE_H_ |
6 #define NET_SSL_CHANNEL_ID_SERVICE_H_ | 6 #define NET_SSL_CHANNEL_ID_SERVICE_H_ |
7 | 7 |
8 #include <map> | 8 #include <map> |
9 #include <string> | 9 #include <string> |
10 #include <vector> | 10 #include <vector> |
11 | 11 |
12 #include "base/basictypes.h" | 12 #include "base/basictypes.h" |
13 #include "base/memory/scoped_ptr.h" | 13 #include "base/memory/scoped_ptr.h" |
14 #include "base/memory/weak_ptr.h" | 14 #include "base/memory/weak_ptr.h" |
15 #include "base/threading/non_thread_safe.h" | 15 #include "base/threading/non_thread_safe.h" |
16 #include "base/time/time.h" | 16 #include "base/time/time.h" |
17 #include "net/base/completion_callback.h" | 17 #include "net/base/completion_callback.h" |
18 #include "net/base/net_export.h" | 18 #include "net/base/net_export.h" |
19 #include "net/ssl/channel_id_store.h" | 19 #include "net/ssl/channel_id_store.h" |
20 | 20 |
21 namespace base { | 21 namespace base { |
22 class TaskRunner; | 22 class TaskRunner; |
23 } | 23 } |
24 | 24 |
| 25 namespace crypto { |
| 26 class ECPrivateKey; |
| 27 } |
| 28 |
25 namespace net { | 29 namespace net { |
26 | 30 |
27 class ChannelIDServiceJob; | 31 class ChannelIDServiceJob; |
28 class ChannelIDServiceRequest; | 32 class ChannelIDServiceRequest; |
29 class ChannelIDServiceWorker; | 33 class ChannelIDServiceWorker; |
30 | 34 |
31 // A class for creating and fetching domain bound certs. They are used | 35 // A class for creating and fetching domain bound certs. They are used |
32 // to identify users' machines; their public keys are used as channel IDs in | 36 // to identify users' machines; their public keys are used as channel IDs in |
33 // http://tools.ietf.org/html/draft-balfanz-tls-channelid-00. | 37 // http://tools.ietf.org/html/draft-balfanz-tls-channelid-00. |
34 // As a result although certs are set to be invalid after one year, we don't | 38 // As a result although certs are set to be invalid after one year, we don't |
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
78 ChannelIDStore* channel_id_store, | 82 ChannelIDStore* channel_id_store, |
79 const scoped_refptr<base::TaskRunner>& task_runner); | 83 const scoped_refptr<base::TaskRunner>& task_runner); |
80 | 84 |
81 ~ChannelIDService(); | 85 ~ChannelIDService(); |
82 | 86 |
83 // Returns the domain to be used for |host|. The domain is the | 87 // Returns the domain to be used for |host|. The domain is the |
84 // "registry controlled domain", or the "ETLD + 1" where one exists, or | 88 // "registry controlled domain", or the "ETLD + 1" where one exists, or |
85 // the origin otherwise. | 89 // the origin otherwise. |
86 static std::string GetDomainForHost(const std::string& host); | 90 static std::string GetDomainForHost(const std::string& host); |
87 | 91 |
88 // Tests whether the system time is within the supported range for | |
89 // certificate generation. This value is cached when ChannelIDService | |
90 // is created, so if the system time is changed by a huge amount, this may no | |
91 // longer hold. | |
92 bool IsSystemTimeValid() const { return is_system_time_valid_; } | |
93 | |
94 // Fetches the domain bound cert for the specified host if one exists and | 92 // Fetches the domain bound cert for the specified host if one exists and |
95 // creates one otherwise. Returns OK if successful or an error code upon | 93 // creates one otherwise. Returns OK if successful or an error code upon |
96 // failure. | 94 // failure. |
97 // | 95 // |
98 // On successful completion, |private_key| stores a DER-encoded | 96 // On successful completion, |private_key| stores a DER-encoded |
99 // PrivateKeyInfo struct, and |cert| stores a DER-encoded certificate. | 97 // PrivateKeyInfo struct, and |cert| stores a DER-encoded certificate. |
100 // The PrivateKeyInfo is always an ECDSA private key. | 98 // The PrivateKeyInfo is always an ECDSA private key. |
101 // | 99 // |
102 // |callback| must not be null. ERR_IO_PENDING is returned if the operation | 100 // |callback| must not be null. ERR_IO_PENDING is returned if the operation |
103 // could not be completed immediately, in which case the result code will | 101 // could not be completed immediately, in which case the result code will |
104 // be passed to the callback when available. | 102 // be passed to the callback when available. |
105 // | 103 // |
106 // |*out_req| will be initialized with a handle to the async request. This | 104 // |*out_req| will be initialized with a handle to the async request. This |
107 // RequestHandle object must be cancelled or destroyed before the | 105 // RequestHandle object must be cancelled or destroyed before the |
108 // ChannelIDService is destroyed. | 106 // ChannelIDService is destroyed. |
109 int GetOrCreateChannelID( | 107 int GetOrCreateChannelID(const std::string& host, |
110 const std::string& host, | 108 scoped_ptr<crypto::ECPrivateKey>* key, |
111 std::string* private_key, | 109 const CompletionCallback& callback, |
112 std::string* cert, | 110 RequestHandle* out_req); |
113 const CompletionCallback& callback, | |
114 RequestHandle* out_req); | |
115 | 111 |
116 // Fetches the domain bound cert for the specified host if one exists. | 112 // Fetches the domain bound cert for the specified host if one exists. |
117 // Returns OK if successful, ERR_FILE_NOT_FOUND if none exists, or an error | 113 // Returns OK if successful, ERR_FILE_NOT_FOUND if none exists, or an error |
118 // code upon failure. | 114 // code upon failure. |
119 // | 115 // |
120 // On successful completion, |private_key| stores a DER-encoded | 116 // On successful completion, |private_key| stores a DER-encoded |
121 // PrivateKeyInfo struct, and |cert| stores a DER-encoded certificate. | 117 // PrivateKeyInfo struct, and |cert| stores a DER-encoded certificate. |
122 // The PrivateKeyInfo is always an ECDSA private key. | 118 // The PrivateKeyInfo is always an ECDSA private key. |
123 // | 119 // |
124 // |callback| must not be null. ERR_IO_PENDING is returned if the operation | 120 // |callback| must not be null. ERR_IO_PENDING is returned if the operation |
125 // could not be completed immediately, in which case the result code will | 121 // could not be completed immediately, in which case the result code will |
126 // be passed to the callback when available. If an in-flight | 122 // be passed to the callback when available. If an in-flight |
127 // GetChannelID is pending, and a new GetOrCreateDomainBoundCert | 123 // GetChannelID is pending, and a new GetOrCreateDomainBoundCert |
128 // request arrives for the same domain, the GetChannelID request will | 124 // request arrives for the same domain, the GetChannelID request will |
129 // not complete until a new cert is created. | 125 // not complete until a new cert is created. |
130 // | 126 // |
131 // |*out_req| will be initialized with a handle to the async request. This | 127 // |*out_req| will be initialized with a handle to the async request. This |
132 // RequestHandle object must be cancelled or destroyed before the | 128 // RequestHandle object must be cancelled or destroyed before the |
133 // ChannelIDService is destroyed. | 129 // ChannelIDService is destroyed. |
134 int GetChannelID( | 130 int GetChannelID(const std::string& host, |
135 const std::string& host, | 131 scoped_ptr<crypto::ECPrivateKey>* key, |
136 std::string* private_key, | 132 const CompletionCallback& callback, |
137 std::string* cert, | 133 RequestHandle* out_req); |
138 const CompletionCallback& callback, | |
139 RequestHandle* out_req); | |
140 | 134 |
141 // Returns the backing ChannelIDStore. | 135 // Returns the backing ChannelIDStore. |
142 ChannelIDStore* GetChannelIDStore(); | 136 ChannelIDStore* GetChannelIDStore(); |
143 | 137 |
144 // Public only for unit testing. | 138 // Public only for unit testing. |
145 int cert_count(); | 139 int cert_count(); |
146 uint64 requests() const { return requests_; } | 140 uint64 requests() const { return requests_; } |
147 uint64 cert_store_hits() const { return cert_store_hits_; } | 141 uint64 key_store_hits() const { return key_store_hits_; } |
148 uint64 inflight_joins() const { return inflight_joins_; } | 142 uint64 inflight_joins() const { return inflight_joins_; } |
149 uint64 workers_created() const { return workers_created_; } | 143 uint64 workers_created() const { return workers_created_; } |
150 | 144 |
151 private: | 145 private: |
152 // Cancels the specified request. |req| is the handle stored by | 146 // Cancels the specified request. |req| is the handle stored by |
153 // GetChannelID(). After a request is canceled, its completion | 147 // GetChannelID(). After a request is canceled, its completion |
154 // callback will not be called. | 148 // callback will not be called. |
155 void CancelRequest(ChannelIDServiceRequest* req); | 149 void CancelRequest(ChannelIDServiceRequest* req); |
156 | 150 |
157 void GotChannelID(int err, | 151 void GotChannelID(int err, |
158 const std::string& server_identifier, | 152 const std::string& server_identifier, |
159 base::Time expiration_time, | 153 const std::string& private_key, |
160 const std::string& key, | 154 const std::string& public_key); |
161 const std::string& cert); | |
162 void GeneratedChannelID( | 155 void GeneratedChannelID( |
163 const std::string& server_identifier, | 156 const std::string& server_identifier, |
164 int error, | 157 int error, |
165 scoped_ptr<ChannelIDStore::ChannelID> channel_id); | 158 scoped_ptr<ChannelIDStore::ChannelID> channel_id); |
166 void HandleResult(int error, | 159 void HandleResult(int error, |
167 const std::string& server_identifier, | 160 const std::string& server_identifier, |
168 const std::string& private_key, | 161 const std::string& private_key, |
169 const std::string& cert); | 162 const std::string& public_key); |
170 | 163 |
171 // Searches for an in-flight request for the same domain. If found, | 164 // Searches for an in-flight request for the same domain. If found, |
172 // attaches to the request and returns true. Returns false if no in-flight | 165 // attaches to the request and returns true. Returns false if no in-flight |
173 // request is found. | 166 // request is found. |
174 bool JoinToInFlightRequest(const base::TimeTicks& request_start, | 167 bool JoinToInFlightRequest(const base::TimeTicks& request_start, |
175 const std::string& domain, | 168 const std::string& domain, |
176 std::string* private_key, | 169 scoped_ptr<crypto::ECPrivateKey>* key, |
177 std::string* cert, | |
178 bool create_if_missing, | 170 bool create_if_missing, |
179 const CompletionCallback& callback, | 171 const CompletionCallback& callback, |
180 RequestHandle* out_req); | 172 RequestHandle* out_req); |
181 | 173 |
182 // Looks for the domain bound cert for |domain| in this service's store. | 174 // Looks for the domain bound cert for |domain| in this service's store. |
183 // Returns OK if it can be found synchronously, ERR_IO_PENDING if the | 175 // Returns OK if it can be found synchronously, ERR_IO_PENDING if the |
184 // result cannot be obtained synchronously, or a network error code on | 176 // result cannot be obtained synchronously, or a network error code on |
185 // failure (including failure to find a domain-bound cert of |domain|). | 177 // failure (including failure to find a domain-bound cert of |domain|). |
186 int LookupChannelID(const base::TimeTicks& request_start, | 178 int LookupChannelID(const base::TimeTicks& request_start, |
187 const std::string& domain, | 179 const std::string& domain, |
188 std::string* private_key, | 180 scoped_ptr<crypto::ECPrivateKey>* key, |
189 std::string* cert, | |
190 bool create_if_missing, | 181 bool create_if_missing, |
191 const CompletionCallback& callback, | 182 const CompletionCallback& callback, |
192 RequestHandle* out_req); | 183 RequestHandle* out_req); |
193 | 184 |
194 scoped_ptr<ChannelIDStore> channel_id_store_; | 185 scoped_ptr<ChannelIDStore> channel_id_store_; |
195 scoped_refptr<base::TaskRunner> task_runner_; | 186 scoped_refptr<base::TaskRunner> task_runner_; |
196 | 187 |
197 // inflight_ maps from a server to an active generation which is taking | 188 // inflight_ maps from a server to an active generation which is taking |
198 // place. | 189 // place. |
199 std::map<std::string, ChannelIDServiceJob*> inflight_; | 190 std::map<std::string, ChannelIDServiceJob*> inflight_; |
200 | 191 |
201 uint64 requests_; | 192 uint64 requests_; |
202 uint64 cert_store_hits_; | 193 uint64 key_store_hits_; |
203 uint64 inflight_joins_; | 194 uint64 inflight_joins_; |
204 uint64 workers_created_; | 195 uint64 workers_created_; |
205 | 196 |
206 bool is_system_time_valid_; | |
207 | |
208 base::WeakPtrFactory<ChannelIDService> weak_ptr_factory_; | 197 base::WeakPtrFactory<ChannelIDService> weak_ptr_factory_; |
209 | 198 |
210 DISALLOW_COPY_AND_ASSIGN(ChannelIDService); | 199 DISALLOW_COPY_AND_ASSIGN(ChannelIDService); |
211 }; | 200 }; |
212 | 201 |
| 202 // This function is the opposite of ExportKeyPair. It takes DER encoded public |
| 203 // and private keys |public_key| and |private_key| and creates a |
| 204 // crypto::ECPrivateKey. If there is an issue creating the crypto::ECPrivateKey, |
| 205 // this function returns ERR_UNEXPECTED. Otherwise it returns OK. |
| 206 // |
| 207 // This function is only exposed here so that it can be used in unittests. |
| 208 NET_EXPORT_PRIVATE int CreateECPrivateKeyFromSerializedKey( |
| 209 const std::string& public_key, |
| 210 const std::string& private_key, |
| 211 scoped_ptr<crypto::ECPrivateKey>* key_out); |
| 212 |
| 213 // Exports the public and private keys from the provided crypto::ECPrivateKey |
| 214 // |key| and writes them to |public_key| and |private_key|. If there's an error |
| 215 // calling ExportEncryptedPrivateKey or ExportPublicKey on the ECPrivateKey, |
| 216 // then this function returns ERR_PRIVATE_KEY_EXPORT_FAILED. Otherwise it |
| 217 // returns OK. |
| 218 // |
| 219 // This function is only exposed here so that it can be used in unittests. |
| 220 NET_EXPORT_PRIVATE int ExportKeyPair( |
| 221 const scoped_ptr<crypto::ECPrivateKey>& key, |
| 222 std::string* public_key, |
| 223 std::string* private_key); |
| 224 |
213 } // namespace net | 225 } // namespace net |
214 | 226 |
215 #endif // NET_SSL_CHANNEL_ID_SERVICE_H_ | 227 #endif // NET_SSL_CHANNEL_ID_SERVICE_H_ |
OLD | NEW |