OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_SSL_CHANNEL_ID_SERVICE_H_ | 5 #ifndef NET_SSL_CHANNEL_ID_SERVICE_H_ |
6 #define NET_SSL_CHANNEL_ID_SERVICE_H_ | 6 #define NET_SSL_CHANNEL_ID_SERVICE_H_ |
7 | 7 |
8 #include <map> | 8 #include <map> |
9 #include <string> | 9 #include <string> |
10 #include <vector> | 10 #include <vector> |
11 | 11 |
12 #include "base/basictypes.h" | 12 #include "base/basictypes.h" |
13 #include "base/memory/scoped_ptr.h" | 13 #include "base/memory/scoped_ptr.h" |
14 #include "base/memory/weak_ptr.h" | 14 #include "base/memory/weak_ptr.h" |
15 #include "base/threading/non_thread_safe.h" | 15 #include "base/threading/non_thread_safe.h" |
16 #include "base/time/time.h" | 16 #include "base/time/time.h" |
17 #include "net/base/completion_callback.h" | 17 #include "net/base/completion_callback.h" |
18 #include "net/base/net_export.h" | 18 #include "net/base/net_export.h" |
19 #include "net/ssl/channel_id_store.h" | 19 #include "net/ssl/channel_id_store.h" |
20 | 20 |
21 namespace base { | 21 namespace base { |
22 class TaskRunner; | 22 class TaskRunner; |
23 } | 23 } // namespace base |
| 24 |
| 25 namespace crypto { |
| 26 class ECPrivateKey; |
| 27 } // namespace crypto |
24 | 28 |
25 namespace net { | 29 namespace net { |
26 | 30 |
27 class ChannelIDServiceJob; | 31 class ChannelIDServiceJob; |
28 class ChannelIDServiceRequest; | 32 class ChannelIDServiceRequest; |
29 class ChannelIDServiceWorker; | 33 class ChannelIDServiceWorker; |
30 | 34 |
31 // A class for creating and fetching domain bound certs. They are used | 35 // A class for creating and fetching Channel IDs. |
32 // to identify users' machines; their public keys are used as channel IDs in | |
33 // http://tools.ietf.org/html/draft-balfanz-tls-channelid-00. | |
34 // As a result although certs are set to be invalid after one year, we don't | |
35 // actually expire them. Once generated, certs are valid as long as the users | |
36 // want. Users can delete existing certs, and new certs will be generated | |
37 // automatically. | |
38 | 36 |
39 // Inherits from NonThreadSafe in order to use the function | 37 // Inherits from NonThreadSafe in order to use the function |
40 // |CalledOnValidThread|. | 38 // |CalledOnValidThread|. |
41 class NET_EXPORT ChannelIDService | 39 class NET_EXPORT ChannelIDService |
42 : NON_EXPORTED_BASE(public base::NonThreadSafe) { | 40 : NON_EXPORTED_BASE(public base::NonThreadSafe) { |
43 public: | 41 public: |
44 class NET_EXPORT RequestHandle { | 42 class NET_EXPORT RequestHandle { |
45 public: | 43 public: |
46 RequestHandle(); | 44 RequestHandle(); |
47 ~RequestHandle(); | 45 ~RequestHandle(); |
(...skipping 17 matching lines...) Expand all Loading... |
65 ChannelIDServiceRequest* request_; | 63 ChannelIDServiceRequest* request_; |
66 CompletionCallback callback_; | 64 CompletionCallback callback_; |
67 }; | 65 }; |
68 | 66 |
69 // Password used on EncryptedPrivateKeyInfo data stored in EC private_key | 67 // Password used on EncryptedPrivateKeyInfo data stored in EC private_key |
70 // values. (This is not used to provide any security, but to workaround NSS | 68 // values. (This is not used to provide any security, but to workaround NSS |
71 // being unable to import unencrypted PrivateKeyInfo for EC keys.) | 69 // being unable to import unencrypted PrivateKeyInfo for EC keys.) |
72 static const char kEPKIPassword[]; | 70 static const char kEPKIPassword[]; |
73 | 71 |
74 // This object owns |channel_id_store|. |task_runner| will | 72 // This object owns |channel_id_store|. |task_runner| will |
75 // be used to post certificate generation worker tasks. The tasks are | 73 // be used to post channel ID generation worker tasks. The tasks are |
76 // safe for use with WorkerPool and SequencedWorkerPool::CONTINUE_ON_SHUTDOWN. | 74 // safe for use with WorkerPool and SequencedWorkerPool::CONTINUE_ON_SHUTDOWN. |
77 ChannelIDService( | 75 ChannelIDService( |
78 ChannelIDStore* channel_id_store, | 76 ChannelIDStore* channel_id_store, |
79 const scoped_refptr<base::TaskRunner>& task_runner); | 77 const scoped_refptr<base::TaskRunner>& task_runner); |
80 | 78 |
81 ~ChannelIDService(); | 79 ~ChannelIDService(); |
82 | 80 |
83 // Returns the domain to be used for |host|. The domain is the | 81 // Returns the domain to be used for |host|. The domain is the |
84 // "registry controlled domain", or the "ETLD + 1" where one exists, or | 82 // "registry controlled domain", or the "ETLD + 1" where one exists, or |
85 // the origin otherwise. | 83 // the origin otherwise. |
86 static std::string GetDomainForHost(const std::string& host); | 84 static std::string GetDomainForHost(const std::string& host); |
87 | 85 |
88 // Tests whether the system time is within the supported range for | 86 // Fetches the channel ID for the specified host if one exists and |
89 // certificate generation. This value is cached when ChannelIDService | |
90 // is created, so if the system time is changed by a huge amount, this may no | |
91 // longer hold. | |
92 bool IsSystemTimeValid() const { return is_system_time_valid_; } | |
93 | |
94 // Fetches the domain bound cert for the specified host if one exists and | |
95 // creates one otherwise. Returns OK if successful or an error code upon | 87 // creates one otherwise. Returns OK if successful or an error code upon |
96 // failure. | 88 // failure. |
97 // | 89 // |
98 // On successful completion, |private_key| stores a DER-encoded | 90 // On successful completion, |key| holds the ECDSA keypair used for this |
99 // PrivateKeyInfo struct, and |cert| stores a DER-encoded certificate. | 91 // channel ID. |
100 // The PrivateKeyInfo is always an ECDSA private key. | |
101 // | 92 // |
102 // |callback| must not be null. ERR_IO_PENDING is returned if the operation | 93 // |callback| must not be null. ERR_IO_PENDING is returned if the operation |
103 // could not be completed immediately, in which case the result code will | 94 // could not be completed immediately, in which case the result code will |
104 // be passed to the callback when available. | 95 // be passed to the callback when available. |
105 // | 96 // |
106 // |*out_req| will be initialized with a handle to the async request. This | 97 // |*out_req| will be initialized with a handle to the async request. This |
107 // RequestHandle object must be cancelled or destroyed before the | 98 // RequestHandle object must be cancelled or destroyed before the |
108 // ChannelIDService is destroyed. | 99 // ChannelIDService is destroyed. |
109 int GetOrCreateChannelID( | 100 int GetOrCreateChannelID(const std::string& host, |
110 const std::string& host, | 101 scoped_ptr<crypto::ECPrivateKey>* key, |
111 std::string* private_key, | 102 const CompletionCallback& callback, |
112 std::string* cert, | 103 RequestHandle* out_req); |
113 const CompletionCallback& callback, | |
114 RequestHandle* out_req); | |
115 | 104 |
116 // Fetches the domain bound cert for the specified host if one exists. | 105 // Fetches the channel ID for the specified host if one exists. |
117 // Returns OK if successful, ERR_FILE_NOT_FOUND if none exists, or an error | 106 // Returns OK if successful, ERR_FILE_NOT_FOUND if none exists, or an error |
118 // code upon failure. | 107 // code upon failure. |
119 // | 108 // |
120 // On successful completion, |private_key| stores a DER-encoded | 109 // On successful completion, |key| holds the ECDSA keypair used for this |
121 // PrivateKeyInfo struct, and |cert| stores a DER-encoded certificate. | 110 // channel ID. |
122 // The PrivateKeyInfo is always an ECDSA private key. | |
123 // | 111 // |
124 // |callback| must not be null. ERR_IO_PENDING is returned if the operation | 112 // |callback| must not be null. ERR_IO_PENDING is returned if the operation |
125 // could not be completed immediately, in which case the result code will | 113 // could not be completed immediately, in which case the result code will |
126 // be passed to the callback when available. If an in-flight | 114 // be passed to the callback when available. If an in-flight |
127 // GetChannelID is pending, and a new GetOrCreateDomainBoundCert | 115 // GetChannelID is pending, and a new GetOrCreateChannelID |
128 // request arrives for the same domain, the GetChannelID request will | 116 // request arrives for the same domain, the GetChannelID request will |
129 // not complete until a new cert is created. | 117 // not complete until a new channel ID is created. |
130 // | 118 // |
131 // |*out_req| will be initialized with a handle to the async request. This | 119 // |*out_req| will be initialized with a handle to the async request. This |
132 // RequestHandle object must be cancelled or destroyed before the | 120 // RequestHandle object must be cancelled or destroyed before the |
133 // ChannelIDService is destroyed. | 121 // ChannelIDService is destroyed. |
134 int GetChannelID( | 122 int GetChannelID(const std::string& host, |
135 const std::string& host, | 123 scoped_ptr<crypto::ECPrivateKey>* key, |
136 std::string* private_key, | 124 const CompletionCallback& callback, |
137 std::string* cert, | 125 RequestHandle* out_req); |
138 const CompletionCallback& callback, | |
139 RequestHandle* out_req); | |
140 | 126 |
141 // Returns the backing ChannelIDStore. | 127 // Returns the backing ChannelIDStore. |
142 ChannelIDStore* GetChannelIDStore(); | 128 ChannelIDStore* GetChannelIDStore(); |
143 | 129 |
144 // Public only for unit testing. | 130 // Public only for unit testing. |
145 int cert_count(); | 131 int channel_id_count(); |
146 uint64 requests() const { return requests_; } | 132 uint64 requests() const { return requests_; } |
147 uint64 cert_store_hits() const { return cert_store_hits_; } | 133 uint64 key_store_hits() const { return key_store_hits_; } |
148 uint64 inflight_joins() const { return inflight_joins_; } | 134 uint64 inflight_joins() const { return inflight_joins_; } |
149 uint64 workers_created() const { return workers_created_; } | 135 uint64 workers_created() const { return workers_created_; } |
150 | 136 |
151 private: | 137 private: |
152 // Cancels the specified request. |req| is the handle stored by | 138 // Cancels the specified request. |req| is the handle stored by |
153 // GetChannelID(). After a request is canceled, its completion | 139 // GetChannelID(). After a request is canceled, its completion |
154 // callback will not be called. | 140 // callback will not be called. |
155 void CancelRequest(ChannelIDServiceRequest* req); | 141 void CancelRequest(ChannelIDServiceRequest* req); |
156 | 142 |
157 void GotChannelID(int err, | 143 void GotChannelID(int err, |
158 const std::string& server_identifier, | 144 const std::string& server_identifier, |
159 base::Time expiration_time, | 145 scoped_ptr<crypto::ECPrivateKey> key); |
160 const std::string& key, | |
161 const std::string& cert); | |
162 void GeneratedChannelID( | 146 void GeneratedChannelID( |
163 const std::string& server_identifier, | 147 const std::string& server_identifier, |
164 int error, | 148 int error, |
165 scoped_ptr<ChannelIDStore::ChannelID> channel_id); | 149 scoped_ptr<ChannelIDStore::ChannelID> channel_id); |
166 void HandleResult(int error, | 150 void HandleResult(int error, |
167 const std::string& server_identifier, | 151 const std::string& server_identifier, |
168 const std::string& private_key, | 152 scoped_ptr<crypto::ECPrivateKey> key); |
169 const std::string& cert); | |
170 | 153 |
171 // Searches for an in-flight request for the same domain. If found, | 154 // Searches for an in-flight request for the same domain. If found, |
172 // attaches to the request and returns true. Returns false if no in-flight | 155 // attaches to the request and returns true. Returns false if no in-flight |
173 // request is found. | 156 // request is found. |
174 bool JoinToInFlightRequest(const base::TimeTicks& request_start, | 157 bool JoinToInFlightRequest(const base::TimeTicks& request_start, |
175 const std::string& domain, | 158 const std::string& domain, |
176 std::string* private_key, | 159 scoped_ptr<crypto::ECPrivateKey>* key, |
177 std::string* cert, | |
178 bool create_if_missing, | 160 bool create_if_missing, |
179 const CompletionCallback& callback, | 161 const CompletionCallback& callback, |
180 RequestHandle* out_req); | 162 RequestHandle* out_req); |
181 | 163 |
182 // Looks for the domain bound cert for |domain| in this service's store. | 164 // Looks for the channel ID for |domain| in this service's store. |
183 // Returns OK if it can be found synchronously, ERR_IO_PENDING if the | 165 // Returns OK if it can be found synchronously, ERR_IO_PENDING if the |
184 // result cannot be obtained synchronously, or a network error code on | 166 // result cannot be obtained synchronously, or a network error code on |
185 // failure (including failure to find a domain-bound cert of |domain|). | 167 // failure (including failure to find a channel ID of |domain|). |
186 int LookupChannelID(const base::TimeTicks& request_start, | 168 int LookupChannelID(const base::TimeTicks& request_start, |
187 const std::string& domain, | 169 const std::string& domain, |
188 std::string* private_key, | 170 scoped_ptr<crypto::ECPrivateKey>* key, |
189 std::string* cert, | |
190 bool create_if_missing, | 171 bool create_if_missing, |
191 const CompletionCallback& callback, | 172 const CompletionCallback& callback, |
192 RequestHandle* out_req); | 173 RequestHandle* out_req); |
193 | 174 |
194 scoped_ptr<ChannelIDStore> channel_id_store_; | 175 scoped_ptr<ChannelIDStore> channel_id_store_; |
195 scoped_refptr<base::TaskRunner> task_runner_; | 176 scoped_refptr<base::TaskRunner> task_runner_; |
196 | 177 |
197 // inflight_ maps from a server to an active generation which is taking | 178 // inflight_ maps from a server to an active generation which is taking |
198 // place. | 179 // place. |
199 std::map<std::string, ChannelIDServiceJob*> inflight_; | 180 std::map<std::string, ChannelIDServiceJob*> inflight_; |
200 | 181 |
201 uint64 requests_; | 182 uint64 requests_; |
202 uint64 cert_store_hits_; | 183 uint64 key_store_hits_; |
203 uint64 inflight_joins_; | 184 uint64 inflight_joins_; |
204 uint64 workers_created_; | 185 uint64 workers_created_; |
205 | 186 |
206 bool is_system_time_valid_; | |
207 | |
208 base::WeakPtrFactory<ChannelIDService> weak_ptr_factory_; | 187 base::WeakPtrFactory<ChannelIDService> weak_ptr_factory_; |
209 | 188 |
210 DISALLOW_COPY_AND_ASSIGN(ChannelIDService); | 189 DISALLOW_COPY_AND_ASSIGN(ChannelIDService); |
211 }; | 190 }; |
212 | 191 |
213 } // namespace net | 192 } // namespace net |
214 | 193 |
215 #endif // NET_SSL_CHANNEL_ID_SERVICE_H_ | 194 #endif // NET_SSL_CHANNEL_ID_SERVICE_H_ |
OLD | NEW |