OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2015 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "components/certificate_transparency/log_proofs_fetcher.h" | |
6 | |
7 #include "base/base64.h" | |
8 #include "base/json/json_reader.h" | |
9 #include "base/logging.h" | |
10 #include "base/stl_util.h" | |
11 #include "base/strings/string_piece.h" | |
12 #include "base/time/time.h" | |
13 #include "base/values.h" | |
14 #include "net/base/load_flags.h" | |
15 #include "net/base/request_priority.h" | |
16 #include "net/cert/ct_log_verifier.h" | |
17 #include "net/cert/ct_serialization.h" | |
18 #include "net/cert/signed_tree_head.h" | |
19 #include "net/url_request/url_request_context.h" | |
20 | |
21 const int kMaxSTHSize = 600; | |
Ryan Sleevi
2015/04/24 10:42:07
1) Document
2) SizeIn.... Bytes? Kb?
kMaxSTHSizeI
Eran Messeri
2015/06/18 15:18:40
Done.
| |
22 | |
23 namespace certificate_transparency { | |
24 | |
25 LogProofsFetcher::LogProofsFetcher(net::URLRequestContext* request_context) | |
26 : request_context_(request_context) { | |
27 } | |
28 | |
29 LogProofsFetcher::~LogProofsFetcher() { | |
30 STLDeleteContainerPairPointers(inflight_requests_.begin(), | |
31 inflight_requests_.end()); | |
32 } | |
Ryan Sleevi
2015/04/24 10:42:06
SPECIAL NOTE: Because you have a URLRequestContext
Eran Messeri
2015/06/18 15:18:41
Done - cancelled all requests.
| |
33 | |
34 scoped_ptr<net::URLRequest> LogProofsFetcher::CreateURLRequest( | |
35 GURL fetch_sth_url) { | |
36 scoped_ptr<net::URLRequest> request = request_context_->CreateRequest( | |
37 fetch_sth_url, net::DEFAULT_PRIORITY, this); | |
38 request->SetLoadFlags(net::LOAD_DO_NOT_SEND_COOKIES | | |
39 net::LOAD_DO_NOT_SAVE_COOKIES); | |
40 return request.Pass(); | |
41 } | |
42 | |
43 void LogProofsFetcher::FetchSTH(net::CTLogVerifier* verifier) { | |
44 std::string fetch_sth_url = verifier->url() + "/get-sth"; | |
45 GURL fetch_url(fetch_sth_url); | |
Ryan Sleevi
2015/04/24 10:42:06
SOMETHING: I suspect we have something for appendi
Eran Messeri
2015/06/18 15:18:41
Found it - GURL has a Resolve method that does tha
| |
46 scoped_ptr<net::URLRequest> request = CreateURLRequest(fetch_url); | |
47 request->set_method("GET"); | |
48 | |
49 net::URLRequest* raw_request = request.get(); | |
50 FetchParams* params = new FetchParams(verifier); | |
51 inflight_requests_.insert(std::make_pair(request.release(), params)); | |
52 raw_request->Start(); | |
53 } | |
54 | |
55 void LogProofsFetcher::OnResponseStarted(net::URLRequest* request) { | |
56 const net::URLRequestStatus& status(request->status()); | |
57 VLOG(0) << "Response started for fetch-sth from " << request->original_url(); | |
Ryan Sleevi
2015/04/24 10:42:06
VLOG(0) is wrong; VLOG(1) at best.
That said, thi
Eran Messeri
2015/06/18 15:18:40
I've changed all VLOGs in this file to VLOG(1), ho
| |
58 if (!status.is_success()) { | |
59 LOG(WARNING) << "Fetching STH from " << request->original_url() | |
60 << " failed. status:" << status.status() | |
61 << " error:" << status.error(); | |
Ryan Sleevi
2015/04/24 10:42:06
ditto; net-internals will have this (since it'll h
Eran Messeri
2015/06/18 15:18:41
Acknowledged.
| |
62 RequestCleanup(request); | |
63 } else if (request->GetResponseCode() != 200) { | |
64 LOG(WARNING) << "Fetch STH HTTP status: " << request->GetResponseCode(); | |
Ryan Sleevi
2015/04/24 10:42:07
ditto; net-internals will have this.
Eran Messeri
2015/06/18 15:18:41
Acknowledged.
| |
65 RequestCleanup(request); | |
66 return; | |
67 } | |
68 | |
69 RequestsMap::iterator it(inflight_requests_.find(request)); | |
Ryan Sleevi
2015/04/24 10:42:06
auto it = inflight_requests_.find(request);
Eran Messeri
2015/06/18 15:18:40
Done.
| |
70 DCHECK(it != inflight_requests_.end()); | |
71 scoped_refptr<net::IOBufferWithSize> buffer(it->second->sth_buffer); | |
72 VLOG(0) << "Kicking off read."; | |
Ryan Sleevi
2015/04/24 10:42:07
all these vlogs are in net-internals; I'll stop wh
Eran Messeri
2015/06/18 15:18:40
Acknowledged.
| |
73 request->Read(buffer.get(), buffer->size(), &(it->second->read_bytes)); | |
74 if (request->status().is_io_pending()) { | |
75 VLOG(0) << "IO Pending: Will wait."; | |
76 return; | |
77 } else { | |
78 VLOG(0) << "Data available: Invoking OnReadComplete."; | |
79 OnReadCompleted(request, it->second->read_bytes); | |
80 } | |
81 } | |
82 | |
83 void LogProofsFetcher::OnReadCompleted(net::URLRequest* request, | |
84 int bytes_read) { | |
85 VLOG(0) << "Read complete, got " << bytes_read << " bytes."; | |
86 RequestComplete(request, bytes_read); | |
87 } | |
88 | |
89 void LogProofsFetcher::RequestComplete(net::URLRequest* request, | |
90 int bytes_read) { | |
91 RequestsMap::iterator it(inflight_requests_.find(request)); | |
Ryan Sleevi
2015/04/24 10:42:06
auto it = inflight_requests_.find(request)
Eran Messeri
2015/06/18 15:18:41
Done.
| |
92 DCHECK(it != inflight_requests_.end()); | |
93 if (it->first != request) { | |
Ryan Sleevi
2015/04/24 10:42:06
seems like a fatal error here, right?
if (it->fir
Eran Messeri
2015/06/18 15:18:40
Done.
| |
94 LOG(WARNING) << "Different requests?!"; | |
95 } | |
96 | |
97 FetchParams* params(it->second); | |
98 VLOG(0) << "Got " << bytes_read << " bytes."; | |
99 | |
100 // Extract STH json an parse it | |
101 base::StringPiece json_sth(params->sth_buffer->data(), bytes_read); | |
102 VLOG(0) << "STH data: " << json_sth; | |
103 scoped_ptr<net::ct::SignedTreeHead> sth; | |
104 if (CTLogResponseParser::FillSignedTreeHead(json_sth, sth.get())) { | |
Ryan Sleevi
2015/04/24 10:42:06
DESIGN: Crap, I forgot the important thing to note
Ryan Sleevi
2015/04/24 10:42:06
STYLE: We tend to put error control *before* the r
Ryan Sleevi
2015/04/24 10:42:06
SECURITY BUG: You forgot to allocate |sth|, but Fi
Eran Messeri
2015/06/18 15:18:40
Done.
Eran Messeri
2015/06/18 15:18:40
Done.
Eran Messeri
2015/06/18 15:18:41
Done.
| |
105 VLOG(0) << "Parsed STH successfully."; | |
106 if (params->verifier->VerifySignedTreeHead(sth.get())) { | |
Ryan Sleevi
2015/04/24 10:42:06
ditto here, whenever this "becomes something impor
Eran Messeri
2015/06/18 15:18:41
Ack,Done.
| |
107 VLOG(0) << "Received valid STH."; | |
108 } else { | |
109 VLOG(0) << "Received invalid STH."; | |
110 } | |
111 } else { | |
112 LOG(ERROR) << "Invalid STH."; | |
113 } | |
114 RequestCleanup(request); | |
115 } | |
116 | |
117 void LogProofsFetcher::RequestCleanup(net::URLRequest* request) { | |
118 VLOG(0) << "Cleaning up request to " << request->original_url(); | |
119 RequestsMap::iterator it(inflight_requests_.find(request)); | |
Ryan Sleevi
2015/04/24 10:42:07
auto
Eran Messeri
2015/06/18 15:18:41
Done.
| |
120 DCHECK(it != inflight_requests_.end()); | |
121 | |
122 scoped_ptr<FetchParams> params(it->second); | |
123 // Delete the request, remove from map. | |
124 scoped_ptr<net::URLRequest> url_request(it->first); | |
125 // Both pointers will be deleted when exiting the method. | |
126 VLOG(0) << "Erasing iterator."; | |
Ryan Sleevi
2015/04/24 10:42:06
too chatty (as with all the VLOGs), so hushing on
Eran Messeri
2015/06/18 15:18:40
Acknowledged.
| |
127 inflight_requests_.erase(it); | |
128 } | |
129 | |
130 LogProofsFetcher::FetchParams::FetchParams(net::CTLogVerifier* verifier) | |
131 : verifier(verifier), sth_buffer(new net::IOBufferWithSize(kMaxSTHSize)) { | |
132 } | |
133 | |
134 LogProofsFetcher::FetchParams::~FetchParams() { | |
135 } | |
136 | |
137 bool CTLogResponseParser::FillSignedTreeHead(const base::StringPiece& json_sth, | |
138 net::ct::SignedTreeHead* sth) { | |
139 base::JSONReader json_reader; | |
140 base::Value* json = json_reader.Read(json_sth); | |
141 if (json == NULL) { | |
Ryan Sleevi
2015/04/24 10:42:06
s/NULL/nullptr
Eran Messeri
2015/06/18 15:18:41
Done.
| |
142 LOG(WARNING) << "Empty JSON."; | |
143 return false; | |
144 } | |
145 | |
146 const base::DictionaryValue* json_dict; | |
147 if (!json->GetAsDictionary(&json_dict)) { | |
148 LOG(WARNING) << "Json value not a dictionary."; | |
149 return false; | |
150 } | |
151 | |
152 int tree_size; | |
153 if (!json_dict->GetInteger("tree_size", &tree_size)) { | |
154 LOG(WARNING) << "Json dictionary does not contain tree_size"; | |
155 return false; | |
156 } | |
157 | |
158 double timestamp; | |
159 if (!json_dict->GetDouble("timestamp", ×tamp)) { | |
160 LOG(WARNING) << "Json dictionary does not contain timestamp"; | |
161 return false; | |
162 } | |
163 | |
164 std::string sha256_root_hash; | |
165 if (!json_dict->GetString("sha256_root_hash", &sha256_root_hash)) { | |
166 LOG(WARNING) << "Json dictionary does not contain sha256_root_hash"; | |
167 return false; | |
168 } | |
169 | |
170 std::string tree_head_signature; | |
171 if (!json_dict->GetString("tree_head_signature", &tree_head_signature)) { | |
172 LOG(WARNING) << "Json dictionary does not contain tree_head_signature"; | |
173 return false; | |
174 } | |
175 | |
176 std::string decoded_root_hash; | |
177 if (!base::Base64Decode(sha256_root_hash, &decoded_root_hash)) { | |
178 LOG(WARNING) << "Failed decoding sha256_root_hash"; | |
179 return false; | |
180 } | |
181 | |
182 if (decoded_root_hash.length() != net::ct::kSthRootHashLength) { | |
183 LOG(WARNING) << "sha256_root_hash must be exactly 32 bit."; | |
184 return false; | |
185 } | |
186 | |
187 std::string decoded_signature; | |
188 if (!base::Base64Decode(tree_head_signature, &decoded_signature)) { | |
189 LOG(WARNING) << "Failed decoding tree_head_signature"; | |
190 return false; | |
191 } | |
192 | |
193 base::StringPiece sp(decoded_signature); | |
194 if (!DecodeDigitallySigned(&sp, &(sth->signature))) { | |
195 LOG(WARNING) << "Failed decoding signature to DigitallySigned"; | |
196 return false; | |
197 } | |
198 | |
199 sth->version = net::ct::SignedTreeHead::V1; | |
200 sth->tree_size = tree_size; | |
201 sth->timestamp = | |
202 base::Time::UnixEpoch() + base::TimeDelta::FromMilliseconds(timestamp); | |
203 memcpy(sth->sha256_root_hash, decoded_root_hash.c_str(), | |
204 net::ct::kSthRootHashLength); | |
205 return true; | |
206 } | |
207 | |
208 } // namespace certificate_transparency | |
OLD | NEW |