Certificate Transparency: Fetching of Signed Tree Heads (DRAFT)

components/certificate_transparency/tree_state_tracker.cc

+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/certificate_transparency/tree_state_tracker.h"
+
+#include "base/strings/string_number_conversions.h"
+#include "base/thread_task_runner_handle.h"
+#include "components/certificate_transparency/log_proof_fetcher.h"
+#include "content/public/browser/browser_thread.h"
+#include "net/cert/ct_log_verifier.h"
+#include "net/cert/signed_certificate_timestamp.h"
+#include "net/cert/signed_tree_head.h"
+#include "net/cert/x509_certificate.h"
+
+namespace certificate_transparency {
+
+TreeStateTracker::TreeStateTracker(
+    scoped_ptr<LogProofFetcher> fetcher,
+    const std::vector<scoped_refptr<net::CTLogVerifier>>& ct_logs)
+    : fetcher_(fetcher.Pass()) {
+  for (auto it = ct_logs.begin(); it != ct_logs.end(); ++it) {
+    scoped_refptr<net::CTLogVerifier> log(*it);
+    ct_logs_[log->key_id()] = log;
+  }
+  content::BrowserThread::PostAfterStartupTask(
+      FROM_HERE, base::ThreadTaskRunnerHandle::Get(),
+      base::Bind(&TreeStateTracker::RefreshSTHs, base::Unretained(this)));
+}
+
+TreeStateTracker::~TreeStateTracker() {}
+
+void TreeStateTracker::OnSCTVerified(
+    net::X509Certificate* cert,
+    const net::ct::SignedCertificateTimestamp* sct) {
+  VLOG(0) << "Verified SCT observed.";
+  const auto& it = verified_sths_.find(sct->log_id);
+  std::string log_id_hex =
+      base::HexEncode(sct->log_id.data(), sct->log_id.size());
+  if (it == verified_sths_.end()) {
+    VLOG(0) << "No STH found for log " << log_id_hex;
+    // TODO(eranm): Enqueue SCT for inclusion check later.
+    return;
+  }
+
+  VLOG(0) << "Found STH for log " << log_id_hex;
+  const net::ct::SignedTreeHead& sth(it->second);
+  if (sth.timestamp > sct->timestamp) {
+    VLOG(0) << "STH timestamp (" << sth.timestamp << ") is newer than SCT "
+            << "timestamp (" << sct->timestamp << "), could check inclusion.";
+    // TODO(eranm): Perform actual inclusion check.
+  } else {
+    VLOG(0) << "STH timestamp (" << sth.timestamp << ") is OLDER than SCT "
+            << "timestamp (" << sct->timestamp << "), need fresh STH.";
+    // TODO(eranm): Enqueue SCT for inclusion check later.
+  }
+}
+
+void TreeStateTracker::RefreshSTHs() {
+  // TODO(eranm): Verify that base::Unretained usage here is fine since
+  // this class owns the fetcher and the fetcher, when deleted, will delete
+  // all pending requests, so this class always outlives the fetcher.
+  LogProofFetcher::SignedTreeHeadFetchedCallback success_callback =
+      base::Bind(&TreeStateTracker::OnSTHFetched, base::Unretained(this));
+  LogProofFetcher::FetchFailedCallback error_callback = base::Bind(
+      &TreeStateTracker::OnSTHFetchingFailed, base::Unretained(this));
+  for (auto it = ct_logs_.begin(); it != ct_logs_.end(); ++it) {
+    VLOG(0) << "Fetching STH for log " << it->second.get()->description();
+    net::CTLogVerifier* log(it->second.get());
+    fetcher_->FetchSignedTreeHead(log->url(), log->key_id(), success_callback,
+                                  error_callback);
+  }
+}
+
+void TreeStateTracker::OnSTHFetched(
+    const std::string& log_id,
+    const net::ct::SignedTreeHead& unverified_sth) {
+  VLOG(0) << "Received unverified sth.";
+  auto it = ct_logs_.find(log_id);
+  if (it == ct_logs_.end()) {
+    VLOG(0) << "STH is for unknown log!.";
+    return;
+  }
+
+  net::CTLogVerifier* log(it->second.get());
+  if (!log->VerifySignedTreeHead(unverified_sth)) {
+    VLOG(0) << "STH is for " << log->url() << " could not be verified.";
+    return;
+  }
+  VLOG(0) << "Signature for STH from " << log->url() << " for tree size "
+          << unverified_sth.tree_size << " verified.";
+
+  if (verified_sths_.find(log_id) == verified_sths_.end()) {
+    // No STHs currently known for this log, consider this one
+    // as verified.
+    verified_sths_[log_id] = unverified_sth;
+  } else {
+    // TODO(eranm): Request a consistency proof.
+    sths_pending_consistency_check_[log_id] = unverified_sth;
+  }
+}
+
+void TreeStateTracker::OnSTHFetchingFailed(const std::string& log_id,
+                                           int net_error,
+                                           int http_response_code) {
+  const auto& it = ct_logs_.find(log_id);
+  if (it == ct_logs_.end()) {
+    VLOG(0) << "STH fetch failure for unknown log!.";
+    return;
+  }
+
+  net::CTLogVerifier* log(it->second.get());
+  // TODO(eranm): UMA
+  VLOG(0) << "Fetching of STH from " << log->description() << " failed because "
+          << net_error << " " << http_response_code;
+}
+
+}  // namespace certificate_transparency