Index: components/certificate_transparency/log_proofs_fetcher.cc |
diff --git a/components/certificate_transparency/log_proofs_fetcher.cc b/components/certificate_transparency/log_proofs_fetcher.cc |
new file mode 100644 |
index 0000000000000000000000000000000000000000..7915774c9800e2484dbb0dcd1398fb1510b63d79 |
--- /dev/null |
+++ b/components/certificate_transparency/log_proofs_fetcher.cc |
@@ -0,0 +1,208 @@ |
+// Copyright 2015 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#include "components/certificate_transparency/log_proofs_fetcher.h" |
+ |
+#include "base/base64.h" |
+#include "base/json/json_reader.h" |
+#include "base/logging.h" |
+#include "base/stl_util.h" |
+#include "base/strings/string_piece.h" |
+#include "base/time/time.h" |
+#include "base/values.h" |
+#include "net/base/load_flags.h" |
+#include "net/base/request_priority.h" |
+#include "net/cert/ct_log_verifier.h" |
+#include "net/cert/ct_serialization.h" |
+#include "net/cert/signed_tree_head.h" |
+#include "net/url_request/url_request_context.h" |
+ |
+const int kMaxSTHSize = 600; |
Ryan Sleevi
2015/04/24 10:42:07
1) Document
2) SizeIn.... Bytes? Kb?
kMaxSTHSizeI
Eran Messeri
2015/06/18 15:18:40
Done.
|
+ |
+namespace certificate_transparency { |
+ |
+LogProofsFetcher::LogProofsFetcher(net::URLRequestContext* request_context) |
+ : request_context_(request_context) { |
+} |
+ |
+LogProofsFetcher::~LogProofsFetcher() { |
+ STLDeleteContainerPairPointers(inflight_requests_.begin(), |
+ inflight_requests_.end()); |
+} |
Ryan Sleevi
2015/04/24 10:42:06
SPECIAL NOTE: Because you have a URLRequestContext
Eran Messeri
2015/06/18 15:18:41
Done - cancelled all requests.
|
+ |
+scoped_ptr<net::URLRequest> LogProofsFetcher::CreateURLRequest( |
+ GURL fetch_sth_url) { |
+ scoped_ptr<net::URLRequest> request = request_context_->CreateRequest( |
+ fetch_sth_url, net::DEFAULT_PRIORITY, this); |
+ request->SetLoadFlags(net::LOAD_DO_NOT_SEND_COOKIES | |
+ net::LOAD_DO_NOT_SAVE_COOKIES); |
+ return request.Pass(); |
+} |
+ |
+void LogProofsFetcher::FetchSTH(net::CTLogVerifier* verifier) { |
+ std::string fetch_sth_url = verifier->url() + "/get-sth"; |
+ GURL fetch_url(fetch_sth_url); |
Ryan Sleevi
2015/04/24 10:42:06
SOMETHING: I suspect we have something for appendi
Eran Messeri
2015/06/18 15:18:41
Found it - GURL has a Resolve method that does tha
|
+ scoped_ptr<net::URLRequest> request = CreateURLRequest(fetch_url); |
+ request->set_method("GET"); |
+ |
+ net::URLRequest* raw_request = request.get(); |
+ FetchParams* params = new FetchParams(verifier); |
+ inflight_requests_.insert(std::make_pair(request.release(), params)); |
+ raw_request->Start(); |
+} |
+ |
+void LogProofsFetcher::OnResponseStarted(net::URLRequest* request) { |
+ const net::URLRequestStatus& status(request->status()); |
+ VLOG(0) << "Response started for fetch-sth from " << request->original_url(); |
Ryan Sleevi
2015/04/24 10:42:06
VLOG(0) is wrong; VLOG(1) at best.
That said, thi
Eran Messeri
2015/06/18 15:18:40
I've changed all VLOGs in this file to VLOG(1), ho
|
+ if (!status.is_success()) { |
+ LOG(WARNING) << "Fetching STH from " << request->original_url() |
+ << " failed. status:" << status.status() |
+ << " error:" << status.error(); |
Ryan Sleevi
2015/04/24 10:42:06
ditto; net-internals will have this (since it'll h
Eran Messeri
2015/06/18 15:18:41
Acknowledged.
|
+ RequestCleanup(request); |
+ } else if (request->GetResponseCode() != 200) { |
+ LOG(WARNING) << "Fetch STH HTTP status: " << request->GetResponseCode(); |
Ryan Sleevi
2015/04/24 10:42:07
ditto; net-internals will have this.
Eran Messeri
2015/06/18 15:18:41
Acknowledged.
|
+ RequestCleanup(request); |
+ return; |
+ } |
+ |
+ RequestsMap::iterator it(inflight_requests_.find(request)); |
Ryan Sleevi
2015/04/24 10:42:06
auto it = inflight_requests_.find(request);
Eran Messeri
2015/06/18 15:18:40
Done.
|
+ DCHECK(it != inflight_requests_.end()); |
+ scoped_refptr<net::IOBufferWithSize> buffer(it->second->sth_buffer); |
+ VLOG(0) << "Kicking off read."; |
Ryan Sleevi
2015/04/24 10:42:07
all these vlogs are in net-internals; I'll stop wh
Eran Messeri
2015/06/18 15:18:40
Acknowledged.
|
+ request->Read(buffer.get(), buffer->size(), &(it->second->read_bytes)); |
+ if (request->status().is_io_pending()) { |
+ VLOG(0) << "IO Pending: Will wait."; |
+ return; |
+ } else { |
+ VLOG(0) << "Data available: Invoking OnReadComplete."; |
+ OnReadCompleted(request, it->second->read_bytes); |
+ } |
+} |
+ |
+void LogProofsFetcher::OnReadCompleted(net::URLRequest* request, |
+ int bytes_read) { |
+ VLOG(0) << "Read complete, got " << bytes_read << " bytes."; |
+ RequestComplete(request, bytes_read); |
+} |
+ |
+void LogProofsFetcher::RequestComplete(net::URLRequest* request, |
+ int bytes_read) { |
+ RequestsMap::iterator it(inflight_requests_.find(request)); |
Ryan Sleevi
2015/04/24 10:42:06
auto it = inflight_requests_.find(request)
Eran Messeri
2015/06/18 15:18:41
Done.
|
+ DCHECK(it != inflight_requests_.end()); |
+ if (it->first != request) { |
Ryan Sleevi
2015/04/24 10:42:06
seems like a fatal error here, right?
if (it->fir
Eran Messeri
2015/06/18 15:18:40
Done.
|
+ LOG(WARNING) << "Different requests?!"; |
+ } |
+ |
+ FetchParams* params(it->second); |
+ VLOG(0) << "Got " << bytes_read << " bytes."; |
+ |
+ // Extract STH json an parse it |
+ base::StringPiece json_sth(params->sth_buffer->data(), bytes_read); |
+ VLOG(0) << "STH data: " << json_sth; |
+ scoped_ptr<net::ct::SignedTreeHead> sth; |
+ if (CTLogResponseParser::FillSignedTreeHead(json_sth, sth.get())) { |
Ryan Sleevi
2015/04/24 10:42:06
DESIGN: Crap, I forgot the important thing to note
Ryan Sleevi
2015/04/24 10:42:06
STYLE: We tend to put error control *before* the r
Ryan Sleevi
2015/04/24 10:42:06
SECURITY BUG: You forgot to allocate |sth|, but Fi
Eran Messeri
2015/06/18 15:18:40
Done.
Eran Messeri
2015/06/18 15:18:40
Done.
Eran Messeri
2015/06/18 15:18:41
Done.
|
+ VLOG(0) << "Parsed STH successfully."; |
+ if (params->verifier->VerifySignedTreeHead(sth.get())) { |
Ryan Sleevi
2015/04/24 10:42:06
ditto here, whenever this "becomes something impor
Eran Messeri
2015/06/18 15:18:41
Ack,Done.
|
+ VLOG(0) << "Received valid STH."; |
+ } else { |
+ VLOG(0) << "Received invalid STH."; |
+ } |
+ } else { |
+ LOG(ERROR) << "Invalid STH."; |
+ } |
+ RequestCleanup(request); |
+} |
+ |
+void LogProofsFetcher::RequestCleanup(net::URLRequest* request) { |
+ VLOG(0) << "Cleaning up request to " << request->original_url(); |
+ RequestsMap::iterator it(inflight_requests_.find(request)); |
Ryan Sleevi
2015/04/24 10:42:07
auto
Eran Messeri
2015/06/18 15:18:41
Done.
|
+ DCHECK(it != inflight_requests_.end()); |
+ |
+ scoped_ptr<FetchParams> params(it->second); |
+ // Delete the request, remove from map. |
+ scoped_ptr<net::URLRequest> url_request(it->first); |
+ // Both pointers will be deleted when exiting the method. |
+ VLOG(0) << "Erasing iterator."; |
Ryan Sleevi
2015/04/24 10:42:06
too chatty (as with all the VLOGs), so hushing on
Eran Messeri
2015/06/18 15:18:40
Acknowledged.
|
+ inflight_requests_.erase(it); |
+} |
+ |
+LogProofsFetcher::FetchParams::FetchParams(net::CTLogVerifier* verifier) |
+ : verifier(verifier), sth_buffer(new net::IOBufferWithSize(kMaxSTHSize)) { |
+} |
+ |
+LogProofsFetcher::FetchParams::~FetchParams() { |
+} |
+ |
+bool CTLogResponseParser::FillSignedTreeHead(const base::StringPiece& json_sth, |
+ net::ct::SignedTreeHead* sth) { |
+ base::JSONReader json_reader; |
+ base::Value* json = json_reader.Read(json_sth); |
+ if (json == NULL) { |
Ryan Sleevi
2015/04/24 10:42:06
s/NULL/nullptr
Eran Messeri
2015/06/18 15:18:41
Done.
|
+ LOG(WARNING) << "Empty JSON."; |
+ return false; |
+ } |
+ |
+ const base::DictionaryValue* json_dict; |
+ if (!json->GetAsDictionary(&json_dict)) { |
+ LOG(WARNING) << "Json value not a dictionary."; |
+ return false; |
+ } |
+ |
+ int tree_size; |
+ if (!json_dict->GetInteger("tree_size", &tree_size)) { |
+ LOG(WARNING) << "Json dictionary does not contain tree_size"; |
+ return false; |
+ } |
+ |
+ double timestamp; |
+ if (!json_dict->GetDouble("timestamp", ×tamp)) { |
+ LOG(WARNING) << "Json dictionary does not contain timestamp"; |
+ return false; |
+ } |
+ |
+ std::string sha256_root_hash; |
+ if (!json_dict->GetString("sha256_root_hash", &sha256_root_hash)) { |
+ LOG(WARNING) << "Json dictionary does not contain sha256_root_hash"; |
+ return false; |
+ } |
+ |
+ std::string tree_head_signature; |
+ if (!json_dict->GetString("tree_head_signature", &tree_head_signature)) { |
+ LOG(WARNING) << "Json dictionary does not contain tree_head_signature"; |
+ return false; |
+ } |
+ |
+ std::string decoded_root_hash; |
+ if (!base::Base64Decode(sha256_root_hash, &decoded_root_hash)) { |
+ LOG(WARNING) << "Failed decoding sha256_root_hash"; |
+ return false; |
+ } |
+ |
+ if (decoded_root_hash.length() != net::ct::kSthRootHashLength) { |
+ LOG(WARNING) << "sha256_root_hash must be exactly 32 bit."; |
+ return false; |
+ } |
+ |
+ std::string decoded_signature; |
+ if (!base::Base64Decode(tree_head_signature, &decoded_signature)) { |
+ LOG(WARNING) << "Failed decoding tree_head_signature"; |
+ return false; |
+ } |
+ |
+ base::StringPiece sp(decoded_signature); |
+ if (!DecodeDigitallySigned(&sp, &(sth->signature))) { |
+ LOG(WARNING) << "Failed decoding signature to DigitallySigned"; |
+ return false; |
+ } |
+ |
+ sth->version = net::ct::SignedTreeHead::V1; |
+ sth->tree_size = tree_size; |
+ sth->timestamp = |
+ base::Time::UnixEpoch() + base::TimeDelta::FromMilliseconds(timestamp); |
+ memcpy(sth->sha256_root_hash, decoded_root_hash.c_str(), |
+ net::ct::kSthRootHashLength); |
+ return true; |
+} |
+ |
+} // namespace certificate_transparency |