Index: components/certificate_transparency/tree_state_tracker.cc |
diff --git a/components/certificate_transparency/tree_state_tracker.cc b/components/certificate_transparency/tree_state_tracker.cc |
new file mode 100644 |
index 0000000000000000000000000000000000000000..0fed445ee86450f59c694685619d47e457524a70 |
--- /dev/null |
+++ b/components/certificate_transparency/tree_state_tracker.cc |
@@ -0,0 +1,118 @@ |
+// Copyright 2015 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#include "components/certificate_transparency/tree_state_tracker.h" |
+ |
+#include "base/strings/string_number_conversions.h" |
+#include "base/thread_task_runner_handle.h" |
+#include "components/certificate_transparency/log_proof_fetcher.h" |
+#include "content/public/browser/browser_thread.h" |
+#include "net/cert/ct_log_verifier.h" |
+#include "net/cert/signed_certificate_timestamp.h" |
+#include "net/cert/signed_tree_head.h" |
+#include "net/cert/x509_certificate.h" |
+ |
+namespace certificate_transparency { |
+ |
+TreeStateTracker::TreeStateTracker( |
+ scoped_ptr<LogProofFetcher> fetcher, |
+ const std::vector<scoped_refptr<net::CTLogVerifier>>& ct_logs) |
+ : fetcher_(fetcher.Pass()) { |
+ for (auto it = ct_logs.begin(); it != ct_logs.end(); ++it) { |
+ scoped_refptr<net::CTLogVerifier> log(*it); |
+ ct_logs_[log->key_id()] = log; |
+ } |
+ content::BrowserThread::PostAfterStartupTask( |
+ FROM_HERE, base::ThreadTaskRunnerHandle::Get(), |
+ base::Bind(&TreeStateTracker::RefreshSTHs, base::Unretained(this))); |
+} |
+ |
+TreeStateTracker::~TreeStateTracker() {} |
+ |
+void TreeStateTracker::OnSCTVerified( |
+ net::X509Certificate* cert, |
+ const net::ct::SignedCertificateTimestamp* sct) { |
+ VLOG(0) << "Verified SCT observed."; |
+ const auto& it = verified_sths_.find(sct->log_id); |
+ std::string log_id_hex = |
+ base::HexEncode(sct->log_id.data(), sct->log_id.size()); |
+ if (it == verified_sths_.end()) { |
+ VLOG(0) << "No STH found for log " << log_id_hex; |
+ // TODO(eranm): Enqueue SCT for inclusion check later. |
+ return; |
+ } |
+ |
+ VLOG(0) << "Found STH for log " << log_id_hex; |
+ const net::ct::SignedTreeHead& sth(it->second); |
+ if (sth.timestamp > sct->timestamp) { |
+ VLOG(0) << "STH timestamp (" << sth.timestamp << ") is newer than SCT " |
+ << "timestamp (" << sct->timestamp << "), could check inclusion."; |
+ // TODO(eranm): Perform actual inclusion check. |
+ } else { |
+ VLOG(0) << "STH timestamp (" << sth.timestamp << ") is OLDER than SCT " |
+ << "timestamp (" << sct->timestamp << "), need fresh STH."; |
+ // TODO(eranm): Enqueue SCT for inclusion check later. |
+ } |
+} |
+ |
+void TreeStateTracker::RefreshSTHs() { |
+ // TODO(eranm): Verify that base::Unretained usage here is fine since |
+ // this class owns the fetcher and the fetcher, when deleted, will delete |
+ // all pending requests, so this class always outlives the fetcher. |
+ LogProofFetcher::SignedTreeHeadFetchedCallback success_callback = |
+ base::Bind(&TreeStateTracker::OnSTHFetched, base::Unretained(this)); |
+ LogProofFetcher::FetchFailedCallback error_callback = base::Bind( |
+ &TreeStateTracker::OnSTHFetchingFailed, base::Unretained(this)); |
+ for (auto it = ct_logs_.begin(); it != ct_logs_.end(); ++it) { |
+ VLOG(0) << "Fetching STH for log " << it->second.get()->description(); |
+ net::CTLogVerifier* log(it->second.get()); |
+ fetcher_->FetchSignedTreeHead(log->url(), log->key_id(), success_callback, |
+ error_callback); |
+ } |
+} |
+ |
+void TreeStateTracker::OnSTHFetched( |
+ const std::string& log_id, |
+ const net::ct::SignedTreeHead& unverified_sth) { |
+ VLOG(0) << "Received unverified sth."; |
+ auto it = ct_logs_.find(log_id); |
+ if (it == ct_logs_.end()) { |
+ VLOG(0) << "STH is for unknown log!."; |
+ return; |
+ } |
+ |
+ net::CTLogVerifier* log(it->second.get()); |
+ if (!log->VerifySignedTreeHead(unverified_sth)) { |
+ VLOG(0) << "STH is for " << log->url() << " could not be verified."; |
+ return; |
+ } |
+ VLOG(0) << "Signature for STH from " << log->url() << " for tree size " |
+ << unverified_sth.tree_size << " verified."; |
+ |
+ if (verified_sths_.find(log_id) == verified_sths_.end()) { |
+ // No STHs currently known for this log, consider this one |
+ // as verified. |
+ verified_sths_[log_id] = unverified_sth; |
+ } else { |
+ // TODO(eranm): Request a consistency proof. |
+ sths_pending_consistency_check_[log_id] = unverified_sth; |
+ } |
+} |
+ |
+void TreeStateTracker::OnSTHFetchingFailed(const std::string& log_id, |
+ int net_error, |
+ int http_response_code) { |
+ const auto& it = ct_logs_.find(log_id); |
+ if (it == ct_logs_.end()) { |
+ VLOG(0) << "STH fetch failure for unknown log!."; |
+ return; |
+ } |
+ |
+ net::CTLogVerifier* log(it->second.get()); |
+ // TODO(eranm): UMA |
+ VLOG(0) << "Fetching of STH from " << log->description() << " failed because " |
+ << net_error << " " << http_response_code; |
+} |
+ |
+} // namespace certificate_transparency |