| Index: components/certificate_transparency/tree_state_tracker.cc
|
| diff --git a/components/certificate_transparency/tree_state_tracker.cc b/components/certificate_transparency/tree_state_tracker.cc
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..0fed445ee86450f59c694685619d47e457524a70
|
| --- /dev/null
|
| +++ b/components/certificate_transparency/tree_state_tracker.cc
|
| @@ -0,0 +1,118 @@
|
| +// Copyright 2015 The Chromium Authors. All rights reserved.
|
| +// Use of this source code is governed by a BSD-style license that can be
|
| +// found in the LICENSE file.
|
| +
|
| +#include "components/certificate_transparency/tree_state_tracker.h"
|
| +
|
| +#include "base/strings/string_number_conversions.h"
|
| +#include "base/thread_task_runner_handle.h"
|
| +#include "components/certificate_transparency/log_proof_fetcher.h"
|
| +#include "content/public/browser/browser_thread.h"
|
| +#include "net/cert/ct_log_verifier.h"
|
| +#include "net/cert/signed_certificate_timestamp.h"
|
| +#include "net/cert/signed_tree_head.h"
|
| +#include "net/cert/x509_certificate.h"
|
| +
|
| +namespace certificate_transparency {
|
| +
|
| +TreeStateTracker::TreeStateTracker(
|
| + scoped_ptr<LogProofFetcher> fetcher,
|
| + const std::vector<scoped_refptr<net::CTLogVerifier>>& ct_logs)
|
| + : fetcher_(fetcher.Pass()) {
|
| + for (auto it = ct_logs.begin(); it != ct_logs.end(); ++it) {
|
| + scoped_refptr<net::CTLogVerifier> log(*it);
|
| + ct_logs_[log->key_id()] = log;
|
| + }
|
| + content::BrowserThread::PostAfterStartupTask(
|
| + FROM_HERE, base::ThreadTaskRunnerHandle::Get(),
|
| + base::Bind(&TreeStateTracker::RefreshSTHs, base::Unretained(this)));
|
| +}
|
| +
|
| +TreeStateTracker::~TreeStateTracker() {}
|
| +
|
| +void TreeStateTracker::OnSCTVerified(
|
| + net::X509Certificate* cert,
|
| + const net::ct::SignedCertificateTimestamp* sct) {
|
| + VLOG(0) << "Verified SCT observed.";
|
| + const auto& it = verified_sths_.find(sct->log_id);
|
| + std::string log_id_hex =
|
| + base::HexEncode(sct->log_id.data(), sct->log_id.size());
|
| + if (it == verified_sths_.end()) {
|
| + VLOG(0) << "No STH found for log " << log_id_hex;
|
| + // TODO(eranm): Enqueue SCT for inclusion check later.
|
| + return;
|
| + }
|
| +
|
| + VLOG(0) << "Found STH for log " << log_id_hex;
|
| + const net::ct::SignedTreeHead& sth(it->second);
|
| + if (sth.timestamp > sct->timestamp) {
|
| + VLOG(0) << "STH timestamp (" << sth.timestamp << ") is newer than SCT "
|
| + << "timestamp (" << sct->timestamp << "), could check inclusion.";
|
| + // TODO(eranm): Perform actual inclusion check.
|
| + } else {
|
| + VLOG(0) << "STH timestamp (" << sth.timestamp << ") is OLDER than SCT "
|
| + << "timestamp (" << sct->timestamp << "), need fresh STH.";
|
| + // TODO(eranm): Enqueue SCT for inclusion check later.
|
| + }
|
| +}
|
| +
|
| +void TreeStateTracker::RefreshSTHs() {
|
| + // TODO(eranm): Verify that base::Unretained usage here is fine since
|
| + // this class owns the fetcher and the fetcher, when deleted, will delete
|
| + // all pending requests, so this class always outlives the fetcher.
|
| + LogProofFetcher::SignedTreeHeadFetchedCallback success_callback =
|
| + base::Bind(&TreeStateTracker::OnSTHFetched, base::Unretained(this));
|
| + LogProofFetcher::FetchFailedCallback error_callback = base::Bind(
|
| + &TreeStateTracker::OnSTHFetchingFailed, base::Unretained(this));
|
| + for (auto it = ct_logs_.begin(); it != ct_logs_.end(); ++it) {
|
| + VLOG(0) << "Fetching STH for log " << it->second.get()->description();
|
| + net::CTLogVerifier* log(it->second.get());
|
| + fetcher_->FetchSignedTreeHead(log->url(), log->key_id(), success_callback,
|
| + error_callback);
|
| + }
|
| +}
|
| +
|
| +void TreeStateTracker::OnSTHFetched(
|
| + const std::string& log_id,
|
| + const net::ct::SignedTreeHead& unverified_sth) {
|
| + VLOG(0) << "Received unverified sth.";
|
| + auto it = ct_logs_.find(log_id);
|
| + if (it == ct_logs_.end()) {
|
| + VLOG(0) << "STH is for unknown log!.";
|
| + return;
|
| + }
|
| +
|
| + net::CTLogVerifier* log(it->second.get());
|
| + if (!log->VerifySignedTreeHead(unverified_sth)) {
|
| + VLOG(0) << "STH is for " << log->url() << " could not be verified.";
|
| + return;
|
| + }
|
| + VLOG(0) << "Signature for STH from " << log->url() << " for tree size "
|
| + << unverified_sth.tree_size << " verified.";
|
| +
|
| + if (verified_sths_.find(log_id) == verified_sths_.end()) {
|
| + // No STHs currently known for this log, consider this one
|
| + // as verified.
|
| + verified_sths_[log_id] = unverified_sth;
|
| + } else {
|
| + // TODO(eranm): Request a consistency proof.
|
| + sths_pending_consistency_check_[log_id] = unverified_sth;
|
| + }
|
| +}
|
| +
|
| +void TreeStateTracker::OnSTHFetchingFailed(const std::string& log_id,
|
| + int net_error,
|
| + int http_response_code) {
|
| + const auto& it = ct_logs_.find(log_id);
|
| + if (it == ct_logs_.end()) {
|
| + VLOG(0) << "STH fetch failure for unknown log!.";
|
| + return;
|
| + }
|
| +
|
| + net::CTLogVerifier* log(it->second.get());
|
| + // TODO(eranm): UMA
|
| + VLOG(0) << "Fetching of STH from " << log->description() << " failed because "
|
| + << net_error << " " << http_response_code;
|
| +}
|
| +
|
| +} // namespace certificate_transparency
|
|
|
Chromium Code Reviews
Issue 1100003006:
Certificate Transparency: Fetching of Signed Tree Heads (DRAFT) (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master