OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
erikwright (departed)
2013/01/04 19:20:10
Any reason why the changes in this file are lumped
mattm
2013/01/08 04:53:21
The interface to the ServerBoundCertStore is chang
| |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/server_bound_cert_service.h" | 5 #include "net/base/server_bound_cert_service.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <limits> | 8 #include <limits> |
9 | 9 |
10 #include "base/bind.h" | 10 #include "base/bind.h" |
11 #include "base/bind_helpers.h" | 11 #include "base/bind_helpers.h" |
(...skipping 26 matching lines...) Expand all Loading... | |
38 const int kValidityPeriodInDays = 365; | 38 const int kValidityPeriodInDays = 365; |
39 // When we check the system time, we add this many days to the end of the check | 39 // When we check the system time, we add this many days to the end of the check |
40 // so the result will still hold even after chrome has been running for a | 40 // so the result will still hold even after chrome has been running for a |
41 // while. | 41 // while. |
42 const int kSystemTimeValidityBufferInDays = 90; | 42 const int kSystemTimeValidityBufferInDays = 90; |
43 | 43 |
44 bool IsSupportedCertType(uint8 type) { | 44 bool IsSupportedCertType(uint8 type) { |
45 switch(type) { | 45 switch(type) { |
46 case CLIENT_CERT_ECDSA_SIGN: | 46 case CLIENT_CERT_ECDSA_SIGN: |
47 return true; | 47 return true; |
48 // If we add any more supported types, CertIsValid will need to be updated | |
49 // to check that the returned type matches one of the requested types. | |
48 default: | 50 default: |
49 return false; | 51 return false; |
50 } | 52 } |
51 } | 53 } |
52 | 54 |
55 bool CertIsValid(const std::string& domain, | |
56 SSLClientCertType type, | |
57 base::Time expiration_time) { | |
58 if (expiration_time < base::Time::Now()) { | |
59 DVLOG(1) << "Cert store had expired cert for " << domain; | |
60 return false; | |
61 } else if (!IsSupportedCertType(type)) { | |
62 DVLOG(1) << "Cert store had cert of wrong type " << type << " for " | |
63 << domain; | |
64 return false; | |
65 } | |
66 return true; | |
67 } | |
68 | |
53 // Used by the GetDomainBoundCertResult histogram to record the final | 69 // Used by the GetDomainBoundCertResult histogram to record the final |
54 // outcome of each GetDomainBoundCert call. Do not re-use values. | 70 // outcome of each GetDomainBoundCert call. Do not re-use values. |
55 enum GetCertResult { | 71 enum GetCertResult { |
56 // Synchronously found and returned an existing domain bound cert. | 72 // Synchronously found and returned an existing domain bound cert. |
57 SYNC_SUCCESS = 0, | 73 SYNC_SUCCESS = 0, |
58 // Generated and returned a domain bound cert asynchronously. | 74 // Retrieved or generated and returned a domain bound cert asynchronously. |
59 ASYNC_SUCCESS = 1, | 75 ASYNC_SUCCESS = 1, |
60 // Generation request was cancelled before the cert generation completed. | 76 // Retrieval/generation request was cancelled before the cert generation |
77 // completed. | |
61 ASYNC_CANCELLED = 2, | 78 ASYNC_CANCELLED = 2, |
62 // Cert generation failed. | 79 // Cert generation failed. |
63 ASYNC_FAILURE_KEYGEN = 3, | 80 ASYNC_FAILURE_KEYGEN = 3, |
64 ASYNC_FAILURE_CREATE_CERT = 4, | 81 ASYNC_FAILURE_CREATE_CERT = 4, |
65 ASYNC_FAILURE_EXPORT_KEY = 5, | 82 ASYNC_FAILURE_EXPORT_KEY = 5, |
66 ASYNC_FAILURE_UNKNOWN = 6, | 83 ASYNC_FAILURE_UNKNOWN = 6, |
67 // GetDomainBoundCert was called with invalid arguments. | 84 // GetDomainBoundCert was called with invalid arguments. |
68 INVALID_ARGUMENT = 7, | 85 INVALID_ARGUMENT = 7, |
69 // We don't support any of the cert types the server requested. | 86 // We don't support any of the cert types the server requested. |
70 UNSUPPORTED_TYPE = 8, | 87 UNSUPPORTED_TYPE = 8, |
(...skipping 126 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
197 } | 214 } |
198 case ERR_KEY_GENERATION_FAILED: | 215 case ERR_KEY_GENERATION_FAILED: |
199 RecordGetDomainBoundCertResult(ASYNC_FAILURE_KEYGEN); | 216 RecordGetDomainBoundCertResult(ASYNC_FAILURE_KEYGEN); |
200 break; | 217 break; |
201 case ERR_ORIGIN_BOUND_CERT_GENERATION_FAILED: | 218 case ERR_ORIGIN_BOUND_CERT_GENERATION_FAILED: |
202 RecordGetDomainBoundCertResult(ASYNC_FAILURE_CREATE_CERT); | 219 RecordGetDomainBoundCertResult(ASYNC_FAILURE_CREATE_CERT); |
203 break; | 220 break; |
204 case ERR_PRIVATE_KEY_EXPORT_FAILED: | 221 case ERR_PRIVATE_KEY_EXPORT_FAILED: |
205 RecordGetDomainBoundCertResult(ASYNC_FAILURE_EXPORT_KEY); | 222 RecordGetDomainBoundCertResult(ASYNC_FAILURE_EXPORT_KEY); |
206 break; | 223 break; |
224 case ERR_INSUFFICIENT_RESOURCES: | |
225 RecordGetDomainBoundCertResult(WORKER_FAILURE); | |
226 break; | |
207 default: | 227 default: |
208 RecordGetDomainBoundCertResult(ASYNC_FAILURE_UNKNOWN); | 228 RecordGetDomainBoundCertResult(ASYNC_FAILURE_UNKNOWN); |
209 break; | 229 break; |
210 } | 230 } |
211 if (!callback_.is_null()) { | 231 if (!callback_.is_null()) { |
212 *type_ = type; | 232 *type_ = type; |
213 *private_key_ = private_key; | 233 *private_key_ = private_key; |
214 *cert_ = cert; | 234 *cert_ = cert; |
215 callback_.Run(error); | 235 callback_.Run(error); |
216 } | 236 } |
(...skipping 71 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
288 WorkerDoneCallback callback_; | 308 WorkerDoneCallback callback_; |
289 | 309 |
290 DISALLOW_COPY_AND_ASSIGN(ServerBoundCertServiceWorker); | 310 DISALLOW_COPY_AND_ASSIGN(ServerBoundCertServiceWorker); |
291 }; | 311 }; |
292 | 312 |
293 // A ServerBoundCertServiceJob is a one-to-one counterpart of an | 313 // A ServerBoundCertServiceJob is a one-to-one counterpart of an |
294 // ServerBoundCertServiceWorker. It lives only on the ServerBoundCertService's | 314 // ServerBoundCertServiceWorker. It lives only on the ServerBoundCertService's |
295 // origin message loop. | 315 // origin message loop. |
296 class ServerBoundCertServiceJob { | 316 class ServerBoundCertServiceJob { |
297 public: | 317 public: |
298 ServerBoundCertServiceJob(SSLClientCertType type) : type_(type) { | 318 ServerBoundCertServiceJob(SSLClientCertType type) |
319 : type_(type) { | |
299 } | 320 } |
300 | 321 |
301 ~ServerBoundCertServiceJob() { | 322 ~ServerBoundCertServiceJob() { |
302 if (!requests_.empty()) | 323 if (!requests_.empty()) |
303 DeleteAllCanceled(); | 324 DeleteAllCanceled(); |
304 } | 325 } |
305 | 326 |
306 SSLClientCertType type() const { return type_; } | 327 SSLClientCertType type() const { return type_; } |
307 | 328 |
308 void AddRequest(ServerBoundCertServiceRequest* request) { | 329 void AddRequest(ServerBoundCertServiceRequest* request) { |
(...skipping 104 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
413 } | 434 } |
414 } | 435 } |
415 if (preferred_type == CLIENT_CERT_INVALID_TYPE) { | 436 if (preferred_type == CLIENT_CERT_INVALID_TYPE) { |
416 RecordGetDomainBoundCertResult(UNSUPPORTED_TYPE); | 437 RecordGetDomainBoundCertResult(UNSUPPORTED_TYPE); |
417 // None of the requested types are supported. | 438 // None of the requested types are supported. |
418 return ERR_CLIENT_AUTH_CERT_TYPE_UNSUPPORTED; | 439 return ERR_CLIENT_AUTH_CERT_TYPE_UNSUPPORTED; |
419 } | 440 } |
420 | 441 |
421 requests_++; | 442 requests_++; |
422 | 443 |
423 // Check if a domain bound cert of an acceptable type already exists for this | 444 // See if an identical request is currently in flight. |
424 // domain, and that it has not expired. | |
425 base::Time now = base::Time::Now(); | |
426 base::Time creation_time; | |
427 base::Time expiration_time; | |
428 if (server_bound_cert_store_->GetServerBoundCert(domain, | |
429 type, | |
430 &creation_time, | |
431 &expiration_time, | |
432 private_key, | |
433 cert)) { | |
434 if (expiration_time < now) { | |
435 DVLOG(1) << "Cert store had expired cert for " << domain; | |
436 } else if (!IsSupportedCertType(*type) || | |
437 std::find(requested_types.begin(), requested_types.end(), | |
438 *type) == requested_types.end()) { | |
439 DVLOG(1) << "Cert store had cert of wrong type " << *type << " for " | |
440 << domain; | |
441 } else { | |
442 DVLOG(1) << "Cert store had valid cert for " << domain | |
443 << " of type " << *type; | |
444 cert_store_hits_++; | |
445 RecordGetDomainBoundCertResult(SYNC_SUCCESS); | |
446 base::TimeDelta request_time = base::TimeTicks::Now() - request_start; | |
447 UMA_HISTOGRAM_TIMES("DomainBoundCerts.GetCertTimeSync", request_time); | |
448 RecordGetCertTime(request_time); | |
449 return OK; | |
450 } | |
451 } | |
452 | |
453 // |server_bound_cert_store_| has no cert for this domain. See if an | |
454 // identical request is currently in flight. | |
455 ServerBoundCertServiceJob* job = NULL; | 445 ServerBoundCertServiceJob* job = NULL; |
456 std::map<std::string, ServerBoundCertServiceJob*>::const_iterator j; | 446 std::map<std::string, ServerBoundCertServiceJob*>::const_iterator j; |
457 j = inflight_.find(domain); | 447 j = inflight_.find(domain); |
458 if (j != inflight_.end()) { | 448 if (j != inflight_.end()) { |
459 // An identical request is in flight already. We'll just attach our | 449 // An identical request is in flight already. We'll just attach our |
460 // callback. | 450 // callback. |
461 job = j->second; | 451 job = j->second; |
462 // Check that the job is for an acceptable type of cert. | 452 // Check that the job is for an acceptable type of cert. |
463 if (std::find(requested_types.begin(), requested_types.end(), job->type()) | 453 if (std::find(requested_types.begin(), requested_types.end(), job->type()) |
464 == requested_types.end()) { | 454 == requested_types.end()) { |
465 DVLOG(1) << "Found inflight job of wrong type " << job->type() | 455 DVLOG(1) << "Found inflight job of wrong type " << job->type() |
466 << " for " << domain; | 456 << " for " << domain; |
467 // If we get here, the server is asking for different types of certs in | 457 // If we get here, the server is asking for different types of certs in |
468 // short succession. This probably means the server is broken or | 458 // short succession. This probably means the server is broken or |
469 // misconfigured. Since we only store one type of cert per domain, we | 459 // misconfigured. Since we only store one type of cert per domain, we |
470 // are unable to handle this well. Just return an error and let the first | 460 // are unable to handle this well. Just return an error and let the first |
471 // job finish. | 461 // job finish. |
472 RecordGetDomainBoundCertResult(TYPE_MISMATCH); | 462 RecordGetDomainBoundCertResult(TYPE_MISMATCH); |
473 return ERR_ORIGIN_BOUND_CERT_GENERATION_TYPE_MISMATCH; | 463 return ERR_ORIGIN_BOUND_CERT_GENERATION_TYPE_MISMATCH; |
474 } | 464 } |
475 inflight_joins_++; | 465 inflight_joins_++; |
476 } else { | 466 |
477 // Need to make a new request. | 467 ServerBoundCertServiceRequest* request = new ServerBoundCertServiceRequest( |
468 request_start, callback, type, private_key, cert); | |
469 job->AddRequest(request); | |
470 *out_req = request; | |
471 return ERR_IO_PENDING; | |
472 } | |
473 | |
474 // Check if a domain bound cert of an acceptable type already exists for this | |
475 // domain, and that it has not expired. | |
476 base::Time expiration_time; | |
477 if (server_bound_cert_store_->GetServerBoundCert( | |
478 domain, | |
479 type, | |
480 &expiration_time, | |
481 private_key, | |
482 cert, | |
483 base::Bind(&ServerBoundCertService::GotServerBoundCert, | |
484 weak_ptr_factory_.GetWeakPtr()))) { | |
485 if (*type != CLIENT_CERT_INVALID_TYPE) { | |
486 // Sync lookup found a cert. | |
487 if (CertIsValid(domain, *type, expiration_time)) { | |
488 DVLOG(1) << "Cert store had valid cert for " << domain | |
489 << " of type " << *type; | |
490 cert_store_hits_++; | |
491 RecordGetDomainBoundCertResult(SYNC_SUCCESS); | |
492 base::TimeDelta request_time = base::TimeTicks::Now() - request_start; | |
493 UMA_HISTOGRAM_TIMES("DomainBoundCerts.GetCertTimeSync", request_time); | |
494 RecordGetCertTime(request_time); | |
495 return OK; | |
496 } | |
497 } | |
498 | |
499 // Sync lookup did not find a cert, or it found an expired one. Start | |
500 // generating a new one. | |
478 ServerBoundCertServiceWorker* worker = new ServerBoundCertServiceWorker( | 501 ServerBoundCertServiceWorker* worker = new ServerBoundCertServiceWorker( |
479 domain, | 502 domain, |
480 preferred_type, | 503 preferred_type, |
481 base::Bind(&ServerBoundCertService::HandleResult, | 504 base::Bind(&ServerBoundCertService::GeneratedServerBoundCert, |
482 weak_ptr_factory_.GetWeakPtr())); | 505 weak_ptr_factory_.GetWeakPtr())); |
483 if (!worker->Start(task_runner_)) { | 506 if (!worker->Start(task_runner_)) { |
507 delete worker; | |
484 // TODO(rkn): Log to the NetLog. | 508 // TODO(rkn): Log to the NetLog. |
485 LOG(ERROR) << "ServerBoundCertServiceWorker couldn't be started."; | 509 LOG(ERROR) << "ServerBoundCertServiceWorker couldn't be started."; |
486 RecordGetDomainBoundCertResult(WORKER_FAILURE); | 510 RecordGetDomainBoundCertResult(WORKER_FAILURE); |
487 return ERR_INSUFFICIENT_RESOURCES; // Just a guess. | 511 return ERR_INSUFFICIENT_RESOURCES; |
488 } | 512 } |
489 job = new ServerBoundCertServiceJob(preferred_type); | |
490 inflight_[domain] = job; | |
491 } | 513 } |
492 | 514 |
515 // We are either waiting for async DB lookup, or waiting for cert generation. | |
516 // Create a job & request to track it. | |
517 job = new ServerBoundCertServiceJob(preferred_type); | |
518 inflight_[domain] = job; | |
519 | |
493 ServerBoundCertServiceRequest* request = new ServerBoundCertServiceRequest( | 520 ServerBoundCertServiceRequest* request = new ServerBoundCertServiceRequest( |
494 request_start, callback, type, private_key, cert); | 521 request_start, callback, type, private_key, cert); |
495 job->AddRequest(request); | 522 job->AddRequest(request); |
496 *out_req = request; | 523 *out_req = request; |
497 return ERR_IO_PENDING; | 524 return ERR_IO_PENDING; |
498 } | 525 } |
499 | 526 |
527 void ServerBoundCertService::GotServerBoundCert( | |
528 const std::string& server_identifier, | |
529 SSLClientCertType type, | |
530 base::Time expiration_time, | |
531 const std::string& key, | |
532 const std::string& cert) { | |
533 DCHECK(CalledOnValidThread()); | |
534 | |
535 std::map<std::string, ServerBoundCertServiceJob*>::iterator j; | |
536 j = inflight_.find(server_identifier); | |
537 if (j == inflight_.end()) { | |
538 NOTREACHED(); | |
539 return; | |
540 } | |
541 ServerBoundCertServiceJob* job = j->second; | |
542 | |
543 if (type != CLIENT_CERT_INVALID_TYPE) { | |
544 // Async DB lookup found a cert. | |
545 if (CertIsValid(server_identifier, type, expiration_time)) { | |
546 DVLOG(1) << "Cert store had valid cert for " << server_identifier | |
547 << " of type " << type; | |
548 cert_store_hits_++; | |
549 // ServerBoundCertServiceRequest::Post will do the histograms and stuff. | |
550 HandleResult(OK, server_identifier, type, key, cert); | |
551 return; | |
552 } | |
553 } | |
554 | |
555 // Async lookup did not find a cert, or it found an expired one. Start | |
556 // generating a new one. | |
557 ServerBoundCertServiceWorker* worker = new ServerBoundCertServiceWorker( | |
558 server_identifier, | |
559 job->type(), | |
560 base::Bind(&ServerBoundCertService::GeneratedServerBoundCert, | |
561 weak_ptr_factory_.GetWeakPtr())); | |
562 if (!worker->Start(task_runner_)) { | |
563 delete worker; | |
564 // TODO(rkn): Log to the NetLog. | |
565 LOG(ERROR) << "ServerBoundCertServiceWorker couldn't be started."; | |
566 HandleResult(ERR_INSUFFICIENT_RESOURCES, server_identifier, | |
567 CLIENT_CERT_INVALID_TYPE, "", ""); | |
568 return; | |
569 } | |
570 } | |
571 | |
500 ServerBoundCertStore* ServerBoundCertService::GetCertStore() { | 572 ServerBoundCertStore* ServerBoundCertService::GetCertStore() { |
501 return server_bound_cert_store_.get(); | 573 return server_bound_cert_store_.get(); |
502 } | 574 } |
503 | 575 |
504 void ServerBoundCertService::CancelRequest(RequestHandle req) { | 576 void ServerBoundCertService::CancelRequest(RequestHandle req) { |
505 DCHECK(CalledOnValidThread()); | 577 DCHECK(CalledOnValidThread()); |
506 ServerBoundCertServiceRequest* request = | 578 ServerBoundCertServiceRequest* request = |
507 reinterpret_cast<ServerBoundCertServiceRequest*>(req); | 579 reinterpret_cast<ServerBoundCertServiceRequest*>(req); |
508 request->Cancel(); | 580 request->Cancel(); |
509 } | 581 } |
510 | 582 |
511 // HandleResult is called by ServerBoundCertServiceWorker on the origin message | 583 void ServerBoundCertService::GeneratedServerBoundCert( |
512 // loop. It deletes ServerBoundCertServiceJob. | |
513 void ServerBoundCertService::HandleResult( | |
514 const std::string& server_identifier, | 584 const std::string& server_identifier, |
515 int error, | 585 int error, |
516 scoped_ptr<ServerBoundCertStore::ServerBoundCert> cert) { | 586 scoped_ptr<ServerBoundCertStore::ServerBoundCert> cert) { |
517 DCHECK(CalledOnValidThread()); | 587 DCHECK(CalledOnValidThread()); |
518 | 588 |
519 if (error == OK) { | 589 if (error == OK) { |
520 // TODO(mattm): we should just Pass() the cert object to | 590 // TODO(mattm): we should just Pass() the cert object to |
521 // SetServerBoundCert(). | 591 // SetServerBoundCert(). |
522 server_bound_cert_store_->SetServerBoundCert( | 592 server_bound_cert_store_->SetServerBoundCert( |
523 cert->server_identifier(), cert->type(), cert->creation_time(), | 593 cert->server_identifier(), cert->type(), cert->creation_time(), |
524 cert->expiration_time(), cert->private_key(), cert->cert()); | 594 cert->expiration_time(), cert->private_key(), cert->cert()); |
595 | |
596 HandleResult(error, server_identifier, cert->type(), cert->private_key(), | |
597 cert->cert()); | |
598 } else { | |
599 HandleResult(error, server_identifier, CLIENT_CERT_INVALID_TYPE, "", ""); | |
525 } | 600 } |
601 } | |
602 | |
603 void ServerBoundCertService::HandleResult( | |
604 int error, | |
605 const std::string& server_identifier, | |
606 SSLClientCertType type, | |
607 const std::string& private_key, | |
608 const std::string& cert) { | |
609 DCHECK(CalledOnValidThread()); | |
526 | 610 |
527 std::map<std::string, ServerBoundCertServiceJob*>::iterator j; | 611 std::map<std::string, ServerBoundCertServiceJob*>::iterator j; |
528 j = inflight_.find(server_identifier); | 612 j = inflight_.find(server_identifier); |
529 if (j == inflight_.end()) { | 613 if (j == inflight_.end()) { |
530 NOTREACHED(); | 614 NOTREACHED(); |
531 return; | 615 return; |
532 } | 616 } |
533 ServerBoundCertServiceJob* job = j->second; | 617 ServerBoundCertServiceJob* job = j->second; |
534 inflight_.erase(j); | 618 inflight_.erase(j); |
535 | 619 |
536 if (cert) | 620 job->HandleResult(error, type, private_key, cert); |
537 job->HandleResult(error, cert->type(), cert->private_key(), cert->cert()); | |
538 else | |
539 job->HandleResult(error, CLIENT_CERT_INVALID_TYPE, "", ""); | |
540 delete job; | 621 delete job; |
541 } | 622 } |
542 | 623 |
543 int ServerBoundCertService::cert_count() { | 624 int ServerBoundCertService::cert_count() { |
544 return server_bound_cert_store_->GetCertCount(); | 625 return server_bound_cert_store_->GetCertCount(); |
545 } | 626 } |
546 | 627 |
547 } // namespace net | 628 } // namespace net |
OLD | NEW |