Verify certificate of Privet v3 device

chrome/browser/local_discovery/privet_http_impl.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/local_discovery/privet_http_impl.h"
 
 #include <algorithm>
 #include <vector>
 
 #include "base/bind.h"
 #include "base/location.h"
 #include "base/rand_util.h"
 #include "base/single_thread_task_runner.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/thread_task_runner_handle.h"
 #include "chrome/browser/local_discovery/privet_constants.h"
+#include "chrome/common/chrome_content_client.h"
 #include "chrome/common/cloud_print/cloud_print_constants.h"
 #include "net/base/url_util.h"
+#include "net/cert/cert_verifier.h"
+#include "net/cert/cert_verify_result.h"
+#include "net/url_request/url_request_context.h"
+#include "net/url_request/url_request_context_builder.h"
 #include "url/gurl.h"
 
 #if defined(ENABLE_PRINT_PREVIEW)
 #include "chrome/browser/local_discovery/pwg_raster_converter.h"
 #include "components/cloud_devices/common/printer_description.h"
 #include "printing/pdf_render_settings.h"
 #include "printing/pwg_raster_settings.h"
 #include "ui/gfx/text_elider.h"
 #endif  // ENABLE_PRINT_PREVIEW
 
 namespace local_discovery {
 
 namespace {
+
 const char kUrlPlaceHolder[] = "http://host/";
 const char kPrivetRegisterActionArgName[] = "action";
 const char kPrivetRegisterUserArgName[] = "user";
 
 const int kPrivetCancelationTimeoutSeconds = 3;
 
 #if defined(ENABLE_PRINT_PREVIEW)
 const char kPrivetURLKeyUserName[] = "user_name";
 const char kPrivetURLKeyClientName[] = "client_name";
 const char kPrivetURLKeyJobname[] = "job_name";
@@ skipping 31 matching lines @@
                           const std::string& query_params) {
   GURL url(kUrlPlaceHolder);
   GURL::Replacements replacements;
   replacements.SetPathStr(path);
   if (!query_params.empty()) {
     replacements.SetQueryStr(query_params);
   }
   return url.ReplaceComponents(replacements);
 }
 
+// Used before we have any certificate fingerprint.
+class FailingCertVerifier : public net::CertVerifier {
+ public:
+  int Verify(net::X509Certificate* cert,
+             const std::string& hostname,
+             const std::string& ocsp_response,
+             int flags,
+             net::CRLSet* crl_set,
+             net::CertVerifyResult* verify_result,
+             const net::CompletionCallback& callback,
+             scoped_ptr<Request>* out_req,
+             const net::BoundNetLog& net_log) override {
+    verify_result->Reset();
+    verify_result->verified_cert = cert;
+    verify_result->cert_status = net::CERT_STATUS_INVALID;
+    return net::ERR_CERT_INVALID;
+  }
+};
+
+// Class verifies certificate by its fingerprint received using different
+// channel. It's the only know information about device with self-signed
+// certificate.
+class FingerprintVerifier : public net::CertVerifier {
+ public:
+  explicit FingerprintVerifier(
+      const net::SHA256HashValue& certificate_fingerprint)
+      : certificate_fingerprint_(certificate_fingerprint) {}
+
+  int Verify(net::X509Certificate* cert,
+             const std::string& hostname,
+             const std::string& ocsp_response,
+             int flags,
+             net::CRLSet* crl_set,
+             net::CertVerifyResult* verify_result,
+             const net::CompletionCallback& callback,
+             scoped_ptr<Request>* out_req,
+             const net::BoundNetLog& net_log) override {
+    // Mark certificate as invalid as we didn't check it.
+    verify_result->Reset();
+    verify_result->verified_cert = cert;
+    verify_result->cert_status = net::CERT_STATUS_INVALID;
+
+    auto fingerprint =
+        net::X509Certificate::CalculateFingerprint256(cert->os_cert_handle());
+
+    return certificate_fingerprint_.Equals(fingerprint) ? net::OK
+                                                        : net::ERR_CERT_INVALID;
+  }
+
+ private:
+  net::SHA256HashValue certificate_fingerprint_;
+
+  DISALLOW_COPY_AND_ASSIGN(FingerprintVerifier);
+};
+
+class PrivetContextGetter : public net::URLRequestContextGetter {
+ public:
+  PrivetContextGetter(
+      const scoped_refptr<base::SingleThreadTaskRunner>& net_task_runner,
+      const net::SHA256HashValue& certificate_fingerprint)
+      : verifier_(new FingerprintVerifier(certificate_fingerprint)),
+        net_task_runner_(net_task_runner) {}
+
+  // Don't allow any https without fingerprint. Device with valid certificate
+  // may be different from the one which user is trying to pair.
+  explicit PrivetContextGetter(
+      const scoped_refptr<base::SingleThreadTaskRunner>& net_task_runner)
+      : verifier_(new FailingCertVerifier()),
+        net_task_runner_(net_task_runner) {}
+
+  net::URLRequestContext* GetURLRequestContext() override {
+    if (!context_) {
+      net::URLRequestContextBuilder builder;
+      builder.set_proxy_service(net::ProxyService::CreateDirect());
+      builder.SetSpdyAndQuicEnabled(false, false);
+      builder.DisableHttpCache();
+      builder.SetCertVerifier(verifier_.Pass());
+      builder.set_user_agent(::GetUserAgent());
+      context_ = builder.Build();
+    }
+    return context_.get();
+  }
+
+  scoped_refptr<base::SingleThreadTaskRunner> GetNetworkTaskRunner()
+      const override {
+    return net_task_runner_;
+  }
+
+ protected:
+  ~PrivetContextGetter() override = default;

[mmenke, 2015/10/29 16:12:26]

BUG:  The URLRequestContext must be deleted on the network thread.  I guess your
tests are just using one thread?  The URLRequestContext should have caught this,
otherwise.  Suggest adding a network thread to your tests, for just such issues.

[Vitaly Buka (NO REVIEWS), 2015/10/29 18:37:12]

That's not what I see from code:
https://code.google.com/p/chromium/codesearch#chromium/src/net/url_request/ur...

context_ is deleted with PrivetContextGetter.
PrivetContextGetter is derived from net::URLRequestContextGetter which always
deletes itself on network thread.

Test uses real IO thread and main thread, adding
DCHECK(net_task_runner_->BelongsToCurrentThread()); does not trigger any issues

[mmenke, 2015/10/29 18:40:18]

You're right - I completely forgot about that magic (Now-a-days, none of the
primary contents are owned by their getters).

+
+ private:
+  scoped_ptr<net::CertVerifier> verifier_;
+  scoped_ptr<net::URLRequestContext> context_;
+  scoped_refptr<base::SingleThreadTaskRunner> net_task_runner_;
+
+  DISALLOW_COPY_AND_ASSIGN(PrivetContextGetter);
+};
+
 }  // namespace
 
 PrivetInfoOperationImpl::PrivetInfoOperationImpl(
     PrivetHTTPClient* privet_client,
     const PrivetJSONOperation::ResultCallback& callback)
     : privet_client_(privet_client), callback_(callback) {
 }
 
 PrivetInfoOperationImpl::~PrivetInfoOperationImpl() {
 }
@@ skipping 78 matching lines @@
   int visible_http_code = -1;
   FailureReason reason = FAILURE_NETWORK;
 
   if (error == PrivetURLFetcher::RESPONSE_CODE_ERROR) {
     visible_http_code = fetcher->response_code();
     reason = FAILURE_HTTP_ERROR;
   } else if (error == PrivetURLFetcher::JSON_PARSE_ERROR) {
     reason = FAILURE_MALFORMED_RESPONSE;
   } else if (error == PrivetURLFetcher::TOKEN_ERROR) {
     reason = FAILURE_TOKEN;
-  } else if (error == PrivetURLFetcher::RETRY_ERROR) {
-    reason = FAILURE_RETRY;
+  } else if (error == PrivetURLFetcher::UNKNOWN_ERROR) {
+    reason = FAILURE_UNKNOWN;
   }
 
   delegate_->OnPrivetRegisterError(this,
                                    current_action_,
                                    reason,
                                    visible_http_code,
                                    NULL);
 }
 
 void PrivetRegisterOperationImpl::OnParsedJson(
@@ skipping 490 matching lines @@
 void PrivetLocalPrintOperationImpl::SetPWGRasterConverterForTesting(
     scoped_ptr<PWGRasterConverter> pwg_raster_converter) {
   pwg_raster_converter_ = pwg_raster_converter.Pass();
 }
 #endif  // ENABLE_PRINT_PREVIEW
 
 PrivetHTTPClientImpl::PrivetHTTPClientImpl(
     const std::string& name,
     const net::HostPortPair& host_port,
     net::URLRequestContextGetter* request_context)
-    : name_(name), request_context_(request_context), host_port_(host_port) {}
+    : PrivetHTTPClientImpl(name,
+                           host_port,
+                           request_context->GetNetworkTaskRunner()) {}
+
+PrivetHTTPClientImpl::PrivetHTTPClientImpl(
+    const std::string& name,
+    const net::HostPortPair& host_port,
+    const scoped_refptr<base::SingleThreadTaskRunner>& net_task_runner)
+    : name_(name),
+      context_getter_(new PrivetContextGetter(net_task_runner)),

[mmenke, 2015/10/29 16:12:26]

URLRequestContexts are very heavy weight objects.  What's the lifetime of this
object?  How often are they created?  It's not clear from the code.

[Vitaly Buka (NO REVIEWS), 2015/10/29 18:37:12]

For PrivetHTTPClient printing functionality this can be created many times when
we enumerate devices. But I don't need any custom context, browser context is
OK. I undo this part.

We need own context only to do HTTPS, and it's only happening during device
setup. This happens once per SPAKE2 pinCode typed by user. So quite rare.

+      host_port_(host_port) {}
 
 PrivetHTTPClientImpl::~PrivetHTTPClientImpl() {
 }
 
 const std::string& PrivetHTTPClientImpl::GetName() {
   return name_;
 }
 
 scoped_ptr<PrivetJSONOperation> PrivetHTTPClientImpl::CreateInfoOperation(
     const PrivetJSONOperation::ResultCallback& callback) {
   return scoped_ptr<PrivetJSONOperation>(
       new PrivetInfoOperationImpl(this, callback));
 }
 
 scoped_ptr<PrivetURLFetcher> PrivetHTTPClientImpl::CreateURLFetcher(
     const GURL& url,
     net::URLFetcher::RequestType request_type,
     PrivetURLFetcher::Delegate* delegate) {
   GURL::Replacements replacements;
   replacements.SetHostStr(host_port_.host());
-  std::string port(
-      base::UintToString(host_port_.port()));  // Keep string alive.
+  std::string port = base::UintToString(host_port_.port());
   replacements.SetPortStr(port);
+  std::string scheme = IsInHttpsMode() ? "https" : "http";
+  replacements.SetSchemeStr(scheme);
   return scoped_ptr<PrivetURLFetcher>(
-      new PrivetURLFetcher(url.ReplaceComponents(replacements),
-                           request_type,
-                           request_context_.get(),
-                           delegate));
+      new PrivetURLFetcher(url.ReplaceComponents(replacements), request_type,
+                           context_getter_, delegate));
 }
 
 void PrivetHTTPClientImpl::RefreshPrivetToken(
     const PrivetURLFetcher::TokenCallback& callback) {
   token_callbacks_.push_back(callback);
 
   if (!info_operation_) {
     info_operation_ = CreateInfoOperation(
         base::Bind(&PrivetHTTPClientImpl::OnPrivetInfoDone,
                    base::Unretained(this)));
     info_operation_->Start();
   }
 }
 
+void PrivetHTTPClientImpl::SwitchToHttps(
+    uint16_t port,
+    const net::SHA256HashValue& certificate_fingerprint) {
+  use_https_ = true;
+  host_port_.set_port(port);
+  context_getter_ = new PrivetContextGetter(
+      context_getter_->GetNetworkTaskRunner(), certificate_fingerprint);
+}
+
+bool PrivetHTTPClientImpl::IsInHttpsMode() const {
+  return use_https_;
+}
+
 void PrivetHTTPClientImpl::OnPrivetInfoDone(
     const base::DictionaryValue* value) {
   info_operation_.reset();
   std::string token;
 
   // If this does not succeed, token will be empty, and an empty string
   // is our sentinel value, since empty X-Privet-Tokens are not allowed.
   if (value) {
     value->GetString(kPrivetInfoKeyToken, &token);
   }
@@ skipping 44 matching lines @@
     PrivetLocalPrintOperation::Delegate* delegate) {
 #if defined(ENABLE_PRINT_PREVIEW)
   return scoped_ptr<PrivetLocalPrintOperation>(
       new PrivetLocalPrintOperationImpl(info_client(), delegate));
 #else
   return scoped_ptr<PrivetLocalPrintOperation>();
 #endif  // ENABLE_PRINT_PREVIEW
 }
 
 }  // namespace local_discovery