OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_CERT_MULTI_THREADED_CERT_VERIFIER_H_ | 5 #ifndef NET_CERT_MULTI_THREADED_CERT_VERIFIER_H_ |
6 #define NET_CERT_MULTI_THREADED_CERT_VERIFIER_H_ | 6 #define NET_CERT_MULTI_THREADED_CERT_VERIFIER_H_ |
7 | 7 |
8 #include <stddef.h> | 8 #include <stddef.h> |
9 #include <stdint.h> | 9 #include <stdint.h> |
10 | 10 |
11 #include <set> | 11 #include <set> |
12 #include <string> | 12 #include <string> |
13 #include <vector> | 13 #include <vector> |
14 | 14 |
15 #include "base/gtest_prod_util.h" | 15 #include "base/gtest_prod_util.h" |
16 #include "base/macros.h" | 16 #include "base/macros.h" |
17 #include "base/memory/ref_counted.h" | 17 #include "base/memory/ref_counted.h" |
18 #include "base/pickle.h" | |
18 #include "base/threading/non_thread_safe.h" | 19 #include "base/threading/non_thread_safe.h" |
19 #include "net/base/completion_callback.h" | 20 #include "net/base/completion_callback.h" |
20 #include "net/base/expiring_cache.h" | 21 #include "net/base/expiring_cache.h" |
21 #include "net/base/hash_value.h" | 22 #include "net/base/hash_value.h" |
22 #include "net/base/net_export.h" | 23 #include "net/base/net_export.h" |
23 #include "net/cert/cert_database.h" | 24 #include "net/cert/cert_database.h" |
24 #include "net/cert/cert_verifier.h" | 25 #include "net/cert/cert_verifier.h" |
25 #include "net/cert/cert_verify_result.h" | 26 #include "net/cert/cert_verify_result.h" |
26 #include "net/cert/x509_cert_types.h" | 27 #include "net/cert/x509_cert_types.h" |
27 | 28 |
(...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
74 friend class CertVerifierRequest; | 75 friend class CertVerifierRequest; |
75 friend class CertVerifierJob; | 76 friend class CertVerifierJob; |
76 friend class MultiThreadedCertVerifierTest; | 77 friend class MultiThreadedCertVerifierTest; |
77 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, CacheHit); | 78 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, CacheHit); |
78 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, DifferentCACerts); | 79 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, DifferentCACerts); |
79 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, InflightJoin); | 80 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, InflightJoin); |
80 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, MultipleInflightJoin); | 81 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, MultipleInflightJoin); |
81 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, CancelRequest); | 82 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, CancelRequest); |
82 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, | 83 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, |
83 RequestParamsComparators); | 84 RequestParamsComparators); |
85 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, PersistRequestParams); | |
84 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, | 86 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, |
85 CertTrustAnchorProvider); | 87 CertTrustAnchorProvider); |
88 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, PersistCache); | |
89 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, | |
90 PersistCacheExpiredEntry); | |
86 | 91 |
87 // Input parameters of a certificate verification request. | 92 // Input parameters of a certificate verification request. |
88 struct NET_EXPORT_PRIVATE RequestParams { | 93 struct NET_EXPORT_PRIVATE RequestParams { |
89 RequestParams(const SHA1HashValue& cert_fingerprint_arg, | 94 RequestParams(const SHA1HashValue& cert_fingerprint_arg, |
90 const SHA1HashValue& ca_fingerprint_arg, | 95 const SHA1HashValue& ca_fingerprint_arg, |
91 const std::string& hostname_arg, | 96 const std::string& hostname_arg, |
92 const std::string& ocsp_response_arg, | 97 const std::string& ocsp_response_arg, |
93 int flags_arg, | 98 int flags_arg, |
94 const CertificateList& additional_trust_anchors); | 99 const CertificateList& additional_trust_anchors); |
95 RequestParams(const RequestParams& other); | 100 RequestParams(const RequestParams& other); |
101 RequestParams(); | |
96 ~RequestParams(); | 102 ~RequestParams(); |
97 | 103 |
104 // Appends a representation of this object to the given pickle. | |
105 bool Persist(base::Pickle* pickle) const; | |
106 | |
107 // Create an RequestParams from the representation stored in the given | |
108 // pickle. The data for this object is found relative to the given | |
109 // pickle_iter, which should be passed to the pickle's various Read* | |
110 // methods. | |
111 // Returns false on failure. | |
112 static bool CreateFromPickle(base::PickleIterator* iter, | |
113 RequestParams* param); | |
Ryan Sleevi
2016/02/29 23:28:41
Same remarks
| |
114 | |
98 bool operator<(const RequestParams& other) const; | 115 bool operator<(const RequestParams& other) const; |
99 | 116 |
100 std::string hostname; | 117 std::string hostname; |
101 int flags; | 118 int flags; |
102 std::vector<SHA1HashValue> hash_values; | 119 std::vector<SHA1HashValue> hash_values; |
103 // The time when verification started. | 120 // The time when verification started. |
104 // Note: This uses base::Time, rather than base::TimeTicks, to | 121 // Note: This uses base::Time, rather than base::TimeTicks, to |
105 // account for system clock changes. | 122 // account for system clock changes. |
106 base::Time start_time; | 123 base::Time start_time; |
107 }; | 124 }; |
108 | 125 |
109 // CachedResult contains the result of a certificate verification. | 126 // CachedResult contains the result of a certificate verification. |
110 struct NET_EXPORT_PRIVATE CachedResult { | 127 struct NET_EXPORT_PRIVATE CachedResult { |
111 CachedResult(); | 128 CachedResult(); |
112 ~CachedResult(); | 129 ~CachedResult(); |
113 | 130 |
131 // Appends a representation of this object to the given pickle. | |
132 bool Persist(base::Pickle* pickle) const; | |
133 | |
134 // Create an CachedResult from the representation stored in the given | |
135 // pickle. The data for this object is found relative to the given | |
136 // pickle_iter, which should be passed to the pickle's various Read* | |
137 // methods. | |
138 // Returns false on failure. | |
139 static bool CreateFromPickle(base::PickleIterator* iter, | |
140 CachedResult* result); | |
141 | |
114 int error; // The return value of CertVerifier::Verify. | 142 int error; // The return value of CertVerifier::Verify. |
115 CertVerifyResult result; // The output of CertVerifier::Verify. | 143 CertVerifyResult result; // The output of CertVerifier::Verify. |
116 }; | 144 }; |
117 | 145 |
118 // Rather than having a single validity point along a monotonically increasing | 146 // Rather than having a single validity point along a monotonically increasing |
119 // timeline, certificate verification is based on falling within a range of | 147 // timeline, certificate verification is based on falling within a range of |
120 // the certificate's NotBefore and NotAfter and based on what the current | 148 // the certificate's NotBefore and NotAfter and based on what the current |
121 // system clock says (which may advance forwards or backwards as users correct | 149 // system clock says (which may advance forwards or backwards as users correct |
122 // clock skew). CacheValidityPeriod and CacheExpirationFunctor are helpers to | 150 // clock skew). CacheValidityPeriod and CacheExpirationFunctor are helpers to |
123 // ensure that expiration is measured both by the 'general' case (now + cache | 151 // ensure that expiration is measured both by the 'general' case (now + cache |
124 // TTL) and by whether or not significant enough clock skew was introduced | 152 // TTL) and by whether or not significant enough clock skew was introduced |
125 // since the last verification. | 153 // since the last verification. |
126 struct CacheValidityPeriod { | 154 struct NET_EXPORT_PRIVATE CacheValidityPeriod { |
127 explicit CacheValidityPeriod(const base::Time& now); | 155 explicit CacheValidityPeriod(const base::Time& now); |
128 CacheValidityPeriod(const base::Time& now, const base::Time& expiration); | 156 CacheValidityPeriod(const base::Time& now, const base::Time& expiration); |
129 | 157 |
158 // Appends a representation of this object to the given pickle. | |
159 bool Persist(base::Pickle* pickle) const; | |
160 | |
161 // Create an CacheValidityPeriod from the representation stored in the given | |
162 // pickle. The data for this object is found relative to the given | |
163 // pickle_iter, which should be passed to the pickle's various Read* | |
164 // methods. | |
165 // Returns false on failure. | |
166 static bool CreateFromPickle(base::PickleIterator* iter, | |
167 CacheValidityPeriod* valid_period); | |
168 | |
130 base::Time verification_time; | 169 base::Time verification_time; |
131 base::Time expiration_time; | 170 base::Time expiration_time; |
132 }; | 171 }; |
133 | 172 |
134 struct CacheExpirationFunctor { | 173 struct NET_EXPORT_PRIVATE CacheExpirationFunctor { |
135 // Returns true iff |now| is within the validity period of |expiration|. | 174 // Returns true iff |now| is within the validity period of |expiration|. |
136 bool operator()(const CacheValidityPeriod& now, | 175 bool operator()(const CacheValidityPeriod& now, |
137 const CacheValidityPeriod& expiration) const; | 176 const CacheValidityPeriod& expiration) const; |
138 }; | 177 }; |
139 | 178 |
140 struct JobComparator { | 179 struct JobComparator { |
141 bool operator()(const CertVerifierJob* job1, | 180 bool operator()(const CertVerifierJob* job1, |
142 const CertVerifierJob* job2) const; | 181 const CertVerifierJob* job2) const; |
143 }; | 182 }; |
144 | 183 |
145 using JobSet = std::set<CertVerifierJob*, JobComparator>; | 184 using JobSet = std::set<CertVerifierJob*, JobComparator>; |
146 | 185 |
147 typedef ExpiringCache<RequestParams, CachedResult, CacheValidityPeriod, | 186 typedef ExpiringCache<RequestParams, CachedResult, CacheValidityPeriod, |
148 CacheExpirationFunctor> CertVerifierCache; | 187 CacheExpirationFunctor> CertVerifierCache; |
149 | 188 |
150 // Saves |result| into the cache, keyed by |key|. | 189 // Saves |result| into the cache, keyed by |key|. |
151 void SaveResultToCache(const RequestParams& key, const CachedResult& result); | 190 void SaveResultToCache(const RequestParams& key, const CachedResult& result); |
152 | 191 |
192 // Appends a representation of |cache_| to the given pickle. | |
193 bool SerializeCache(base::Pickle* pickle); | |
194 | |
195 // Populates |cache_| from the representation stored in the given pickle. The | |
196 // data for this object is found relative to the given pickle_iter, which | |
197 // should be passed to the pickle's various Read* methods. | |
198 // Returns false on failure. | |
199 static bool CreateFromPickle(base::PickleIterator* iter, | |
200 MultiThreadedCertVerifier* cert_verifier); | |
201 | |
153 // CertDatabase::Observer methods: | 202 // CertDatabase::Observer methods: |
154 void OnCACertChanged(const X509Certificate* cert) override; | 203 void OnCACertChanged(const X509Certificate* cert) override; |
155 | 204 |
156 // Returns an inflight job for |key|. If there is no such job then returns | 205 // Returns an inflight job for |key|. If there is no such job then returns |
157 // null. | 206 // null. |
158 CertVerifierJob* FindJob(const RequestParams& key); | 207 CertVerifierJob* FindJob(const RequestParams& key); |
159 | 208 |
160 // Removes |job| from the inflight set, and passes ownership back to the | 209 // Removes |job| from the inflight set, and passes ownership back to the |
161 // caller. |job| must already be |inflight_|. | 210 // caller. |job| must already be |inflight_|. |
162 scoped_ptr<CertVerifierJob> RemoveJob(CertVerifierJob* job); | 211 scoped_ptr<CertVerifierJob> RemoveJob(CertVerifierJob* job); |
(...skipping 18 matching lines...) Expand all Loading... | |
181 scoped_refptr<CertVerifyProc> verify_proc_; | 230 scoped_refptr<CertVerifyProc> verify_proc_; |
182 | 231 |
183 CertTrustAnchorProvider* trust_anchor_provider_; | 232 CertTrustAnchorProvider* trust_anchor_provider_; |
184 | 233 |
185 DISALLOW_COPY_AND_ASSIGN(MultiThreadedCertVerifier); | 234 DISALLOW_COPY_AND_ASSIGN(MultiThreadedCertVerifier); |
186 }; | 235 }; |
187 | 236 |
188 } // namespace net | 237 } // namespace net |
189 | 238 |
190 #endif // NET_CERT_MULTI_THREADED_CERT_VERIFIER_H_ | 239 #endif // NET_CERT_MULTI_THREADED_CERT_VERIFIER_H_ |
OLD | NEW |