| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "components/certificate_transparency/single_tree_tracker.h" |
| 6 |
| 7 #include <utility> |
| 8 |
| 9 #include "base/strings/string_number_conversions.h" |
| 10 #include "net/cert/ct_log_verifier.h" |
| 11 #include "net/cert/signed_certificate_timestamp.h" |
| 12 #include "net/cert/x509_certificate.h" |
| 13 |
| 14 using net::ct::SignedTreeHead; |
| 15 |
| 16 namespace certificate_transparency { |
| 17 |
| 18 SingleTreeTracker::SingleTreeTracker( |
| 19 scoped_refptr<const net::CTLogVerifier> ct_log) |
| 20 : ct_log_(ct_log) {} |
| 21 |
| 22 SingleTreeTracker::~SingleTreeTracker() {} |
| 23 |
| 24 void SingleTreeTracker::OnSCTVerified( |
| 25 net::X509Certificate* cert, |
| 26 const net::ct::SignedCertificateTimestamp* sct) { |
| 27 CheckLogId(sct->log_id); |
| 28 |
| 29 if (entries_status_.find(sct->timestamp) != entries_status_.end()) |
| 30 return; |
| 31 |
| 32 if (verified_sth_.timestamp.is_null() || |
| 33 (verified_sth_.timestamp < |
| 34 (sct->timestamp + base::TimeDelta::FromHours(24)))) { |
| 35 // TODO(eranm): UMA - how often SCTs have to wait for a newer STH for |
| 36 // inclusion check. |
| 37 entries_status_.insert( |
| 38 std::make_pair(sct->timestamp, SCT_PENDING_NEWER_STH)); |
| 39 return; |
| 40 } |
| 41 |
| 42 // TODO(eranm): Check inclusion here. |
| 43 // TODO(eranm): UMA - how often inclusion can be checked immediately. |
| 44 entries_status_.insert( |
| 45 std::make_pair(sct->timestamp, SCT_PENDING_INCLUSION_CHECK)); |
| 46 } |
| 47 |
| 48 void SingleTreeTracker::NewSTHObserved(const SignedTreeHead& sth) { |
| 49 CheckLogId(sth.log_id); |
| 50 |
| 51 if (!ct_log_->VerifySignedTreeHead(sth)) { |
| 52 // This may be caused due to an operational error - STHs are expected |
| 53 // validated prior to being pushed via the component updater, so an |
| 54 // invalid STH should never be observed by Chrome clients. |
| 55 LOG(WARNING) << "STH is for " << ct_log_->url() |
| 56 << " could not be verified."; |
| 57 return; |
| 58 } |
| 59 |
| 60 bool sths_for_same_tree = (verified_sth_.tree_size == sth.tree_size); |
| 61 bool received_sth_is_for_larger_tree = |
| 62 (verified_sth_.tree_size > sth.tree_size); |
| 63 bool received_sth_is_newer = (sth.timestamp > verified_sth_.timestamp); |
| 64 |
| 65 if (verified_sth_.timestamp.is_null() || received_sth_is_for_larger_tree || |
| 66 (sths_for_same_tree && received_sth_is_newer)) { |
| 67 verified_sth_ = sth; |
| 68 } |
| 69 |
| 70 // Find out which SCTs can now be checked for inclusion. |
| 71 for (auto it = entries_status_.begin(); it != entries_status_.end(); ++it) { |
| 72 if (it->first < verified_sth_.timestamp) { |
| 73 it->second = SCT_PENDING_INCLUSION_CHECK; |
| 74 // TODO(eranm): Check inclusion here. |
| 75 } |
| 76 } |
| 77 } |
| 78 |
| 79 SingleTreeTracker::SCTInclusionStatus |
| 80 SingleTreeTracker::GetLogEntryInclusionStatus( |
| 81 net::X509Certificate* cert, |
| 82 const net::ct::SignedCertificateTimestamp* sct) { |
| 83 auto it = entries_status_.find(sct->timestamp); |
| 84 if (it == entries_status_.end()) |
| 85 return SCT_NOT_OBSERVED; |
| 86 |
| 87 return it->second; |
| 88 } |
| 89 |
| 90 void SingleTreeTracker::CheckLogId(const std::string& log_id) { |
| 91 DCHECK_EQ(ct_log_->key_id(), log_id) |
| 92 << "Got called for a different log: " |
| 93 << base::HexEncode(log_id.data(), log_id.size()) << " this log: " |
| 94 << base::HexEncode(ct_log_->key_id().data(), ct_log_->key_id().size()); |
| 95 } |
| 96 |
| 97 } // namespace certificate_transparency |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1845113003:
Certificate Transparency: Start tracking logs' state (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master