components/certificate_transparency/single_tree_tracker.cc - Issue 1845113003: Certificate Transparency: Start tracking logs' state

Side by Side Diff: components/certificate_transparency/single_tree_tracker.cc

Issue 1845113003: Certificate Transparency: Start tracking logs' state (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Catching up with master Created 4 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« chrome/browser/io_thread.cc ('K') | « components/certificate_transparency/single_tree_tracker.h ('k') | components/certificate_transparency/single_tree_tracker_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
(Empty)
	1 // Copyright 2016 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "components/certificate_transparency/single_tree_tracker.h"

	6

	7 #include <utility>

	8

	9 #include "base/strings/string_number_conversions.h"

	10 #include "net/cert/ct_log_verifier.h"

	11 #include "net/cert/signed_certificate_timestamp.h"

	12 #include "net/cert/x509_certificate.h"

	13

	14 using net::ct::SignedTreeHead;

	15

	16 namespace certificate_transparency {

	17

	18 SingleTreeTracker::SingleTreeTracker(

	19 scoped_refptr<const net::CTLogVerifier> ct_log)

	20 : ct_log_(ct_log) {}

	21

	22 SingleTreeTracker::~SingleTreeTracker() {}

	23

	24 void SingleTreeTracker::OnSCTVerified(

	25 net::X509Certificate* cert,

	26 const net::ct::SignedCertificateTimestamp* sct) {

	27 CheckLogId(sct->log_id);

	28

	29 if (entries_status_.find(sct->timestamp) != entries_status_.end())

	30 return;

	31

	32 if (verified_sth_.timestamp.is_null() \|\|

	33 (verified_sth_.timestamp <

	34 (sct->timestamp + base::TimeDelta::FromHours(24)))) {

	35 // TODO(eranm): UMA - how often SCTs have to wait for a newer STH for

	36 // inclusion check.

	37 entries_status_.insert(

	38 std::make_pair(sct->timestamp, SCT_PENDING_NEWER_STH));

	39 return;

	40 }

	41

	42 // TODO(eranm): Check inclusion here.

	43 // TODO(eranm): UMA - how often inclusion can be checked immediately.

	44 entries_status_.insert(

	45 std::make_pair(sct->timestamp, SCT_PENDING_INCLUSION_CHECK));

	46 }

	47

	48 void SingleTreeTracker::NewSTHObserved(const SignedTreeHead& sth) {

	49 CheckLogId(sth.log_id);

	50

	51 if (!ct_log_->VerifySignedTreeHead(sth)) {

	52 // This may be caused due to an operational error - STHs are expected

	53 // validated prior to being pushed via the component updater, so an

	54 // invalid STH should never be observed by Chrome clients.

	55 LOG(WARNING) << "STH is for " << ct_log_->url()

	56 << " could not be verified.";
	Ryan Sleevi 2016/04/27 23:05:59 So who is expected to look at this? Under what sce So who is expected to look at this? Under what scenarios? This is another example where I don't believe the logging is useful. Eran Messeri 2016/05/03 15:00:12 Removed. Show quoted text On 2016/04/27 23:05:59, Ryan Sleevi wrote: > So who is expected to look at this? Under what scenarios? > > This is another example where I don't believe the logging is useful. Removed.
	57 return;

	58 }

	59

	60 bool sths_for_same_tree = (verified_sth_.tree_size == sth.tree_size);

	61 bool received_sth_is_for_larger_tree =

	62 (verified_sth_.tree_size > sth.tree_size);

	63 bool received_sth_is_newer = (sth.timestamp > verified_sth_.timestamp);

	64

	65 if (verified_sth_.timestamp.is_null() \|\| received_sth_is_for_larger_tree \|\|

	66 (sths_for_same_tree && received_sth_is_newer)) {

	67 verified_sth_ = sth;

	68 }

	69

	70 // Find out which SCTs can now be checked for inclusion.

	71 for (auto& entry : entries_status_) {

	72 if (entry.first < verified_sth_.timestamp) {

	73 entry.second = SCT_PENDING_INCLUSION_CHECK;

	74 // TODO(eranm): Check inclusion here.

	75 }

	76 }

	77 }

	78

	79 SingleTreeTracker::SCTInclusionStatus

	80 SingleTreeTracker::GetLogEntryInclusionStatus(

	81 net::X509Certificate* cert,

	82 const net::ct::SignedCertificateTimestamp* sct) {

	83 auto it = entries_status_.find(sct->timestamp);

	84 if (it == entries_status_.end())

	85 return SCT_NOT_OBSERVED;

	86

	87 return it->second;

	88 }

	89

	90 void SingleTreeTracker::CheckLogId(const std::string& log_id) {

	91 DCHECK_EQ(ct_log_->key_id(), log_id)

	92 << "Got called for a different log: "

	93 << base::HexEncode(log_id.data(), log_id.size()) << " this log: "

	94 << base::HexEncode(ct_log_->key_id().data(), ct_log_->key_id().size());
	Ryan Sleevi 2016/04/27 23:05:59 Seems overly verbose for a DCHECK. Because it's a Seems overly verbose for a DCHECK. Because it's a developer error, and it triggers a debug breakpoint, anyone hitting this should just attach with a debugger. Eran Messeri 2016/05/03 15:00:13 Done, removed verbose printout, left only the DCHE Show quoted text On 2016/04/27 23:05:59, Ryan Sleevi wrote: > Seems overly verbose for a DCHECK. Because it's a developer error, and it > triggers a debug breakpoint, anyone hitting this should just attach with a > debugger. Done, removed verbose printout, left only the DCHECK_EQ.
	95 }

	96

	97 } // namespace certificate_transparency

OLD	NEW