Certificate Transparency: Start tracking logs' state

components/certificate_transparency/tree_state_tracker.cc

Index: components/certificate_transparency/tree_state_tracker.cc
diff --git a/components/certificate_transparency/tree_state_tracker.cc b/components/certificate_transparency/tree_state_tracker.cc
new file mode 100644
index 0000000000000000000000000000000000000000..32756739a9dd520da9aaecb6b35ab5eedb696296
--- /dev/null
+++ b/components/certificate_transparency/tree_state_tracker.cc
@@ -0,0 +1,175 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/certificate_transparency/tree_state_tracker.h"
+
+#include <sstream>
+
+#include "base/bind.h"
+#include "base/bind_helpers.h"
+#include "base/strings/string_number_conversions.h"
+#include "base/thread_task_runner_handle.h"
+#include "base/time/time.h"
+#include "content/public/browser/browser_thread.h"
+#include "net/cert/ct_log_verifier.h"
+#include "net/cert/merkle_consistency_proof.h"
+#include "net/cert/signed_certificate_timestamp.h"
+#include "net/cert/signed_tree_head.h"
+#include "net/cert/x509_certificate.h"
+
+using net::X509Certificate;
+using net::CTLogVerifier;
+using net::ct::SignedCertificateTimestamp;
+using net::ct::SignedTreeHead;
+
+namespace {
+
+bool STHIsTooOld(const SignedTreeHead& sth, const base::Time& sct_timestamp) {
+  return sth.timestamp < (sct_timestamp + base::TimeDelta::FromHours(24));
+}
+
+std::string StringifySTH(const SignedTreeHead& sth) {
+  std::ostringstream o;
+  PrintTo(sth, &o);
+  return o.str();
+}
+
+}  // namespace
+
+namespace certificate_transparency {
+
+TreeStateTracker::TreeStateTracker(
+    const std::vector<scoped_refptr<const CTLogVerifier>>& ct_logs)
+    : initial_load_pending_(true) {
+  for (auto it = ct_logs.begin(); it != ct_logs.end(); ++it) {
+    scoped_refptr<const CTLogVerifier> log(*it);
+    ct_logs_[log->key_id()] = log;
+    // TODO(eranm): initialize pending_scts_
+  }
+
+  /*
+  content::BrowserThread::PostAfterStartupTask(
+      FROM_HERE, base::ThreadTaskRunnerHandle::Get(),
+      base::Bind(&TreeStateTracker::LoadSTHs, base::Unretained(this)));
+      */
+}
+
+TreeStateTracker::~TreeStateTracker() {}
+
+void TreeStateTracker::OnSCTVerified(X509Certificate* cert,
+                                     const SignedCertificateTimestamp* sct) {
+  VLOG(0) << "Verified SCT observed: ";
+  if (initial_load_pending_) {
+    VLOG(0) << "But initial load pending. Skipping.";
+    // pending_scts_[sct.log_id].insert(*sct);
+    // TODO(eranm): Put in a queue.
+    return;
+  }
+
+  const auto& it = verified_sths_.find(sct->log_id);
+  std::string log_id(sct->log_id);
+  std::string log_id_hex =
+      base::HexEncode(sct->log_id.data(), sct->log_id.size());
+  if (it == verified_sths_.end() || STHIsTooOld(it->second, sct->timestamp)) {
+    VLOG(0) << "No STH found for log " << log_id_hex << " or STH is too old.";
+    // TODO(eranm): Enqueue SCT for inclusion check later.
+    return;
+  }
+
+  VLOG(0) << "Found STH for log " << log_id_hex;
+  const SignedTreeHead& sth(it->second);
+  if (!STHIsTooOld(sth, sct->timestamp)) {
+    VLOG(0) << "STH timestamp (" << sth.timestamp << ") is newer than SCT "
+            << "timestamp (" << sct->timestamp << "), could check inclusion.";
+    // TODO(eranm): Perform actual inclusion check.
+  } else {
+    VLOG(0) << "STH timestamp (" << sth.timestamp << ") is OLDER than SCT "
+            << "timestamp (" << sct->timestamp << "), need fresh STH.";
+    // TODO(eranm): Enqueue SCT for inclusion check later.
+  }
+}
+
+void TreeStateTracker::NewSTHObserved(const SignedTreeHead& sth) {
+  VLOG(0) << "New STH observed!" << StringifySTH(sth)
+          << " Initial load pending? " << initial_load_pending_;
+  initial_load_pending_ = false;
+  auto it = ct_logs_.find(sth.log_id);
+  if (it == ct_logs_.end()) {
+    VLOG(0) << "STH is for unknown log!.";
+    return;
+  }
+
+  const CTLogVerifier* log(it->second.get());
+  if (!log->VerifySignedTreeHead(sth)) {
+    VLOG(0) << "STH is for " << log->url() << " could not be verified.";
+    return;
+  }
+
+  VLOG(0) << "Signature for STH from " << log->url() << " for tree size "
+          << sth.tree_size << " verified.";
+
+  if (verified_sths_.find(sth.log_id) == verified_sths_.end()) {
+    VLOG(0) << "No STH for that log, adding.";
+    UpdateVerifiedSTH(sth.log_id, sth);
+  }
+
+  VLOG(0) << "But we already have an STH for that log."
+          << " Is that one more recent?";
+  const SignedTreeHead& known_sth = verified_sths_[sth.log_id];
+  bool sths_for_same_tree = (known_sth.tree_size == sth.tree_size);
+  bool received_sth_is_for_larger_tree = (known_sth.tree_size > sth.tree_size);
+  bool received_sth_is_newer = (sth.timestamp > known_sth.timestamp);
+
+  if (received_sth_is_for_larger_tree ||
+      (sths_for_same_tree && received_sth_is_newer)) {
+    VLOG(0) << "Observed STH is newer; replacing.";
+    UpdateVerifiedSTH(sth.log_id, sth);
+  } else {
+    VLOG(0) << "Known STH is same or newer, not replacing: "
+            << StringifySTH(known_sth);
+  }
+}
+
+/*
+void TreeStateTracker::LoadSTHs() {
+  TreeStateStorage::VerifiedSthCallback callback =
+      base::Bind(&TreeStateTracker::OnSTHLoaded, base::Unretained(this));
+
+  VLOG(0) << "Requesting load of all STHs.";
+  content::BrowserThread::PostBlockingPoolTask(
+      FROM_HERE,
+      base::Bind(base::IgnoreResult(&TreeStateStorage::LoadSTHs),
+                 base::Unretained(storage_.get()), callback));
+}
+*/
+
+void TreeStateTracker::OnSTHLoaded(const SignedTreeHead& sth) {
+  VLOG(0) << "Loaded Signed Tree Head: " << StringifySTH(sth);
+  initial_load_pending_ = false;
+  verified_sths_[sth.log_id] = sth;
+}
+
+void TreeStateTracker::UpdateVerifiedSTH(const std::string& log_id,
+                                         const SignedTreeHead& verified_sth) {
+  /*
+if (verified_sths_.find(log_id) != verified_sths_.end()) {
+  // Delete the old STH
+  old_sth = verified_sths_[log_id];
+  content::BrowserThread::PostBlockingPoolTask(
+      FROM_HERE,
+      base::Bind(base::IgnoreResult(&TreeStateStorage::DeleteSth),
+        base::Unretained(storage_.get()), old_sth));
+}
+        */
+  verified_sths_[log_id] = verified_sth;
+
+  /*
+  content::BrowserThread::PostBlockingPoolTask(
+      FROM_HERE,
+      base::Bind(base::IgnoreResult(&TreeStateStorage::SaveSth),
+                 base::Unretained(storage_.get()), verified_sth, true));
+                 */
+}
+
+}  // namespace certificate_transparency