Certificate Transparency: Start tracking logs' state

components/certificate_transparency/single_tree_tracker.cc

Index: components/certificate_transparency/single_tree_tracker.cc
diff --git a/components/certificate_transparency/single_tree_tracker.cc b/components/certificate_transparency/single_tree_tracker.cc
new file mode 100644
index 0000000000000000000000000000000000000000..14c9ed0060c4ca647965909763a417913c8fb3e9
--- /dev/null
+++ b/components/certificate_transparency/single_tree_tracker.cc
@@ -0,0 +1,109 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/certificate_transparency/single_tree_tracker.h"
+
+#include <utility>
+
+#include "base/strings/string_number_conversions.h"
+#include "net/cert/ct_log_verifier.h"
+#include "net/cert/signed_certificate_timestamp.h"
+#include "net/cert/x509_certificate.h"
+
+using net::ct::SignedTreeHead;
+
+namespace {
+
+bool STHIsTooOld(const SignedTreeHead& sth, const base::Time& sct_timestamp) {

[Ryan Sleevi, 2016/04/14 16:56:15]

Doesn't seem like this needs to be a utility function, given it's one use in a
single conditional

[Eran Messeri, 2016/04/18 22:02:12]

Done, removed.

+  return sth.timestamp < (sct_timestamp + base::TimeDelta::FromHours(24));
+}
+
+}  // namespace
+
+namespace certificate_transparency {
+
+SingleTreeTracker::SingleTreeTracker(
+    scoped_refptr<const net::CTLogVerifier>& ct_log)
+    : ct_log_(ct_log) {}

[Ryan Sleevi, 2016/04/14 16:56:15]

When you update to be by-value, move

[Eran Messeri, 2016/04/18 22:02:12]

Done.

+
+SingleTreeTracker::~SingleTreeTracker() {}
+
+void SingleTreeTracker::OnSCTVerified(
+    net::X509Certificate* cert,
+    const net::ct::SignedCertificateTimestamp* sct) {
+  CheckLogId(sct->log_id);
+
+  if (entries_status_.find(sct->timestamp) != entries_status_.end())
+    return;
+
+  if (verified_sth_.timestamp.is_null() ||
+      STHIsTooOld(verified_sth_, sct->timestamp)) {
+    // TODO(eranm): UMA - how often SCTs have to wait for a newer STH for
+    // inclusion check.
+    entries_status_.insert(
+        std::make_pair(sct->timestamp, SCT_PENDING_NEWER_STH));
+    return;
+  }
+
+  // TODO(eranm): Check inclusion here.
+  // TODO(eranm): UMA - how often inclusion can be checked immediately.
+  entries_status_.insert(
+      std::make_pair(sct->timestamp, SCT_PENDING_INCLUSION_CHECK));
+}
+
+void SingleTreeTracker::NewSTHObserved(const SignedTreeHead& sth) {
+  CheckLogId(sth.log_id);
+
+  if (!ct_log_->VerifySignedTreeHead(sth)) {
+    // This is an error - STHs are validated prior to being pushed via the
+    // component updater.

[Ryan Sleevi, 2016/04/14 16:56:15]

What sort of error is this? Developer error? In which case, DCHECK and don't
have conditionals like this.

[Eran Messeri, 2016/04/18 22:02:12]

Operational error? This would only happen if we (Google) pushed an STH that was
not verified, I think that a DCHECK here would be inappropriate.
I have removed the TODO however as it should not be common occurrence at all and
below, in CheckLogID, added a DCHECK.

+    LOG(WARNING) << "STH is for " << ct_log_->url()
+                 << " could not be verified.";
+    // TODO(eranm): UMA
+    return;
+  }
+
+  bool sths_for_same_tree = (verified_sth_.tree_size == sth.tree_size);
+  bool received_sth_is_for_larger_tree =
+      (verified_sth_.tree_size > sth.tree_size);
+  bool received_sth_is_newer = (sth.timestamp > verified_sth_.timestamp);
+
+  if (verified_sth_.timestamp.is_null() || received_sth_is_for_larger_tree ||
+      (sths_for_same_tree && received_sth_is_newer)) {
+    verified_sth_ = sth;
+  }
+
+  // Find out which SCTs can now be checked for inclusion.
+  for (auto it = entries_status_.begin(); it != entries_status_.end(); ++it) {
+    const base::Time& timestamp(it->first);

[Ryan Sleevi, 2016/04/14 16:56:15]

Seems unnecessary

[Eran Messeri, 2016/04/18 22:02:12]

Done - removed.

+    if (timestamp < verified_sth_.timestamp) {
+      it->second = SCT_PENDING_INCLUSION_CHECK;
+      // TODO(eranm): Check inclusion here.
+    }
+  }
+}
+
+SingleTreeTracker::SCTInclusionStatus
+SingleTreeTracker::GetLogEntryInclusionStatus(
+    net::X509Certificate* cert,
+    const net::ct::SignedCertificateTimestamp* sct) {
+  auto it = entries_status_.find(sct->timestamp);
+  if (it == entries_status_.end())
+    return SCT_NOT_OBSERVED;
+
+  return it->second;
+}
+
+void SingleTreeTracker::CheckLogId(const std::string& log_id) {
+  if (log_id != ct_log_->key_id()) {

[Ryan Sleevi, 2016/04/14 16:56:16]

Explain why or when this happens.

As far as I can tell, it's developer error, and never legitimate, in which case,
drop this method entirely, and

DCHECK_EQ(ct_log->key_id(), log_id)

[Eran Messeri, 2016/04/18 22:02:12]

You're right - it's a developer error, so changed to DCHECK_EQ.

+    LOG(ERROR) << "Got called for a different log: "
+               << base::HexEncode(log_id.data(), log_id.size())
+               << " this log: " << base::HexEncode(ct_log_->key_id().data(),
+                                                   ct_log_->key_id().size());
+    NOTREACHED();
+    return;
+  }
+}
+
+}  // namespace certificate_transparency