Certificate Transparency: Start tracking logs' state

components/certificate_transparency/single_tree_tracker.cc

Index: components/certificate_transparency/single_tree_tracker.cc
diff --git a/components/certificate_transparency/single_tree_tracker.cc b/components/certificate_transparency/single_tree_tracker.cc
new file mode 100644
index 0000000000000000000000000000000000000000..d9ca13922a90d5e2d4d9d464fd40892461035fce
--- /dev/null
+++ b/components/certificate_transparency/single_tree_tracker.cc
@@ -0,0 +1,97 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/certificate_transparency/single_tree_tracker.h"
+
+#include <utility>
+
+#include "base/strings/string_number_conversions.h"
+#include "net/cert/ct_log_verifier.h"
+#include "net/cert/signed_certificate_timestamp.h"
+#include "net/cert/x509_certificate.h"
+
+using net::ct::SignedTreeHead;
+
+namespace certificate_transparency {
+
+SingleTreeTracker::SingleTreeTracker(
+    scoped_refptr<const net::CTLogVerifier> ct_log)
+    : ct_log_(ct_log) {}
+
+SingleTreeTracker::~SingleTreeTracker() {}
+
+void SingleTreeTracker::OnSCTVerified(
+    net::X509Certificate* cert,
+    const net::ct::SignedCertificateTimestamp* sct) {
+  CheckLogId(sct->log_id);
+
+  if (entries_status_.find(sct->timestamp) != entries_status_.end())
+    return;
+
+  if (verified_sth_.timestamp.is_null() ||
+      (verified_sth_.timestamp <
+       (sct->timestamp + base::TimeDelta::FromHours(24)))) {
+    // TODO(eranm): UMA - how often SCTs have to wait for a newer STH for
+    // inclusion check.
+    entries_status_.insert(
+        std::make_pair(sct->timestamp, SCT_PENDING_NEWER_STH));
+    return;
+  }
+
+  // TODO(eranm): Check inclusion here.
+  // TODO(eranm): UMA - how often inclusion can be checked immediately.
+  entries_status_.insert(
+      std::make_pair(sct->timestamp, SCT_PENDING_INCLUSION_CHECK));
+}
+
+void SingleTreeTracker::NewSTHObserved(const SignedTreeHead& sth) {
+  CheckLogId(sth.log_id);
+
+  if (!ct_log_->VerifySignedTreeHead(sth)) {
+    // This may be caused due to an operational error - STHs are expected
+    // validated prior to being pushed via the component updater, so an
+    // invalid STH should never be observed by Chrome clients.
+    LOG(WARNING) << "STH is for " << ct_log_->url()
+                 << " could not be verified.";
+    return;
+  }
+
+  bool sths_for_same_tree = (verified_sth_.tree_size == sth.tree_size);
+  bool received_sth_is_for_larger_tree =
+      (verified_sth_.tree_size > sth.tree_size);
+  bool received_sth_is_newer = (sth.timestamp > verified_sth_.timestamp);
+
+  if (verified_sth_.timestamp.is_null() || received_sth_is_for_larger_tree ||
+      (sths_for_same_tree && received_sth_is_newer)) {
+    verified_sth_ = sth;
+  }
+
+  // Find out which SCTs can now be checked for inclusion.
+  for (auto it = entries_status_.begin(); it != entries_status_.end(); ++it) {
+    if (it->first < verified_sth_.timestamp) {
+      it->second = SCT_PENDING_INCLUSION_CHECK;
+      // TODO(eranm): Check inclusion here.
+    }
+  }
+}
+
+SingleTreeTracker::SCTInclusionStatus
+SingleTreeTracker::GetLogEntryInclusionStatus(
+    net::X509Certificate* cert,
+    const net::ct::SignedCertificateTimestamp* sct) {
+  auto it = entries_status_.find(sct->timestamp);
+  if (it == entries_status_.end())
+    return SCT_NOT_OBSERVED;
+
+  return it->second;
+}
+
+void SingleTreeTracker::CheckLogId(const std::string& log_id) {
+  DCHECK_EQ(ct_log_->key_id(), log_id)
+      << "Got called for a different log: "
+      << base::HexEncode(log_id.data(), log_id.size()) << " this log: "
+      << base::HexEncode(ct_log_->key_id().data(), ct_log_->key_id().size());
+}
+
+}  // namespace certificate_transparency