Certificate Transparency: Start tracking logs' state

components/certificate_transparency/single_tree_tracker.cc

Index: components/certificate_transparency/single_tree_tracker.cc
diff --git a/components/certificate_transparency/single_tree_tracker.cc b/components/certificate_transparency/single_tree_tracker.cc
new file mode 100644
index 0000000000000000000000000000000000000000..d928fcf463668736cc6cf760407331e349f33389
--- /dev/null
+++ b/components/certificate_transparency/single_tree_tracker.cc
@@ -0,0 +1,98 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/certificate_transparency/single_tree_tracker.h"
+
+#include <utility>
+
+#include "net/cert/ct_log_verifier.h"
+#include "net/cert/signed_certificate_timestamp.h"
+#include "net/cert/x509_certificate.h"
+
+using net::ct::SignedTreeHead;
+
+namespace certificate_transparency {
+
+SingleTreeTracker::SingleTreeTracker(
+    scoped_refptr<const net::CTLogVerifier> ct_log)
+    : ct_log_(std::move(ct_log)) {}
+
+SingleTreeTracker::~SingleTreeTracker() {}
+
+void SingleTreeTracker::OnSCTVerified(
+    net::X509Certificate* cert,
+    const net::ct::SignedCertificateTimestamp* sct) {
+  DCHECK_EQ(ct_log_->key_id(), sct->log_id)
+      << "Got called for a different log.";

[Ryan Sleevi, 2016/05/18 16:58:18]

Drop the <<  - the DCHECK message will have plenty of context showing these two
aren't equal.

[Eran Messeri, 2016/05/19 12:34:59]

Done.

+
+  // SCT was previously observed so its status should not be changed.

[Ryan Sleevi, 2016/05/18 16:58:18]

observed, so

[Eran Messeri, 2016/05/19 12:35:00]

Done.

+  if (entries_status_.find(sct->timestamp) != entries_status_.end())
+    return;
+
+  // Check if there's a valid, fresh-enough STH to check inclusion against.
+  if (verified_sth_.timestamp.is_null() ||

[Ryan Sleevi, 2016/05/18 16:58:18]

Why is timestamp.is_null() valid, out of curiousity?

[Eran Messeri, 2016/05/19 12:35:00]

My bad, documentation was bad - what we're checking here is if there's no valid
STH or the STH we have is too old. I've changed the comment to reflect it.

+      (verified_sth_.timestamp <
+       (sct->timestamp + base::TimeDelta::FromHours(24)))) {
+    // TODO(eranm): UMA - how often SCTs have to wait for a newer STH for
+    // inclusion check.
+    entries_status_.insert(
+        std::make_pair(sct->timestamp, SCT_PENDING_NEWER_STH));
+    return;
+  }
+
+  // TODO(eranm): Check inclusion here.
+  // TODO(eranm): UMA - how often inclusion can be checked immediately.
+  entries_status_.insert(
+      std::make_pair(sct->timestamp, SCT_PENDING_INCLUSION_CHECK));
+}
+
+void SingleTreeTracker::NewSTHObserved(const SignedTreeHead& sth) {
+  DCHECK_EQ(ct_log_->key_id(), sth.log_id) << "Got called for a different log.";

[Ryan Sleevi, 2016/05/18 16:58:18]

Drop the <<

[Eran Messeri, 2016/05/19 12:35:00]

Done.

+
+  if (!ct_log_->VerifySignedTreeHead(sth)) {
+    // This may be caused due to an operational error - STHs supposed to be
+    // validated prior to being pushed via the component updater, so an
+    // invalid STH should never be observed by Chrome clients.

[Ryan Sleevi, 2016/05/18 16:58:18]

Again, layering - Chrome, component updater - shouldn't be talked about here

// Sanity check the STH; the caller should have done this
// already, but being paranoid here.
if (!ct_log_->VerifySignedTreeHead(sth)) {
   ...
}

(I still don't think it's right to do here, so maybe a TODO if we think we'll
get a better place for this, or at least document that you don't think you'll
ever find a way to get rid of this check)

[Eran Messeri, 2016/05/19 12:35:00]

Done - switched to your suggested documentation and added a note saying we can't
get rid of this check here at the moment.

+    return;
+  }
+
+  // In order to avoid updating |verified_sth_| to an older STH in case
+  // an older STH is observed, check that either the observed STH is for
+  // a larger tree size or that it is for the same tree size but has
+  // a newer timestamp.
+  const bool sths_for_same_tree = verified_sth_.tree_size == sth.tree_size;
+  const bool received_sth_is_for_larger_tree =
+      (verified_sth_.tree_size > sth.tree_size);
+  const bool received_sth_is_newer = (sth.timestamp > verified_sth_.timestamp);
+
+  if (verified_sth_.timestamp.is_null() || received_sth_is_for_larger_tree ||
+      (sths_for_same_tree && received_sth_is_newer)) {
+    verified_sth_ = sth;
+  }
+
+  // Find out which SCTs can now be checked for inclusion.
+  // TODO(eranm): Keep two maps of MerkleTreeLeaf instances, one for leaves
+  // pending inclusion checks and one for leaves pending a new STH.
+  // The comparison function between MerkleTreeLeaf instances should use the
+  // timestamp to determine sorting order, so that bulk moving from one
+  // map to the other can happen.
+  auto entry = entries_status_.begin();
+  while (entry != entries_status_.end() &&
+         entry->first < verified_sth_.timestamp) {
+    entry->second = SCT_PENDING_INCLUSION_CHECK;
+    ++entry;
+    // TODO(eranm): Check inclusion here.
+  }
+}
+
+SingleTreeTracker::SCTInclusionStatus
+SingleTreeTracker::GetLogEntryInclusionStatus(
+    net::X509Certificate* cert,
+    const net::ct::SignedCertificateTimestamp* sct) {
+  auto it = entries_status_.find(sct->timestamp);
+
+  return it == entries_status_.end() ? SCT_NOT_OBSERVED : it->second;
+}
+
+}  // namespace certificate_transparency