Cert - protobufs to serialize and deserialize CertVerifierCache.

net/cert/cert_verifier_cache_persister.cc

+// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/cert_verifier_cache_persister.h"
+
+#include "base/logging.h"
+#include "base/metrics/histogram_macros.h"
+#include "base/pickle.h"
+#include "base/strings/string_piece.h"
+#include "base/time/time.h"
+#include "net/base/hash_value.h"
+#include "net/cert/cert_type.h"
+#include "net/cert/cert_verify_result.h"
+#include "net/cert/multi_threaded_cert_verifier.h"
+#include "net/cert/proto/cert_verification.pb.h"
+#include "net/cert/x509_cert_types.h"
+#include "net/cert/x509_certificate.h"
+
+namespace net {
+
+namespace {
+
+// Update |proto_request_param| with RequestParams data from |cache_iterator|.
+void SerializeRequestParams(
+    CertVerifierCacheIterator& cache_iterator,
+    CertVerificationRequestParams* proto_request_param) {
+  proto_request_param->set_hostname(cache_iterator.hostname());
+  proto_request_param->set_flags(cache_iterator.flags());
+  proto_request_param->set_start_time(
+      cache_iterator.start_time().ToInternalValue());
+  for (const SHA1HashValue& value : cache_iterator.hash_values()) {
+    CertVerificationSHA256HashValue* hash_value =
+        proto_request_param->add_hash_values();
+    hash_value->set_data(value.data,
+                         sizeof(value.data) / sizeof(value.data[0]));
+  }
+}
+
+// Update |proto_result| with certificate number and updates |serialized_certs|
+// with DER-encoded representation of certificate if the certicate is not in
+// |serialized_certs|. Returns true if data is serialized correctly.
+bool SerializeCert(const X509Certificate::OSCertHandle& cert_handle,
+                   CertVerifierCachePersister::CertVector* serialized_certs,
+                   CertVerificationResult* proto_result) {
+  std::string encoded;
+  if (!X509Certificate::GetDEREncoded(cert_handle, &encoded))
+    return false;
+  const auto& it =
+      std::find(serialized_certs->begin(), serialized_certs->end(), encoded);
+  size_t cert_number = 0;
+  if (it != serialized_certs->end()) {
+    cert_number =
+        static_cast<size_t>(std::distance(serialized_certs->begin(), it));
+  } else {
+    serialized_certs->push_back(encoded);
+    cert_number = serialized_certs->size() - 1;
+  }
+  proto_result->add_cert_numbers(cert_number);
+  return true;
+}
+
+// Update |proto_cached_result| with CachedResult data from |cache_iterator|.
+// |serialized_certs| contains a list of unique DER-encoded representation of
+// certificates.
+bool SerializeCachedResult(
+    CertVerifierCacheIterator& cache_iterator,
+    CertVerifierCachePersister::CertVector* serialized_certs,
+    CertVerificationCachedResult* proto_cached_result) {
+  proto_cached_result->set_error(cache_iterator.error());
+
+  // Serialize CertVerifyResult.
+  CertVerificationResult* proto_result = proto_cached_result->mutable_result();
+  const CertVerifyResult& result = cache_iterator.result();
+
+  if (!SerializeCert(result.verified_cert->os_cert_handle(), serialized_certs,
+                     proto_result))
+    return false;
+  const X509Certificate::X509Certificate::OSCertHandles& intermediate_ca_certs =
+      result.verified_cert->GetIntermediateCertificates();
+  for (size_t i = 0; i < intermediate_ca_certs.size(); ++i) {
+    if (!SerializeCert(intermediate_ca_certs[i], serialized_certs,
+                       proto_result))
+      return false;
+  }
+  proto_result->set_cert_status(result.cert_status);
+  proto_result->set_has_md2(result.has_md2);
+  proto_result->set_has_md4(result.has_md4);
+  proto_result->set_has_md5(result.has_md5);
+  proto_result->set_has_sha1(result.has_sha1);
+  proto_result->set_has_sha1_leaf(result.has_sha1_leaf);
+  for (const HashValue& value : result.public_key_hashes)
+    proto_result->add_public_key_hashes(value.ToString());
+  proto_result->set_is_issued_by_known_root(result.is_issued_by_known_root);
+  proto_result->set_is_issued_by_additional_trust_anchor(
+      result.is_issued_by_additional_trust_anchor);
+  proto_result->set_common_name_fallback_used(result.common_name_fallback_used);
+  return true;
+}
+
+// Update |proto_cache_validity_period| with ValidityPeriod data from
+// |cache_iterator|.
+void SerializeValidityPeriod(
+    CertVerifierCacheIterator& cache_iterator,
+    CertVerificationCacheValidityPeriod* proto_cache_validity_period) {
+  proto_cache_validity_period->set_verification_time(
+      cache_iterator.verification_time().ToInternalValue());
+  proto_cache_validity_period->set_expiration_time(
+      cache_iterator.expiration_time().ToInternalValue());
+}
+
+// Update |error| and |result| with deserialized CachedResult data from
+// |proto_cached_result|. Returns true if it is deserialized correctly.
+bool DeserializeCachedResult(
+    const CertVerificationCachedResult& proto_cached_result,
+    const CertVerifierCachePersister::CertVector& deserialized_der_certs,
+    const std::string& hostname,
+    int* error,
+    CertVerifyResult* result) {
+  if (!proto_cached_result.has_error() || !proto_cached_result.has_result()) {
+    DVLOG(1) << "Invalid CertVerificationCacheEntry";
+    return false;
+  }
+  const CertVerificationResult& proto_result = proto_cached_result.result();
+  if (proto_result.cert_numbers_size() == 0 ||
+      !proto_result.has_cert_status()) {
+    DVLOG(1) << "Invalid CertVerificationResult for " << hostname;
+    return false;
+  }
+
+  *error = proto_cached_result.error();
+
+  std::vector<base::StringPiece> der_cert_pieces(
+      proto_result.cert_numbers_size());
+  for (int i = 0; i < proto_result.cert_numbers_size(); i++) {
+    size_t cert_number = proto_result.cert_numbers(i);
+    CHECK_LT(cert_number, deserialized_der_certs.size());
+    der_cert_pieces[i] = base::StringPiece(deserialized_der_certs[cert_number]);
+  }
+  result->verified_cert =
+      X509Certificate::CreateFromDERCertChain(der_cert_pieces);
+
+  for (int i = 0; i < proto_result.public_key_hashes_size(); ++i) {
+    const ::std::string& public_key_hash = proto_result.public_key_hashes(i);
+    HashValue hash;
+    if (!hash.FromString(public_key_hash)) {
+      DVLOG(1) << "CertVerificationResult has invalid public_key_hashes for "
+               << hostname;
+      return false;
+    }
+    result->public_key_hashes.push_back(hash);
+  }
+  result->cert_status = proto_result.cert_status();
+  result->has_md2 = proto_result.has_md2();
+  result->has_md4 = proto_result.has_md4();
+  result->has_md5 = proto_result.has_md5();
+  result->has_sha1 = proto_result.has_sha1();
+  result->has_sha1_leaf = proto_result.has_sha1_leaf();
+  result->is_issued_by_known_root = proto_result.is_issued_by_known_root();
+  result->is_issued_by_additional_trust_anchor =
+      proto_result.is_issued_by_additional_trust_anchor();
+  result->common_name_fallback_used = proto_result.common_name_fallback_used();
+  return true;
+}
+
+}  // namespace
+
+CertVerifierCachePersister::CertVerifierCachePersister(
+    MultiThreadedCertVerifier* verifier)
+    : verifier_(verifier) {}
+
+CertVerifierCachePersister::~CertVerifierCachePersister() {}
+
+void CertVerifierCachePersister::SerializeCache(std::string* data) {
+  base::TimeTicks start_time(base::TimeTicks::Now());
+  CertVerificationCache proto_cert_cache;
+  CertVector serialized_certs;
+
+  CertVerifierCacheIterator cache_iterator(*verifier_);
+  for (; cache_iterator.HasNext(); cache_iterator.Advance()) {
+    CertVerificationCacheEntry* proto_cache_entry =
+        proto_cert_cache.add_cache_entry();
+
+    CertVerificationRequestParams* proto_request_param =
+        proto_cache_entry->mutable_request_params();
+    SerializeRequestParams(cache_iterator, proto_request_param);
+
+    CertVerificationCachedResult* proto_cached_result =
+        proto_cache_entry->mutable_cached_result();
+    if (!SerializeCachedResult(cache_iterator, &serialized_certs,
+                               proto_cached_result))
+      continue;
+
+    CertVerificationCacheValidityPeriod* proto_cache_validity_period =
+        proto_cache_entry->mutable_cache_validity_period();
+    SerializeValidityPeriod(cache_iterator, proto_cache_validity_period);
+  }
+  for (const std::string& cert : serialized_certs)
+    proto_cert_cache.add_certs(cert);
+
+  proto_cert_cache.SerializeToString(data);
+  UMA_HISTOGRAM_TIMES("Net.CertVerifierCachePersister.SerializeTime",
+                      base::TimeTicks::Now() - start_time);
+}
+
+bool CertVerifierCachePersister::LoadCache(const std::string& data) {
+  base::TimeTicks load_cache_start_time = base::TimeTicks::Now();
+  CertVector deserialized_der_certs;
+  CertVerificationCache proto;
+
+  if (!proto.ParseFromString(data)) {
+    DVLOG(1) << "Protobug ParseFromString failure";
+    return false;
+  }
+
+  for (int i = 0; i < proto.certs_size(); ++i)
+    deserialized_der_certs.push_back(proto.certs(i));
+
+  for (int i = 0; i < proto.cache_entry_size(); ++i) {
+    const CertVerificationCacheEntry& cache_entry = proto.cache_entry(i);
+    if (!cache_entry.has_request_params() ||
+        !cache_entry.has_cache_validity_period() ||
+        !cache_entry.has_cached_result()) {
+      DVLOG(1) << "Invalid CertVerificationCacheEntry";
+      continue;
+    }
+
+    const CertVerificationRequestParams& proto_request_params =
+        cache_entry.request_params();
+    int hash_values_size = proto_request_params.hash_values_size();
+    if (!proto_request_params.has_hostname() ||
+        proto_request_params.hostname().empty() ||
+        !proto_request_params.has_flags() || hash_values_size <= 0 ||
+        !proto_request_params.has_start_time()) {
+      DVLOG(1) << "Invalid CertVerificationRequestParams";
+      continue;
+    }
+
+    std::string hostname(proto_request_params.hostname());
+    int flags = proto_request_params.flags();
+    std::vector<SHA1HashValue> hash_values(hash_values_size);
+    for (int index = 0; index < hash_values_size; ++index) {
+      const CertVerificationSHA256HashValue& proto_hash_values =
+          proto_request_params.hash_values(index);
+      if (!proto_hash_values.has_data()) {
+        DVLOG(1) << "Invalid CertVerificationSHA256HashValue for " << hostname
+                 << flags;
+        continue;
+      }
+      const std::string& data = proto_hash_values.data();
+      memcpy(hash_values[index].data, data.data(), data.length());
+    }
+    base::Time start_time =
+        base::Time::FromInternalValue(proto_request_params.start_time());
+
+    const CertVerificationCacheValidityPeriod& proto_cache_validity_period =
+        cache_entry.cache_validity_period();
+    if (!proto_cache_validity_period.has_verification_time() ||
+        !proto_cache_validity_period.has_expiration_time()) {
+      DVLOG(1) << "Invalid CertVerificationCacheValidityPeriod" << hostname;
+      continue;
+    }
+    base::Time verification_time = base::Time::FromInternalValue(
+        proto_cache_validity_period.verification_time());
+    base::Time expiration_time = base::Time::FromInternalValue(
+        proto_cache_validity_period.expiration_time());
+
+    const CertVerificationCachedResult& proto_cached_result =
+        cache_entry.cached_result();
+    CertVerifyResult result;
+    int error;
+    if (!DeserializeCachedResult(proto_cached_result, deserialized_der_certs,
+                                 hostname, &error, &result)) {
+      DVLOG(1) << "Invalid CertVerificationCachedResult for " << hostname;
+      continue;
+    }
+
+    if (!verifier_->AddCertResult(hostname, flags, hash_values, start_time,
+                                  error, result, verification_time,
+                                  expiration_time)) {
+      DVLOG(1) << "Didn't restore cert result entry for " << hostname;
+      continue;
+    }
+  }
+  UMA_HISTOGRAM_TIMES("Net.CertVerifierCachePersister.LoadCacheTime",
+                      base::TimeTicks::Now() - load_cache_start_time);
+  return true;
+}
+
+}  // namespace net