Cert - protobufs to serialize and deserialize CertVerifierCache.

net/cert/cert_verifier_cache_persister.cc

+// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/cert_verifier_cache_persister.h"
+
+#include "base/logging.h"
+#include "base/metrics/histogram_macros.h"
+#include "base/pickle.h"
+#include "base/strings/string_piece.h"
+#include "base/time/time.h"
+#include "net/base/hash_value.h"
+#include "net/cert/cert_type.h"
+#include "net/cert/cert_verify_result.h"
+#include "net/cert/multi_threaded_cert_verifier.h"
+#include "net/cert/proto/cert_verification.pb.h"
+#include "net/cert/x509_cert_types.h"
+#include "net/cert/x509_certificate.h"
+
+namespace net {
+
+namespace {
+
+// Update |proto_request_param| with RequestParams data from |cache_iterator|.
+void SerializeRequestParams(
+    MultiThreadedCertVerifier::Iterator& cache_iterator,
+    CertVerificationRequestParams* proto_request_param) {
+  proto_request_param->set_hostname(cache_iterator.hostname());
+  proto_request_param->set_flags(cache_iterator.flags());
+  proto_request_param->set_start_time(
+      cache_iterator.start_time().ToInternalValue());
+  for (const SHA1HashValue& value : cache_iterator.hash_values()) {
+    CertVerificationSHA1HashValue* hash_value =
+        proto_request_param->add_hash_values();
+    hash_value->set_data(value.data,
+                         sizeof(value.data) / sizeof(value.data[0]));
+  }
+}
+
+// Update |proto_result| with certificate number and updates |serialized_certs|
+// with DER-encoded representation of certificate if the certicate is not in
+// |serialized_certs|. Returns true if data is serialized correctly.
+bool SerializeCert(const X509Certificate::OSCertHandle& cert_handle,
+                   CertVerifierCachePersister::CertVector* serialized_certs,
+                   CertVerificationResult* proto_result) {
+  std::string encoded;
+  if (!X509Certificate::GetDEREncoded(cert_handle, &encoded))
+    return false;
+  const auto& it =
+      std::find(serialized_certs->begin(), serialized_certs->end(), encoded);
+  size_t cert_number = 0;
+  if (it != serialized_certs->end()) {
+    cert_number =
+        static_cast<size_t>(std::distance(serialized_certs->begin(), it));
+  } else {
+    serialized_certs->push_back(encoded);
+    cert_number = serialized_certs->size() - 1;
+  }
+  proto_result->add_cert_numbers(cert_number);
+  return true;
+}
+
+// Update |proto_cached_result| with CachedResult data from |cache_iterator|.
+// |serialized_certs| contains a list of unique DER-encoded representation of
+// certificates.
+bool SerializeCachedResult(
+    MultiThreadedCertVerifier::Iterator& cache_iterator,
+    CertVerifierCachePersister::CertVector* serialized_certs,
+    CertVerificationCachedResult* proto_cached_result) {
+  proto_cached_result->set_error(cache_iterator.error());
+
+  // Serialize CertVerifyResult.
+  CertVerificationResult* proto_result = proto_cached_result->mutable_result();
+  const CertVerifyResult& result = cache_iterator.result();
+
+  if (!SerializeCert(result.verified_cert->os_cert_handle(), serialized_certs,
+                     proto_result))
+    return false;
+  const X509Certificate::X509Certificate::OSCertHandles& intermediate_ca_certs =
+      result.verified_cert->GetIntermediateCertificates();
+  for (size_t i = 0; i < intermediate_ca_certs.size(); ++i) {
+    if (!SerializeCert(intermediate_ca_certs[i], serialized_certs,
+                       proto_result))
+      return false;
+  }
+  proto_result->set_cert_status(result.cert_status);
+  proto_result->set_has_md2(result.has_md2);
+  proto_result->set_has_md4(result.has_md4);
+  proto_result->set_has_md5(result.has_md5);
+  proto_result->set_has_sha1(result.has_sha1);
+  proto_result->set_has_sha1_leaf(result.has_sha1_leaf);
+  for (const HashValue& value : result.public_key_hashes)
+    proto_result->add_public_key_hashes(value.ToString());
+  proto_result->set_is_issued_by_known_root(result.is_issued_by_known_root);
+  proto_result->set_is_issued_by_additional_trust_anchor(
+      result.is_issued_by_additional_trust_anchor);
+  proto_result->set_common_name_fallback_used(result.common_name_fallback_used);
+  return true;
+}
+
+// Update |proto_cache_validity_period| with ValidityPeriod data from
+// |cache_iterator|.
+void SerializeValidityPeriod(
+    MultiThreadedCertVerifier::Iterator& cache_iterator,
+    CertVerificationCacheValidityPeriod* proto_cache_validity_period) {
+  proto_cache_validity_period->set_verification_time(
+      cache_iterator.verification_time().ToInternalValue());
+  proto_cache_validity_period->set_expiration_time(
+      cache_iterator.expiration_time().ToInternalValue());
+}
+
+// Update |error| and |result| with deserialized CachedResult data from
+// |proto_cached_result|. Returns true if it is deserialized correctly.
+bool DeserializeCachedResult(
+    const CertVerificationCachedResult& proto_cached_result,
+    const CertVerifierCachePersister::CertVector& deserialized_der_certs,
+    const std::string& hostname,
+    int* error,
+    CertVerifyResult* result) {
+  if (!proto_cached_result.has_error() || !proto_cached_result.has_result()) {
+    DVLOG(1) << "Invalid CertVerificationCacheEntry";
+    return false;
+  }
+  const CertVerificationResult& proto_result = proto_cached_result.result();
+  if (proto_result.cert_numbers_size() == 0 ||
+      !proto_result.has_cert_status()) {
+    DVLOG(1) << "Invalid CertVerificationResult for " << hostname;
+    return false;
+  }
+
+  *error = proto_cached_result.error();
+
+  std::vector<base::StringPiece> der_cert_pieces(
+      proto_result.cert_numbers_size());
+  for (int i = 0; i < proto_result.cert_numbers_size(); i++) {
+    size_t cert_number = proto_result.cert_numbers(i);
+    CHECK_LT(cert_number, deserialized_der_certs.size());
+    der_cert_pieces[i] = base::StringPiece(deserialized_der_certs[cert_number]);
+  }
+  result->verified_cert =
+      X509Certificate::CreateFromDERCertChain(der_cert_pieces);
+
+  for (int i = 0; i < proto_result.public_key_hashes_size(); ++i) {
+    const ::std::string& public_key_hash = proto_result.public_key_hashes(i);
+    HashValue hash;
+    if (!hash.FromString(public_key_hash)) {
+      DVLOG(1) << "CertVerificationResult has invalid public_key_hashes for "
+               << hostname;
+      return false;
+    }
+    result->public_key_hashes.push_back(hash);
+  }
+  result->cert_status = proto_result.cert_status();
+  result->has_md2 = proto_result.has_md2();
+  result->has_md4 = proto_result.has_md4();
+  result->has_md5 = proto_result.has_md5();
+  result->has_sha1 = proto_result.has_sha1();
+  result->has_sha1_leaf = proto_result.has_sha1_leaf();
+  result->is_issued_by_known_root = proto_result.is_issued_by_known_root();
+  result->is_issued_by_additional_trust_anchor =
+      proto_result.is_issued_by_additional_trust_anchor();
+  result->common_name_fallback_used = proto_result.common_name_fallback_used();
+  return true;
+}
+
+}  // namespace
+
+CertVerifierCachePersister::CertVerifierCachePersister(
+    MultiThreadedCertVerifier* verifier)
+    : verifier_(verifier) {}
+
+CertVerifierCachePersister::~CertVerifierCachePersister() {}
+
+void CertVerifierCachePersister::SerializeCache(std::string* data) {
+  base::TimeTicks start_time(base::TimeTicks::Now());
+  CertVerificationCache proto_cert_cache;
+  CertVector serialized_certs;
+
+  MultiThreadedCertVerifier::Iterator cache_iterator(*verifier_);
+  for (; cache_iterator.HasNext(); cache_iterator.Advance()) {
+    CertVerificationCacheEntry* proto_cache_entry =
+        proto_cert_cache.add_cache_entry();
+
+    CertVerificationRequestParams* proto_request_param =
+        proto_cache_entry->mutable_request_params();
+    SerializeRequestParams(cache_iterator, proto_request_param);
+
+    CertVerificationCachedResult* proto_cached_result =
+        proto_cache_entry->mutable_cached_result();
+    if (!SerializeCachedResult(cache_iterator, &serialized_certs,
+                               proto_cached_result))
+      continue;
+
+    CertVerificationCacheValidityPeriod* proto_cache_validity_period =
+        proto_cache_entry->mutable_cache_validity_period();
+    SerializeValidityPeriod(cache_iterator, proto_cache_validity_period);
+  }
+  for (const std::string& cert : serialized_certs)
+    proto_cert_cache.add_certs(cert);
+
+  proto_cert_cache.SerializeToString(data);
+  UMA_HISTOGRAM_TIMES("Net.CertVerifierCachePersister.SerializeTime",
+                      base::TimeTicks::Now() - start_time);
+}
+
+bool CertVerifierCachePersister::LoadCache(const std::string& data) {
+  base::TimeTicks load_cache_start_time = base::TimeTicks::Now();
+  CertVector deserialized_der_certs;
+  CertVerificationCache proto;
+
+  if (!proto.ParseFromString(data)) {
+    DVLOG(1) << "CertVerifierCachePersister ParseFromString failure.";
+    return false;
+  }
+
+  if (proto.certs_size() == 0u) {
+    DVLOG(1) << "CertVerifierCachePersister has no certificates.";
+    return false;
+  }
+  if (proto.cache_entry_size() == 0u) {
+    DVLOG(1) << "CertVerifierCachePersister has no cache entries.";
+    return false;
+  }
+
+  for (int i = 0; i < proto.certs_size(); ++i)
+    deserialized_der_certs.push_back(proto.certs(i));
+
+  bool detected_corrupted_data = false;
+  for (int i = 0; i < proto.cache_entry_size(); ++i) {
+    const CertVerificationCacheEntry& cache_entry = proto.cache_entry(i);
+    if (!cache_entry.has_request_params() ||
+        !cache_entry.has_cache_validity_period() ||
+        !cache_entry.has_cached_result()) {
+      DVLOG(1) << "Invalid CertVerificationCacheEntry";

[Ryan Sleevi, 2016/05/13 20:18:12]

All of these DVLOGS seem unnecessarily verbose and useless.

I'm very anti-DVLOG, but if there's a use case you're trying to address, perhaps
you could explain? DVLOGs are only for developer builds - but also show up
extensively in our test bots - so why do these add particular value? Are these
signs of programmer error? If so, doesn't DCHECK make more sense? Or are they
benign, ignorable errors? If so, why DVLOG at all?

[ramant (doing other things), 2016/05/27 19:57:13]

Deleted the DVLOGs. They are all ignorable errors.
Done.

+      detected_corrupted_data = true;
+      continue;
+    }
+
+    const CertVerificationRequestParams& proto_request_params =
+        cache_entry.request_params();
+    int hash_values_size = proto_request_params.hash_values_size();
+    if (!proto_request_params.has_hostname() ||
+        proto_request_params.hostname().empty() ||
+        !proto_request_params.has_flags() || hash_values_size <= 0 ||
+        !proto_request_params.has_start_time()) {
+      DVLOG(1) << "Invalid CertVerificationRequestParams";
+      detected_corrupted_data = true;
+      continue;
+    }
+
+    std::string hostname(proto_request_params.hostname());
+    int flags = proto_request_params.flags();
+    std::vector<SHA1HashValue> hash_values(hash_values_size);
+    for (int index = 0; index < hash_values_size; ++index) {
+      const CertVerificationSHA1HashValue& proto_hash_values =
+          proto_request_params.hash_values(index);
+      if (!proto_hash_values.has_data()) {
+        DVLOG(1) << "Invalid CertVerificationSHA1HashValue for " << hostname
+                 << flags;
+        detected_corrupted_data = true;
+        continue;
+      }
+      const std::string& data = proto_hash_values.data();
+      memcpy(hash_values[index].data, data.data(), data.length());
+    }
+    base::Time start_time =
+        base::Time::FromInternalValue(proto_request_params.start_time());
+
+    const CertVerificationCacheValidityPeriod& proto_cache_validity_period =
+        cache_entry.cache_validity_period();
+    if (!proto_cache_validity_period.has_verification_time() ||
+        !proto_cache_validity_period.has_expiration_time()) {
+      DVLOG(1) << "Invalid CertVerificationCacheValidityPeriod" << hostname;
+      detected_corrupted_data = true;
+      continue;
+    }
+    base::Time verification_time = base::Time::FromInternalValue(
+        proto_cache_validity_period.verification_time());
+    base::Time expiration_time = base::Time::FromInternalValue(
+        proto_cache_validity_period.expiration_time());
+
+    const CertVerificationCachedResult& proto_cached_result =
+        cache_entry.cached_result();
+    CertVerifyResult result;
+    int error;
+    if (!DeserializeCachedResult(proto_cached_result, deserialized_der_certs,
+                                 hostname, &error, &result)) {
+      DVLOG(1) << "Invalid CertVerificationCachedResult for " << hostname;
+      detected_corrupted_data = true;
+      continue;
+    }
+
+    if (!verifier_->AddCertResult(hostname, flags, hash_values, start_time,
+                                  error, result, verification_time,
+                                  expiration_time)) {
+      DVLOG(1) << "Didn't restore cert result entry for " << hostname;
+      detected_corrupted_data = true;
+      continue;
+    }
+  }
+  UMA_HISTOGRAM_TIMES("Net.CertVerifierCachePersister.LoadCacheTime",
+                      base::TimeTicks::Now() - load_cache_start_time);
+  return !detected_corrupted_data;
+}
+
+}  // namespace net