OLD | NEW |
---|---|
(Empty) | |
1 // Copyright (c) 2016 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "net/cert/cert_verifier_cache_persister.h" | |
6 | |
7 #include "base/logging.h" | |
8 #include "base/metrics/histogram_macros.h" | |
9 #include "base/pickle.h" | |
10 #include "base/strings/string_piece.h" | |
11 #include "base/time/time.h" | |
12 #include "net/base/hash_value.h" | |
13 #include "net/cert/cert_type.h" | |
14 #include "net/cert/cert_verify_result.h" | |
15 #include "net/cert/multi_threaded_cert_verifier.h" | |
16 #include "net/cert/proto/cert_verification.pb.h" | |
17 #include "net/cert/x509_cert_types.h" | |
18 #include "net/cert/x509_certificate.h" | |
19 | |
20 namespace net { | |
21 | |
22 namespace { | |
23 | |
24 // Update |proto_request_param| with RequestParams data from |cache_iterator|. | |
25 void SerializeRequestParams( | |
26 MultiThreadedCertVerifier::Iterator& cache_iterator, | |
27 CertVerificationRequestParams* proto_request_param) { | |
28 proto_request_param->set_hostname(cache_iterator.hostname()); | |
29 proto_request_param->set_flags(cache_iterator.flags()); | |
30 proto_request_param->set_start_time( | |
31 cache_iterator.start_time().ToInternalValue()); | |
32 for (const SHA1HashValue& value : cache_iterator.hash_values()) { | |
33 CertVerificationSHA1HashValue* hash_value = | |
34 proto_request_param->add_hash_values(); | |
35 hash_value->set_data(value.data, | |
36 sizeof(value.data) / sizeof(value.data[0])); | |
37 } | |
38 } | |
39 | |
40 // Update |proto_result| with certificate number and updates |serialized_certs| | |
41 // with DER-encoded representation of certificate if the certicate is not in | |
42 // |serialized_certs|. Returns true if data is serialized correctly. | |
43 bool SerializeCert(const X509Certificate::OSCertHandle& cert_handle, | |
44 CertVerifierCachePersister::CertVector* serialized_certs, | |
45 CertVerificationResult* proto_result) { | |
46 std::string encoded; | |
47 if (!X509Certificate::GetDEREncoded(cert_handle, &encoded)) | |
48 return false; | |
49 const auto& it = | |
50 std::find(serialized_certs->begin(), serialized_certs->end(), encoded); | |
51 size_t cert_number = 0; | |
52 if (it != serialized_certs->end()) { | |
53 cert_number = | |
54 static_cast<size_t>(std::distance(serialized_certs->begin(), it)); | |
55 } else { | |
56 serialized_certs->push_back(encoded); | |
57 cert_number = serialized_certs->size() - 1; | |
58 } | |
59 proto_result->add_cert_numbers(cert_number); | |
60 return true; | |
61 } | |
62 | |
63 // Update |proto_cached_result| with CachedResult data from |cache_iterator|. | |
64 // |serialized_certs| contains a list of unique DER-encoded representation of | |
65 // certificates. | |
66 bool SerializeCachedResult( | |
67 MultiThreadedCertVerifier::Iterator& cache_iterator, | |
68 CertVerifierCachePersister::CertVector* serialized_certs, | |
69 CertVerificationCachedResult* proto_cached_result) { | |
70 proto_cached_result->set_error(cache_iterator.error()); | |
71 | |
72 // Serialize CertVerifyResult. | |
73 CertVerificationResult* proto_result = proto_cached_result->mutable_result(); | |
74 const CertVerifyResult& result = cache_iterator.result(); | |
75 | |
76 if (!SerializeCert(result.verified_cert->os_cert_handle(), serialized_certs, | |
77 proto_result)) | |
78 return false; | |
79 const X509Certificate::X509Certificate::OSCertHandles& intermediate_ca_certs = | |
80 result.verified_cert->GetIntermediateCertificates(); | |
81 for (size_t i = 0; i < intermediate_ca_certs.size(); ++i) { | |
82 if (!SerializeCert(intermediate_ca_certs[i], serialized_certs, | |
83 proto_result)) | |
84 return false; | |
85 } | |
86 proto_result->set_cert_status(result.cert_status); | |
87 proto_result->set_has_md2(result.has_md2); | |
88 proto_result->set_has_md4(result.has_md4); | |
89 proto_result->set_has_md5(result.has_md5); | |
90 proto_result->set_has_sha1(result.has_sha1); | |
91 proto_result->set_has_sha1_leaf(result.has_sha1_leaf); | |
92 for (const HashValue& value : result.public_key_hashes) | |
93 proto_result->add_public_key_hashes(value.ToString()); | |
94 proto_result->set_is_issued_by_known_root(result.is_issued_by_known_root); | |
95 proto_result->set_is_issued_by_additional_trust_anchor( | |
96 result.is_issued_by_additional_trust_anchor); | |
97 proto_result->set_common_name_fallback_used(result.common_name_fallback_used); | |
98 return true; | |
99 } | |
100 | |
101 // Update |proto_cache_validity_period| with ValidityPeriod data from | |
102 // |cache_iterator|. | |
103 void SerializeValidityPeriod( | |
104 MultiThreadedCertVerifier::Iterator& cache_iterator, | |
105 CertVerificationCacheValidityPeriod* proto_cache_validity_period) { | |
106 proto_cache_validity_period->set_verification_time( | |
107 cache_iterator.verification_time().ToInternalValue()); | |
108 proto_cache_validity_period->set_expiration_time( | |
109 cache_iterator.expiration_time().ToInternalValue()); | |
110 } | |
111 | |
112 // Update |error| and |result| with deserialized CachedResult data from | |
113 // |proto_cached_result|. Returns true if it is deserialized correctly. | |
114 bool DeserializeCachedResult( | |
115 const CertVerificationCachedResult& proto_cached_result, | |
116 const CertVerifierCachePersister::CertVector& deserialized_der_certs, | |
117 const std::string& hostname, | |
118 int* error, | |
119 CertVerifyResult* result) { | |
120 if (!proto_cached_result.has_error() || !proto_cached_result.has_result()) { | |
121 DVLOG(1) << "Invalid CertVerificationCacheEntry"; | |
122 return false; | |
123 } | |
124 const CertVerificationResult& proto_result = proto_cached_result.result(); | |
125 if (proto_result.cert_numbers_size() == 0 || | |
126 !proto_result.has_cert_status()) { | |
127 DVLOG(1) << "Invalid CertVerificationResult for " << hostname; | |
128 return false; | |
129 } | |
130 | |
131 *error = proto_cached_result.error(); | |
132 | |
133 std::vector<base::StringPiece> der_cert_pieces( | |
134 proto_result.cert_numbers_size()); | |
135 for (int i = 0; i < proto_result.cert_numbers_size(); i++) { | |
136 size_t cert_number = proto_result.cert_numbers(i); | |
137 CHECK_LT(cert_number, deserialized_der_certs.size()); | |
138 der_cert_pieces[i] = base::StringPiece(deserialized_der_certs[cert_number]); | |
139 } | |
140 result->verified_cert = | |
141 X509Certificate::CreateFromDERCertChain(der_cert_pieces); | |
142 | |
143 for (int i = 0; i < proto_result.public_key_hashes_size(); ++i) { | |
144 const ::std::string& public_key_hash = proto_result.public_key_hashes(i); | |
145 HashValue hash; | |
146 if (!hash.FromString(public_key_hash)) { | |
147 DVLOG(1) << "CertVerificationResult has invalid public_key_hashes for " | |
148 << hostname; | |
149 return false; | |
150 } | |
151 result->public_key_hashes.push_back(hash); | |
152 } | |
153 result->cert_status = proto_result.cert_status(); | |
154 result->has_md2 = proto_result.has_md2(); | |
155 result->has_md4 = proto_result.has_md4(); | |
156 result->has_md5 = proto_result.has_md5(); | |
157 result->has_sha1 = proto_result.has_sha1(); | |
158 result->has_sha1_leaf = proto_result.has_sha1_leaf(); | |
159 result->is_issued_by_known_root = proto_result.is_issued_by_known_root(); | |
160 result->is_issued_by_additional_trust_anchor = | |
161 proto_result.is_issued_by_additional_trust_anchor(); | |
162 result->common_name_fallback_used = proto_result.common_name_fallback_used(); | |
163 return true; | |
164 } | |
165 | |
166 } // namespace | |
167 | |
168 CertVerifierCachePersister::CertVerifierCachePersister( | |
169 MultiThreadedCertVerifier* verifier) | |
170 : verifier_(verifier) {} | |
171 | |
172 CertVerifierCachePersister::~CertVerifierCachePersister() {} | |
173 | |
174 void CertVerifierCachePersister::SerializeCache(std::string* data) { | |
175 base::TimeTicks start_time(base::TimeTicks::Now()); | |
176 CertVerificationCache proto_cert_cache; | |
177 CertVector serialized_certs; | |
178 | |
179 MultiThreadedCertVerifier::Iterator cache_iterator(*verifier_); | |
180 for (; cache_iterator.HasNext(); cache_iterator.Advance()) { | |
181 CertVerificationCacheEntry* proto_cache_entry = | |
182 proto_cert_cache.add_cache_entry(); | |
183 | |
184 CertVerificationRequestParams* proto_request_param = | |
185 proto_cache_entry->mutable_request_params(); | |
186 SerializeRequestParams(cache_iterator, proto_request_param); | |
187 | |
188 CertVerificationCachedResult* proto_cached_result = | |
189 proto_cache_entry->mutable_cached_result(); | |
190 if (!SerializeCachedResult(cache_iterator, &serialized_certs, | |
191 proto_cached_result)) | |
192 continue; | |
193 | |
194 CertVerificationCacheValidityPeriod* proto_cache_validity_period = | |
195 proto_cache_entry->mutable_cache_validity_period(); | |
196 SerializeValidityPeriod(cache_iterator, proto_cache_validity_period); | |
197 } | |
198 for (const std::string& cert : serialized_certs) | |
199 proto_cert_cache.add_certs(cert); | |
200 | |
201 proto_cert_cache.SerializeToString(data); | |
202 UMA_HISTOGRAM_TIMES("Net.CertVerifierCachePersister.SerializeTime", | |
203 base::TimeTicks::Now() - start_time); | |
204 } | |
205 | |
206 bool CertVerifierCachePersister::LoadCache(const std::string& data) { | |
207 base::TimeTicks load_cache_start_time = base::TimeTicks::Now(); | |
208 CertVector deserialized_der_certs; | |
209 CertVerificationCache proto; | |
210 | |
211 if (!proto.ParseFromString(data)) { | |
212 DVLOG(1) << "CertVerifierCachePersister ParseFromString failure."; | |
213 return false; | |
214 } | |
215 | |
216 if (proto.certs_size() == 0u) { | |
217 DVLOG(1) << "CertVerifierCachePersister has no certificates."; | |
218 return false; | |
219 } | |
220 if (proto.cache_entry_size() == 0u) { | |
221 DVLOG(1) << "CertVerifierCachePersister has no cache entries."; | |
222 return false; | |
223 } | |
224 | |
225 for (int i = 0; i < proto.certs_size(); ++i) | |
226 deserialized_der_certs.push_back(proto.certs(i)); | |
227 | |
228 bool detected_corrupted_data = false; | |
229 for (int i = 0; i < proto.cache_entry_size(); ++i) { | |
230 const CertVerificationCacheEntry& cache_entry = proto.cache_entry(i); | |
231 if (!cache_entry.has_request_params() || | |
232 !cache_entry.has_cache_validity_period() || | |
233 !cache_entry.has_cached_result()) { | |
234 DVLOG(1) << "Invalid CertVerificationCacheEntry"; | |
Ryan Sleevi
2016/05/13 20:18:12
All of these DVLOGS seem unnecessarily verbose and
ramant (doing other things)
2016/05/27 19:57:13
Deleted the DVLOGs. They are all ignorable errors.
| |
235 detected_corrupted_data = true; | |
236 continue; | |
237 } | |
238 | |
239 const CertVerificationRequestParams& proto_request_params = | |
240 cache_entry.request_params(); | |
241 int hash_values_size = proto_request_params.hash_values_size(); | |
242 if (!proto_request_params.has_hostname() || | |
243 proto_request_params.hostname().empty() || | |
244 !proto_request_params.has_flags() || hash_values_size <= 0 || | |
245 !proto_request_params.has_start_time()) { | |
246 DVLOG(1) << "Invalid CertVerificationRequestParams"; | |
247 detected_corrupted_data = true; | |
248 continue; | |
249 } | |
250 | |
251 std::string hostname(proto_request_params.hostname()); | |
252 int flags = proto_request_params.flags(); | |
253 std::vector<SHA1HashValue> hash_values(hash_values_size); | |
254 for (int index = 0; index < hash_values_size; ++index) { | |
255 const CertVerificationSHA1HashValue& proto_hash_values = | |
256 proto_request_params.hash_values(index); | |
257 if (!proto_hash_values.has_data()) { | |
258 DVLOG(1) << "Invalid CertVerificationSHA1HashValue for " << hostname | |
259 << flags; | |
260 detected_corrupted_data = true; | |
261 continue; | |
262 } | |
263 const std::string& data = proto_hash_values.data(); | |
264 memcpy(hash_values[index].data, data.data(), data.length()); | |
265 } | |
266 base::Time start_time = | |
267 base::Time::FromInternalValue(proto_request_params.start_time()); | |
268 | |
269 const CertVerificationCacheValidityPeriod& proto_cache_validity_period = | |
270 cache_entry.cache_validity_period(); | |
271 if (!proto_cache_validity_period.has_verification_time() || | |
272 !proto_cache_validity_period.has_expiration_time()) { | |
273 DVLOG(1) << "Invalid CertVerificationCacheValidityPeriod" << hostname; | |
274 detected_corrupted_data = true; | |
275 continue; | |
276 } | |
277 base::Time verification_time = base::Time::FromInternalValue( | |
278 proto_cache_validity_period.verification_time()); | |
279 base::Time expiration_time = base::Time::FromInternalValue( | |
280 proto_cache_validity_period.expiration_time()); | |
281 | |
282 const CertVerificationCachedResult& proto_cached_result = | |
283 cache_entry.cached_result(); | |
284 CertVerifyResult result; | |
285 int error; | |
286 if (!DeserializeCachedResult(proto_cached_result, deserialized_der_certs, | |
287 hostname, &error, &result)) { | |
288 DVLOG(1) << "Invalid CertVerificationCachedResult for " << hostname; | |
289 detected_corrupted_data = true; | |
290 continue; | |
291 } | |
292 | |
293 if (!verifier_->AddCertResult(hostname, flags, hash_values, start_time, | |
294 error, result, verification_time, | |
295 expiration_time)) { | |
296 DVLOG(1) << "Didn't restore cert result entry for " << hostname; | |
297 detected_corrupted_data = true; | |
298 continue; | |
299 } | |
300 } | |
301 UMA_HISTOGRAM_TIMES("Net.CertVerifierCachePersister.LoadCacheTime", | |
302 base::TimeTicks::Now() - load_cache_start_time); | |
303 return !detected_corrupted_data; | |
304 } | |
305 | |
306 } // namespace net | |
OLD | NEW |