OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_CERT_MULTI_THREADED_CERT_VERIFIER_H_ | 5 #ifndef NET_CERT_MULTI_THREADED_CERT_VERIFIER_H_ |
6 #define NET_CERT_MULTI_THREADED_CERT_VERIFIER_H_ | 6 #define NET_CERT_MULTI_THREADED_CERT_VERIFIER_H_ |
7 | 7 |
8 #include <stddef.h> | 8 #include <stddef.h> |
9 #include <stdint.h> | 9 #include <stdint.h> |
10 | 10 |
(...skipping 23 matching lines...) |
34 class CertVerifierWorker; | 34 class CertVerifierWorker; |
35 class CertVerifyProc; | 35 class CertVerifyProc; |
36 | 36 |
37 // MultiThreadedCertVerifier is a CertVerifier implementation that runs | 37 // MultiThreadedCertVerifier is a CertVerifier implementation that runs |
38 // synchronous CertVerifier implementations on worker threads. | 38 // synchronous CertVerifier implementations on worker threads. |
39 class NET_EXPORT_PRIVATE MultiThreadedCertVerifier | 39 class NET_EXPORT_PRIVATE MultiThreadedCertVerifier |
40 : public CertVerifier, | 40 : public CertVerifier, |
41 NON_EXPORTED_BASE(public base::NonThreadSafe), | 41 NON_EXPORTED_BASE(public base::NonThreadSafe), |
42 public CertDatabase::Observer { | 42 public CertDatabase::Observer { |
43 public: | 43 public: |
44 explicit MultiThreadedCertVerifier(CertVerifyProc* verify_proc); | |
45 | |
46 // When the verifier is destroyed, all certificate verifications requests are | |
47 // canceled, and their completion callbacks will not be called. | |
48 ~MultiThreadedCertVerifier() override; | |
49 | |
50 // Configures a source of additional certificates that should be treated as | |
51 // trust anchors during verification, provided that the underlying | |
52 // CertVerifyProc supports additional trust beyond the default implementation. | |
53 // The CertTrustAnchorProvider will only be accessed on the same | |
54 // thread that Verify() is called on; that is, it will not be | |
55 // accessed from worker threads. | |
56 // It must outlive the MultiThreadedCertVerifier. | |
57 void SetCertTrustAnchorProvider( | |
58 CertTrustAnchorProvider* trust_anchor_provider); | |
59 | |
60 // CertVerifier implementation | |
61 int Verify(X509Certificate* cert, | |
62 const std::string& hostname, | |
63 const std::string& ocsp_response, | |
64 int flags, | |
65 CRLSet* crl_set, | |
66 CertVerifyResult* verify_result, | |
67 const CompletionCallback& callback, | |
68 std::unique_ptr<Request>* out_req, | |
69 const BoundNetLog& net_log) override; | |
70 | |
71 bool SupportsOCSPStapling() override; | |
72 | |
73 private: | |
74 struct JobToRequestParamsComparator; | |
75 friend class CertVerifierRequest; | |
76 friend class CertVerifierJob; | |
77 friend class MultiThreadedCertVerifierTest; | |
78 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, CacheHit); | |
79 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, DifferentCACerts); | |
80 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, InflightJoin); | |
81 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, MultipleInflightJoin); | |
82 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, CancelRequest); | |
83 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, | |
84 RequestParamsComparators); | |
85 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, | |
86 CertTrustAnchorProvider); | |
87 | |
88 // Input parameters of a certificate verification request. | 44 // Input parameters of a certificate verification request. |
89 struct NET_EXPORT_PRIVATE RequestParams { | 45 struct NET_EXPORT_PRIVATE RequestParams { |
90 RequestParams(const SHA1HashValue& cert_fingerprint_arg, | 46 RequestParams(const SHA1HashValue& cert_fingerprint_arg, |
91 const SHA1HashValue& ca_fingerprint_arg, | 47 const SHA1HashValue& ca_fingerprint_arg, |
92 const std::string& hostname_arg, | 48 const std::string& hostname_arg, |
93 const std::string& ocsp_response_arg, | 49 const std::string& ocsp_response_arg, |
94 int flags_arg, | 50 int flags_arg, |
95 const CertificateList& additional_trust_anchors); | 51 const CertificateList& additional_trust_anchors); |
96 RequestParams(const RequestParams& other); | 52 RequestParams(const RequestParams& other); |
| 53 RequestParams(const std::string& hostname_arg, |
| 54 int flags_arg, |
| 55 const std::vector<SHA1HashValue>& hash_values_arg, |
| 56 const base::Time& start_time_arg); |
97 ~RequestParams(); | 57 ~RequestParams(); |
98 | 58 |
99 bool operator<(const RequestParams& other) const; | 59 bool operator<(const RequestParams& other) const; |
100 | 60 |
101 std::string hostname; | 61 std::string hostname; |
102 int flags; | 62 int flags; |
103 std::vector<SHA1HashValue> hash_values; | 63 std::vector<SHA1HashValue> hash_values; |
104 // The time when verification started. | 64 // The time when verification started. |
105 // Note: This uses base::Time, rather than base::TimeTicks, to | 65 // Note: This uses base::Time, rather than base::TimeTicks, to |
106 // account for system clock changes. | 66 // account for system clock changes. |
107 base::Time start_time; | 67 base::Time start_time; |
108 }; | 68 }; |
109 | 69 |
110 // CachedResult contains the result of a certificate verification. | 70 // CachedResult contains the result of a certificate verification. |
111 struct NET_EXPORT_PRIVATE CachedResult { | 71 struct NET_EXPORT_PRIVATE CachedResult { |
112 CachedResult(); | 72 CachedResult(); |
| 73 CachedResult(int error_arg, CertVerifyResult result_arg); |
113 ~CachedResult(); | 74 ~CachedResult(); |
114 | 75 |
115 int error; // The return value of CertVerifier::Verify. | 76 int error; // The return value of CertVerifier::Verify. |
116 CertVerifyResult result; // The output of CertVerifier::Verify. | 77 CertVerifyResult result; // The output of CertVerifier::Verify. |
117 }; | 78 }; |
118 | 79 |
119 // Rather than having a single validity point along a monotonically increasing | 80 // Rather than having a single validity point along a monotonically increasing |
120 // timeline, certificate verification is based on falling within a range of | 81 // timeline, certificate verification is based on falling within a range of |
121 // the certificate's NotBefore and NotAfter and based on what the current | 82 // the certificate's NotBefore and NotAfter and based on what the current |
122 // system clock says (which may advance forwards or backwards as users correct | 83 // system clock says (which may advance forwards or backwards as users correct |
123 // clock skew). CacheValidityPeriod and CacheExpirationFunctor are helpers to | 84 // clock skew). CacheValidityPeriod and CacheExpirationFunctor are helpers to |
124 // ensure that expiration is measured both by the 'general' case (now + cache | 85 // ensure that expiration is measured both by the 'general' case (now + cache |
125 // TTL) and by whether or not significant enough clock skew was introduced | 86 // TTL) and by whether or not significant enough clock skew was introduced |
126 // since the last verification. | 87 // since the last verification. |
127 struct CacheValidityPeriod { | 88 struct CacheValidityPeriod { |
128 explicit CacheValidityPeriod(const base::Time& now); | 89 explicit CacheValidityPeriod(const base::Time& now); |
129 CacheValidityPeriod(const base::Time& now, const base::Time& expiration); | 90 CacheValidityPeriod(const base::Time& now, const base::Time& expiration); |
130 | 91 |
131 base::Time verification_time; | 92 base::Time verification_time; |
132 base::Time expiration_time; | 93 base::Time expiration_time; |
133 }; | 94 }; |
134 | 95 |
135 struct CacheExpirationFunctor { | 96 struct CacheExpirationFunctor { |
136 // Returns true iff |now| is within the validity period of |expiration|. | 97 // Returns true iff |now| is within the validity period of |expiration|. |
137 bool operator()(const CacheValidityPeriod& now, | 98 bool operator()(const CacheValidityPeriod& now, |
138 const CacheValidityPeriod& expiration) const; | 99 const CacheValidityPeriod& expiration) const; |
139 }; | 100 }; |
140 | 101 |
| 102 typedef ExpiringCache<RequestParams, |
| 103 CachedResult, |
| 104 CacheValidityPeriod, |
| 105 CacheExpirationFunctor> |
| 106 CertVerifierCache; |
| 107 |
| 108 class NET_EXPORT_PRIVATE Iterator { |
| 109 public: |
| 110 explicit Iterator(const MultiThreadedCertVerifier& verifier); |
| 111 ~Iterator(); |
| 112 |
| 113 bool HasNext() const { return iterator_.HasNext(); } |
| 114 void Advance() { iterator_.Advance(); } |
| 115 |
| 116 const std::string& hostname() const { return iterator_.key().hostname; } |
| 117 int flags() const { return iterator_.key().flags; } |
| 118 const std::vector<SHA1HashValue>& hash_values() const { |
| 119 return iterator_.key().hash_values; |
| 120 } |
| 121 const base::Time& start_time() const { return iterator_.key().start_time; } |
| 122 int error() const { return iterator_.value().error; } |
| 123 const CertVerifyResult& result() const { return iterator_.value().result; } |
| 124 const base::Time& verification_time() const { |
| 125 return iterator_.expiration().verification_time; |
| 126 } |
| 127 const base::Time& expiration_time() const { |
| 128 return iterator_.expiration().expiration_time; |
| 129 } |
| 130 |
| 131 private: |
| 132 CertVerifierCache::Iterator iterator_; |
| 133 |
| 134 DISALLOW_COPY_AND_ASSIGN(Iterator); |
| 135 }; |
| 136 |
| 137 explicit MultiThreadedCertVerifier(CertVerifyProc* verify_proc); |
| 138 |
| 139 // When the verifier is destroyed, all certificate verifications requests are |
| 140 // canceled, and their completion callbacks will not be called. |
| 141 ~MultiThreadedCertVerifier() override; |
| 142 |
| 143 // Configures a source of additional certificates that should be treated as |
| 144 // trust anchors during verification, provided that the underlying |
| 145 // CertVerifyProc supports additional trust beyond the default implementation. |
| 146 // The CertTrustAnchorProvider will only be accessed on the same |
| 147 // thread that Verify() is called on; that is, it will not be |
| 148 // accessed from worker threads. |
| 149 // It must outlive the MultiThreadedCertVerifier. |
| 150 void SetCertTrustAnchorProvider( |
| 151 CertTrustAnchorProvider* trust_anchor_provider); |
| 152 |
| 153 // CertVerifier implementation |
| 154 int Verify(X509Certificate* cert, |
| 155 const std::string& hostname, |
| 156 const std::string& ocsp_response, |
| 157 int flags, |
| 158 CRLSet* crl_set, |
| 159 CertVerifyResult* verify_result, |
| 160 const CompletionCallback& callback, |
| 161 std::unique_ptr<Request>* out_req, |
| 162 const BoundNetLog& net_log) override; |
| 163 |
| 164 bool SupportsOCSPStapling() override; |
| 165 |
| 166 // Caches |result| as the result for |hostname|, with the error code |
| 167 // of |error|, which was previously obtained by calling |Verify()| |
| 168 // with |flags| at |start_time|, for the certificate whose ordered |
| 169 // chain was |hash_values|, which was completed at |
| 170 // |verification_time|, and should expire by |expiration_time|. |
| 171 // If it returns true, subsequent calls to |Verify()| will return this |
| 172 // result, if it is before |expiration_time| and matches the |
| 173 // |hostname| and |flags|. |
| 174 bool AddCertResult(const std::string& hostname, |
| 175 int flags, |
| 176 const std::vector<SHA1HashValue>& hash_values, |
| 177 const base::Time& start_time, |
| 178 int error, |
| 179 const CertVerifyResult& result, |
| 180 const base::Time& verification_time, |
| 181 const base::Time& expiration_time); |
| 182 |
| 183 private: |
| 184 struct JobToRequestParamsComparator; |
| 185 friend class CertVerifierRequest; |
| 186 friend class CertVerifierJob; |
| 187 friend class MultiThreadedCertVerifierTest; |
| 188 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, CacheHit); |
| 189 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, DifferentCACerts); |
| 190 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, InflightJoin); |
| 191 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, MultipleInflightJoin); |
| 192 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, CancelRequest); |
| 193 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, |
| 194 RequestParamsComparators); |
| 195 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, |
| 196 CertTrustAnchorProvider); |
| 197 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, CacheHitIterator); |
| 198 FRIEND_TEST_ALL_PREFIXES(MultiThreadedCertVerifierTest, AddCertResult); |
| 199 |
141 struct JobComparator { | 200 struct JobComparator { |
142 bool operator()(const CertVerifierJob* job1, | 201 bool operator()(const CertVerifierJob* job1, |
143 const CertVerifierJob* job2) const; | 202 const CertVerifierJob* job2) const; |
144 }; | 203 }; |
145 | 204 |
146 using JobSet = std::set<CertVerifierJob*, JobComparator>; | 205 using JobSet = std::set<CertVerifierJob*, JobComparator>; |
147 | 206 |
148 typedef ExpiringCache<RequestParams, CachedResult, CacheValidityPeriod, | |
149 CacheExpirationFunctor> CertVerifierCache; | |
150 | |
151 // Saves |result| into the cache, keyed by |key|. | 207 // Saves |result| into the cache, keyed by |key|. |
152 void SaveResultToCache(const RequestParams& key, const CachedResult& result); | 208 void SaveResultToCache(const RequestParams& key, const CachedResult& result); |
153 | 209 |
154 // CertDatabase::Observer methods: | 210 // CertDatabase::Observer methods: |
155 void OnCACertChanged(const X509Certificate* cert) override; | 211 void OnCACertChanged(const X509Certificate* cert) override; |
156 | 212 |
157 // Returns an inflight job for |key|. If there is no such job then returns | 213 // Returns an inflight job for |key|. If there is no such job then returns |
158 // null. | 214 // null. |
159 CertVerifierJob* FindJob(const RequestParams& key); | 215 CertVerifierJob* FindJob(const RequestParams& key); |
160 | 216 |
(...skipping 21 matching lines...) |
182 scoped_refptr<CertVerifyProc> verify_proc_; | 238 scoped_refptr<CertVerifyProc> verify_proc_; |
183 | 239 |
184 CertTrustAnchorProvider* trust_anchor_provider_; | 240 CertTrustAnchorProvider* trust_anchor_provider_; |
185 | 241 |
186 DISALLOW_COPY_AND_ASSIGN(MultiThreadedCertVerifier); | 242 DISALLOW_COPY_AND_ASSIGN(MultiThreadedCertVerifier); |
187 }; | 243 }; |
188 | 244 |
189 } // namespace net | 245 } // namespace net |
190 | 246 |
191 #endif // NET_CERT_MULTI_THREADED_CERT_VERIFIER_H_ | 247 #endif // NET_CERT_MULTI_THREADED_CERT_VERIFIER_H_ |
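Review bot: The comment on the new public `AddCertResult()` (new lines 166-181) does not say when the function returns false or what the caller must guarantee about its inputs, even though, per that same comment, an accepted entry is handed back by later `Verify()` calls instead of a fresh verification. The header shows no validation of `error`, `result`, `hash_values` or the two times, so I would state the contract explicitly, for example `// Callers must only pass values obtained from an earlier Verify() and kept in storage that cannot be tampered with; returns false, caching nothing, if <conditions>.`, with the conditions filled in from the implementation, which is not visible on this page. The new `Iterator` class (new lines 108-135) has no comment at all; it wraps a `CertVerifierCache::Iterator` built from the verifier, so a line such as `// Must not outlive |verifier|.` would help, assuming it keeps a reference into the verifier's cache.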