Cert - protobufs to serialize and deserialize CertVerifierCache.

net/cert/cert_verifier_cache_persister.cc

+// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/cert_verifier_cache_persister.h"
+
+#include "base/logging.h"
+#include "base/metrics/histogram_macros.h"
+#include "base/pickle.h"
+#include "base/time/time.h"
+#include "net/base/hash_value.h"
+#include "net/cert/cert_verify_result.h"
+#include "net/cert/proto/cert_verification.pb.h"
+#include "net/cert/x509_certificate.h"
+
+namespace net {
+
+CertVerifierCachePersister::CertVerifierCachePersister(
+    MultiThreadedCertVerifier* verifier)
+    : verifier_(verifier) {}
+
+CertVerifierCachePersister::~CertVerifierCachePersister() {}
+
+void CertVerifierCachePersister::SerializeCache(std::string* data) {
+  base::TimeTicks start_time(base::TimeTicks::Now());
+  CertVerificationCache proto_cert_cache;
+
+  MultiThreadedCertVerifier::CertVerifierCacheIterator cache_iterator(
+      *verifier_);
+  for (; cache_iterator.HasNext(); cache_iterator.Advance()) {
+    CertVerificationCacheEntry* proto_cache_entry =
+        proto_cert_cache.add_cache_entry();
+
+    CertVerificationRequestParams* proto_request_param =
+        proto_cache_entry->mutable_request_params();
+    SerializeRequestParams(cache_iterator, proto_request_param);
+
+    CertVerificationCachedResult* proto_cached_result =
+        proto_cache_entry->mutable_cached_result();
+    SerializeCachedResult(cache_iterator, proto_cached_result);
+
+    CertVerificationCacheValidityPeriod* proto_cache_validity_period =
+        proto_cache_entry->mutable_cache_validity_period();
+    SerializeValidityPeriod(cache_iterator, proto_cache_validity_period);
+  }
+
+  proto_cert_cache.SerializeToString(data);
+  UMA_HISTOGRAM_TIMES("Net.CertVerifierCachePersister.SerializeTime",
+                      base::TimeTicks::Now() - start_time);
+}
+
+bool CertVerifierCachePersister::LoadCache(const std::string& data) {
+  base::TimeTicks start_time(base::TimeTicks::Now());
+
+  CertVerificationCache proto;
+  if (!proto.ParseFromString(data)) {
+    DVLOG(1) << "Protobug ParseFromString failure";
+    return false;
+  }
+  for (int i = 0; i < proto.cache_entry_size(); ++i) {
+    const CertVerificationCacheEntry& cache_entry = proto.cache_entry(i);
+    if (!cache_entry.has_request_params() ||
+        !cache_entry.has_cache_validity_period() ||
+        !cache_entry.has_cached_result()) {
+      DVLOG(1) << "Invalid CertVerificationCacheEntry";
+      continue;
+    }
+
+    const CertVerificationRequestParams& proto_request_params =
+        cache_entry.request_params();
+    MultiThreadedCertVerifier::RequestParams key;
+    if (!DeserializeRequestParams(proto_request_params, &key))
+      continue;
+
+    MultiThreadedCertVerifier::CacheValidityPeriod expiration(
+        base::Time::Now());
+    const MultiThreadedCertVerifier::CertVerifierCache::value_type*
+        cached_entry = verifier_->cache_.Get(key, expiration);
+    if (cached_entry) {
+      DVLOG(1) << "Already exists in the cache for " << key.hostname;
+      continue;
+    }
+
+    const CertVerificationCacheValidityPeriod& proto_cache_validity_period =
+        cache_entry.cache_validity_period();
+    if (!DeserializeValidityPeriod(proto_cache_validity_period, key.hostname,
+                                   &expiration)) {
+      continue;
+    }
+
+    const CertVerificationCachedResult& proto_cached_result =
+        cache_entry.cached_result();
+    MultiThreadedCertVerifier::CachedResult cached_result;
+    if (!DeserializeCachedResult(proto_cached_result, key.hostname,
+                                 &cached_result)) {
+      continue;
+    }
+
+    verifier_->cache_.Put(
+        key, cached_result,
+        MultiThreadedCertVerifier::CacheValidityPeriod(key.start_time),
+        expiration);
+  }
+  UMA_HISTOGRAM_TIMES("Net.CertVerifierCachePersister.LoadCacheTime",
+                      base::TimeTicks::Now() - start_time);
+  return true;
+}
+
+void CertVerifierCachePersister::SerializeRequestParams(
+    MultiThreadedCertVerifier::CertVerifierCacheIterator& cache_iterator,
+    CertVerificationRequestParams* proto_request_param) {
+  proto_request_param->set_hostname(cache_iterator.hostname());
+  proto_request_param->set_flags(cache_iterator.flags());
+  proto_request_param->set_start_time(
+      cache_iterator.start_time().ToInternalValue());
+  for (const SHA1HashValue& value : cache_iterator.hash_values()) {
+    CertVerificationSHA1HashValue* hash_value =
+        proto_request_param->add_hash_values();
+    hash_value->set_data(value.data, 20);
+  }
+}
+
+void CertVerifierCachePersister::SerializeCachedResult(
+    MultiThreadedCertVerifier::CertVerifierCacheIterator& cache_iterator,
+    CertVerificationCachedResult* proto_cached_result) {
+  proto_cached_result->set_error(cache_iterator.error());
+
+  // Serialize CertVerifyResult.
+  CertVerificationResult* proto_result = proto_cached_result->mutable_result();
+  const CertVerifyResult& result = cache_iterator.result();
+
+  // TODO(rtenneti): Don't use picke to persist the certificates. Persist each
+  // unique individual certificate.
+  base::Pickle pickle;
+  result.verified_cert->Persist(&pickle);
+  std::string verified_cert(reinterpret_cast<const char*>(pickle.data()),
+                            pickle.size());
+  proto_result->set_verified_cert(verified_cert);
+  proto_result->set_cert_status(result.cert_status);
+  proto_result->set_has_md2(result.has_md2);
+  proto_result->set_has_md4(result.has_md4);
+  proto_result->set_has_md5(result.has_md5);
+  proto_result->set_has_sha1(result.has_sha1);
+  proto_result->set_has_sha1_leaf(result.has_sha1_leaf);
+  for (const HashValue& value : result.public_key_hashes)
+    proto_result->add_public_key_hashes(value.ToString());
+  proto_result->set_is_issued_by_known_root(result.is_issued_by_known_root);
+  proto_result->set_is_issued_by_additional_trust_anchor(
+      result.is_issued_by_additional_trust_anchor);
+  proto_result->set_common_name_fallback_used(result.common_name_fallback_used);
+}
+
+void CertVerifierCachePersister::SerializeValidityPeriod(
+    MultiThreadedCertVerifier::CertVerifierCacheIterator& cache_iterator,
+    CertVerificationCacheValidityPeriod* proto_cache_validity_period) {
+  proto_cache_validity_period->set_verification_time(
+      cache_iterator.verification_time().ToInternalValue());
+  proto_cache_validity_period->set_expiration_time(
+      cache_iterator.expiration_time().ToInternalValue());
+}
+
+bool CertVerifierCachePersister::DeserializeRequestParams(
+    const CertVerificationRequestParams& proto_request_params,
+    MultiThreadedCertVerifier::RequestParams* request_params) {
+  int hash_values_size = proto_request_params.hash_values_size();
+  if (!proto_request_params.has_hostname() ||
+      proto_request_params.hostname().empty() ||
+      !proto_request_params.has_flags() || hash_values_size <= 0 ||
+      !proto_request_params.has_start_time()) {
+    DVLOG(1) << "Invalid CertVerificationRequestParams";
+    return false;
+  }
+
+  request_params->hostname.assign(proto_request_params.hostname());
+  request_params->flags = proto_request_params.flags();
+  request_params->hash_values.resize(hash_values_size);
+  for (int index = 0; index < hash_values_size; ++index) {
+    const CertVerificationSHA1HashValue& hash_values =
+        proto_request_params.hash_values(index);
+    if (!hash_values.has_data()) {
+      DVLOG(1) << "Invalid CertVerificationSHA1HashValue for "
+               << request_params->hostname;
+      return false;
+    }
+    const std::string& data = hash_values.data();
+    memcpy(request_params->hash_values[index].data, data.data(), data.length());
+  }
+  return true;
+}
+
+bool CertVerifierCachePersister::DeserializeValidityPeriod(
+    const CertVerificationCacheValidityPeriod& proto_cache_validity_period,
+    const std::string& hostname,
+    MultiThreadedCertVerifier::CacheValidityPeriod* expiration) {
+  if (!proto_cache_validity_period.has_verification_time() ||
+      !proto_cache_validity_period.has_expiration_time()) {
+    DVLOG(1) << "Invalid CertVerificationCacheValidityPeriod" << hostname;
+    return false;
+  }
+  expiration->verification_time = base::Time::FromInternalValue(
+      proto_cache_validity_period.verification_time());
+  expiration->expiration_time = base::Time::FromInternalValue(
+      proto_cache_validity_period.expiration_time());
+  if (expiration->verification_time > expiration->expiration_time ||
+      expiration->expiration_time < base::Time::Now() ||
+      expiration->verification_time > base::Time::Now()) {
+    DVLOG(1) << "CertVerificationCacheValidityPeriod expired for " << hostname;
+    return false;
+  }
+  return true;
+}
+
+bool CertVerifierCachePersister::DeserializeCachedResult(
+    const CertVerificationCachedResult& proto_cached_result,
+    const std::string& hostname,
+    MultiThreadedCertVerifier::CachedResult* cached_result) {
+  if (!proto_cached_result.has_error() || !proto_cached_result.has_result()) {
+    DVLOG(1) << "Invalid CertVerificationCacheEntry";
+    return false;
+  }
+  const CertVerificationResult& proto_result = proto_cached_result.result();
+  if (!proto_result.has_verified_cert() || !proto_result.has_cert_status()) {
+    DVLOG(1) << "Invalid CertVerificationResult for " << hostname;
+    return false;
+  }
+
+  cached_result->error = proto_cached_result.error();
+  const std::string& verified_cert = proto_result.verified_cert();
+  base::Pickle pickle(verified_cert.data(), verified_cert.length());
+  base::PickleIterator iter1(pickle);
+  cached_result->result.verified_cert = X509Certificate::CreateFromPickle(
+      &iter1, X509Certificate::PICKLETYPE_CERTIFICATE_CHAIN_V3);
+  if (cached_result->result.verified_cert.get() == nullptr) {
+    DVLOG(1) << "CertVerificationResult has invalid certificate chain for "
+             << hostname;
+    return false;
+  }
+  for (int i = 0; i < proto_result.public_key_hashes_size(); ++i) {
+    const ::std::string& public_key_hash = proto_result.public_key_hashes(i);
+    HashValue hash;
+    if (!hash.FromString(public_key_hash)) {
+      DVLOG(1) << "CertVerificationResult has invalid public_key_hashes for "
+               << hostname;
+      return false;
+    }
+    cached_result->result.public_key_hashes.push_back(hash);
+  }
+  cached_result->result.cert_status = proto_result.cert_status();
+  cached_result->result.has_md2 = proto_result.has_md2();
+  cached_result->result.has_md4 = proto_result.has_md4();
+  cached_result->result.has_md5 = proto_result.has_md5();
+  cached_result->result.has_sha1 = proto_result.has_sha1();
+  cached_result->result.has_sha1_leaf = proto_result.has_sha1_leaf();
+  cached_result->result.is_issued_by_known_root =
+      proto_result.is_issued_by_known_root();
+  cached_result->result.is_issued_by_additional_trust_anchor =
+      proto_result.is_issued_by_additional_trust_anchor();
+  cached_result->result.common_name_fallback_used =
+      proto_result.common_name_fallback_used();
+  return true;
+}
+
+}  // namespace net