Index: net/cert/cert_verifier_cache_persister.cc |
diff --git a/net/cert/cert_verifier_cache_persister.cc b/net/cert/cert_verifier_cache_persister.cc |
new file mode 100644 |
index 0000000000000000000000000000000000000000..1a53eb2b4303b037571c118587bd4e84dc8e33a9 |
--- /dev/null |
+++ b/net/cert/cert_verifier_cache_persister.cc |
@@ -0,0 +1,306 @@ |
+// Copyright (c) 2016 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#include "net/cert/cert_verifier_cache_persister.h" |
+ |
+#include "base/logging.h" |
+#include "base/metrics/histogram_macros.h" |
+#include "base/pickle.h" |
+#include "base/strings/string_piece.h" |
+#include "base/time/time.h" |
+#include "net/base/hash_value.h" |
+#include "net/cert/cert_type.h" |
+#include "net/cert/cert_verify_result.h" |
+#include "net/cert/multi_threaded_cert_verifier.h" |
+#include "net/cert/proto/cert_verification.pb.h" |
+#include "net/cert/x509_cert_types.h" |
+#include "net/cert/x509_certificate.h" |
+ |
+namespace net { |
+ |
+namespace { |
+ |
+// Update |proto_request_param| with RequestParams data from |cache_iterator|. |
+void SerializeRequestParams( |
+ MultiThreadedCertVerifier::Iterator& cache_iterator, |
+ CertVerificationRequestParams* proto_request_param) { |
+ proto_request_param->set_hostname(cache_iterator.hostname()); |
+ proto_request_param->set_flags(cache_iterator.flags()); |
+ proto_request_param->set_start_time( |
+ cache_iterator.start_time().ToInternalValue()); |
+ for (const SHA1HashValue& value : cache_iterator.hash_values()) { |
+ CertVerificationSHA1HashValue* hash_value = |
+ proto_request_param->add_hash_values(); |
+ hash_value->set_data(value.data, |
+ sizeof(value.data) / sizeof(value.data[0])); |
+ } |
+} |
+ |
+// Update |proto_result| with certificate number and updates |serialized_certs| |
+// with DER-encoded representation of certificate if the certicate is not in |
+// |serialized_certs|. Returns true if data is serialized correctly. |
+bool SerializeCert(const X509Certificate::OSCertHandle& cert_handle, |
+ CertVerifierCachePersister::CertVector* serialized_certs, |
+ CertVerificationResult* proto_result) { |
+ std::string encoded; |
+ if (!X509Certificate::GetDEREncoded(cert_handle, &encoded)) |
+ return false; |
+ const auto& it = |
+ std::find(serialized_certs->begin(), serialized_certs->end(), encoded); |
+ size_t cert_number = 0; |
+ if (it != serialized_certs->end()) { |
+ cert_number = |
+ static_cast<size_t>(std::distance(serialized_certs->begin(), it)); |
+ } else { |
+ serialized_certs->push_back(encoded); |
+ cert_number = serialized_certs->size() - 1; |
+ } |
+ proto_result->add_cert_numbers(cert_number); |
+ return true; |
+} |
+ |
+// Update |proto_cached_result| with CachedResult data from |cache_iterator|. |
+// |serialized_certs| contains a list of unique DER-encoded representation of |
+// certificates. |
+bool SerializeCachedResult( |
+ MultiThreadedCertVerifier::Iterator& cache_iterator, |
+ CertVerifierCachePersister::CertVector* serialized_certs, |
+ CertVerificationCachedResult* proto_cached_result) { |
+ proto_cached_result->set_error(cache_iterator.error()); |
+ |
+ // Serialize CertVerifyResult. |
+ CertVerificationResult* proto_result = proto_cached_result->mutable_result(); |
+ const CertVerifyResult& result = cache_iterator.result(); |
+ |
+ if (!SerializeCert(result.verified_cert->os_cert_handle(), serialized_certs, |
+ proto_result)) |
+ return false; |
+ const X509Certificate::X509Certificate::OSCertHandles& intermediate_ca_certs = |
+ result.verified_cert->GetIntermediateCertificates(); |
+ for (size_t i = 0; i < intermediate_ca_certs.size(); ++i) { |
+ if (!SerializeCert(intermediate_ca_certs[i], serialized_certs, |
+ proto_result)) |
+ return false; |
+ } |
+ proto_result->set_cert_status(result.cert_status); |
+ proto_result->set_has_md2(result.has_md2); |
+ proto_result->set_has_md4(result.has_md4); |
+ proto_result->set_has_md5(result.has_md5); |
+ proto_result->set_has_sha1(result.has_sha1); |
+ proto_result->set_has_sha1_leaf(result.has_sha1_leaf); |
+ for (const HashValue& value : result.public_key_hashes) |
+ proto_result->add_public_key_hashes(value.ToString()); |
+ proto_result->set_is_issued_by_known_root(result.is_issued_by_known_root); |
+ proto_result->set_is_issued_by_additional_trust_anchor( |
+ result.is_issued_by_additional_trust_anchor); |
+ proto_result->set_common_name_fallback_used(result.common_name_fallback_used); |
+ return true; |
+} |
+ |
+// Update |proto_cache_validity_period| with ValidityPeriod data from |
+// |cache_iterator|. |
+void SerializeValidityPeriod( |
+ MultiThreadedCertVerifier::Iterator& cache_iterator, |
+ CertVerificationCacheValidityPeriod* proto_cache_validity_period) { |
+ proto_cache_validity_period->set_verification_time( |
+ cache_iterator.verification_time().ToInternalValue()); |
+ proto_cache_validity_period->set_expiration_time( |
+ cache_iterator.expiration_time().ToInternalValue()); |
+} |
+ |
+// Update |error| and |result| with deserialized CachedResult data from |
+// |proto_cached_result|. Returns true if it is deserialized correctly. |
+bool DeserializeCachedResult( |
+ const CertVerificationCachedResult& proto_cached_result, |
+ const CertVerifierCachePersister::CertVector& deserialized_der_certs, |
+ const std::string& hostname, |
+ int* error, |
+ CertVerifyResult* result) { |
+ if (!proto_cached_result.has_error() || !proto_cached_result.has_result()) { |
+ DVLOG(1) << "Invalid CertVerificationCacheEntry"; |
+ return false; |
+ } |
+ const CertVerificationResult& proto_result = proto_cached_result.result(); |
+ if (proto_result.cert_numbers_size() == 0 || |
+ !proto_result.has_cert_status()) { |
+ DVLOG(1) << "Invalid CertVerificationResult for " << hostname; |
+ return false; |
+ } |
+ |
+ *error = proto_cached_result.error(); |
+ |
+ std::vector<base::StringPiece> der_cert_pieces( |
+ proto_result.cert_numbers_size()); |
+ for (int i = 0; i < proto_result.cert_numbers_size(); i++) { |
+ size_t cert_number = proto_result.cert_numbers(i); |
+ CHECK_LT(cert_number, deserialized_der_certs.size()); |
+ der_cert_pieces[i] = base::StringPiece(deserialized_der_certs[cert_number]); |
+ } |
+ result->verified_cert = |
+ X509Certificate::CreateFromDERCertChain(der_cert_pieces); |
+ |
+ for (int i = 0; i < proto_result.public_key_hashes_size(); ++i) { |
+ const ::std::string& public_key_hash = proto_result.public_key_hashes(i); |
+ HashValue hash; |
+ if (!hash.FromString(public_key_hash)) { |
+ DVLOG(1) << "CertVerificationResult has invalid public_key_hashes for " |
+ << hostname; |
+ return false; |
+ } |
+ result->public_key_hashes.push_back(hash); |
+ } |
+ result->cert_status = proto_result.cert_status(); |
+ result->has_md2 = proto_result.has_md2(); |
+ result->has_md4 = proto_result.has_md4(); |
+ result->has_md5 = proto_result.has_md5(); |
+ result->has_sha1 = proto_result.has_sha1(); |
+ result->has_sha1_leaf = proto_result.has_sha1_leaf(); |
+ result->is_issued_by_known_root = proto_result.is_issued_by_known_root(); |
+ result->is_issued_by_additional_trust_anchor = |
+ proto_result.is_issued_by_additional_trust_anchor(); |
+ result->common_name_fallback_used = proto_result.common_name_fallback_used(); |
+ return true; |
+} |
+ |
+} // namespace |
+ |
+CertVerifierCachePersister::CertVerifierCachePersister( |
+ MultiThreadedCertVerifier* verifier) |
+ : verifier_(verifier) {} |
+ |
+CertVerifierCachePersister::~CertVerifierCachePersister() {} |
+ |
+void CertVerifierCachePersister::SerializeCache(std::string* data) { |
+ base::TimeTicks start_time(base::TimeTicks::Now()); |
+ CertVerificationCache proto_cert_cache; |
+ CertVector serialized_certs; |
+ |
+ MultiThreadedCertVerifier::Iterator cache_iterator(*verifier_); |
+ for (; cache_iterator.HasNext(); cache_iterator.Advance()) { |
+ CertVerificationCacheEntry* proto_cache_entry = |
+ proto_cert_cache.add_cache_entry(); |
+ |
+ CertVerificationRequestParams* proto_request_param = |
+ proto_cache_entry->mutable_request_params(); |
+ SerializeRequestParams(cache_iterator, proto_request_param); |
+ |
+ CertVerificationCachedResult* proto_cached_result = |
+ proto_cache_entry->mutable_cached_result(); |
+ if (!SerializeCachedResult(cache_iterator, &serialized_certs, |
+ proto_cached_result)) |
+ continue; |
+ |
+ CertVerificationCacheValidityPeriod* proto_cache_validity_period = |
+ proto_cache_entry->mutable_cache_validity_period(); |
+ SerializeValidityPeriod(cache_iterator, proto_cache_validity_period); |
+ } |
+ for (const std::string& cert : serialized_certs) |
+ proto_cert_cache.add_certs(cert); |
+ |
+ proto_cert_cache.SerializeToString(data); |
+ UMA_HISTOGRAM_TIMES("Net.CertVerifierCachePersister.SerializeTime", |
+ base::TimeTicks::Now() - start_time); |
+} |
+ |
+bool CertVerifierCachePersister::LoadCache(const std::string& data) { |
+ base::TimeTicks load_cache_start_time = base::TimeTicks::Now(); |
+ CertVector deserialized_der_certs; |
+ CertVerificationCache proto; |
+ |
+ if (!proto.ParseFromString(data)) { |
+ DVLOG(1) << "CertVerifierCachePersister ParseFromString failure."; |
+ return false; |
+ } |
+ |
+ if (proto.certs_size() == 0u) { |
+ DVLOG(1) << "CertVerifierCachePersister has no certificates."; |
+ return false; |
+ } |
+ if (proto.cache_entry_size() == 0u) { |
+ DVLOG(1) << "CertVerifierCachePersister has no cache entries."; |
+ return false; |
+ } |
+ |
+ for (int i = 0; i < proto.certs_size(); ++i) |
+ deserialized_der_certs.push_back(proto.certs(i)); |
+ |
+ bool detected_corrupted_data = false; |
+ for (int i = 0; i < proto.cache_entry_size(); ++i) { |
+ const CertVerificationCacheEntry& cache_entry = proto.cache_entry(i); |
+ if (!cache_entry.has_request_params() || |
+ !cache_entry.has_cache_validity_period() || |
+ !cache_entry.has_cached_result()) { |
+ DVLOG(1) << "Invalid CertVerificationCacheEntry"; |
Ryan Sleevi
2016/05/13 20:18:12
All of these DVLOGS seem unnecessarily verbose and
ramant (doing other things)
2016/05/27 19:57:13
Deleted the DVLOGs. They are all ignorable errors.
|
+ detected_corrupted_data = true; |
+ continue; |
+ } |
+ |
+ const CertVerificationRequestParams& proto_request_params = |
+ cache_entry.request_params(); |
+ int hash_values_size = proto_request_params.hash_values_size(); |
+ if (!proto_request_params.has_hostname() || |
+ proto_request_params.hostname().empty() || |
+ !proto_request_params.has_flags() || hash_values_size <= 0 || |
+ !proto_request_params.has_start_time()) { |
+ DVLOG(1) << "Invalid CertVerificationRequestParams"; |
+ detected_corrupted_data = true; |
+ continue; |
+ } |
+ |
+ std::string hostname(proto_request_params.hostname()); |
+ int flags = proto_request_params.flags(); |
+ std::vector<SHA1HashValue> hash_values(hash_values_size); |
+ for (int index = 0; index < hash_values_size; ++index) { |
+ const CertVerificationSHA1HashValue& proto_hash_values = |
+ proto_request_params.hash_values(index); |
+ if (!proto_hash_values.has_data()) { |
+ DVLOG(1) << "Invalid CertVerificationSHA1HashValue for " << hostname |
+ << flags; |
+ detected_corrupted_data = true; |
+ continue; |
+ } |
+ const std::string& data = proto_hash_values.data(); |
+ memcpy(hash_values[index].data, data.data(), data.length()); |
+ } |
+ base::Time start_time = |
+ base::Time::FromInternalValue(proto_request_params.start_time()); |
+ |
+ const CertVerificationCacheValidityPeriod& proto_cache_validity_period = |
+ cache_entry.cache_validity_period(); |
+ if (!proto_cache_validity_period.has_verification_time() || |
+ !proto_cache_validity_period.has_expiration_time()) { |
+ DVLOG(1) << "Invalid CertVerificationCacheValidityPeriod" << hostname; |
+ detected_corrupted_data = true; |
+ continue; |
+ } |
+ base::Time verification_time = base::Time::FromInternalValue( |
+ proto_cache_validity_period.verification_time()); |
+ base::Time expiration_time = base::Time::FromInternalValue( |
+ proto_cache_validity_period.expiration_time()); |
+ |
+ const CertVerificationCachedResult& proto_cached_result = |
+ cache_entry.cached_result(); |
+ CertVerifyResult result; |
+ int error; |
+ if (!DeserializeCachedResult(proto_cached_result, deserialized_der_certs, |
+ hostname, &error, &result)) { |
+ DVLOG(1) << "Invalid CertVerificationCachedResult for " << hostname; |
+ detected_corrupted_data = true; |
+ continue; |
+ } |
+ |
+ if (!verifier_->AddCertResult(hostname, flags, hash_values, start_time, |
+ error, result, verification_time, |
+ expiration_time)) { |
+ DVLOG(1) << "Didn't restore cert result entry for " << hostname; |
+ detected_corrupted_data = true; |
+ continue; |
+ } |
+ } |
+ UMA_HISTOGRAM_TIMES("Net.CertVerifierCachePersister.LoadCacheTime", |
+ base::TimeTicks::Now() - load_cache_start_time); |
+ return !detected_corrupted_data; |
+} |
+ |
+} // namespace net |