
Unified Diff: net/cert/proto/cert_verification.proto

Issue 1892033002: Cert - protobufs to serialize and deserialize CertVerifierCache. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 4 years, 8 months ago
Index: net/cert/proto/cert_verification.proto
diff --git a/net/cert/proto/cert_verification.proto b/net/cert/proto/cert_verification.proto
new file mode 100644
index 0000000000000000000000000000000000000000..ab56d00b9c654e22cb853ea0ad58b7c4fd3a9705
--- /dev/null
+++ b/net/cert/proto/cert_verification.proto
@@ -0,0 +1,85 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+syntax = "proto2";
+
+option optimize_for = LITE_RUNTIME;
+
+package net;
+
+message CertVerificationSHA1HashValue {
Ryan Sleevi 2016/04/16 00:36:15 SHA256
ramant (doing other things) 2016/04/21 16:41:54 Done.
+ optional bytes data = 1;
+};
+
+message CertVerificationRequestParams {
+ required string hostname = 1;
+ required int32 flags = 2;
+ repeated CertVerificationSHA1HashValue hash_values = 3;
Ryan Sleevi 2016/04/16 00:36:15 Note: You don't have to store the full SHA-1/SHA-2
ramant (doing other things) 2016/04/21 16:41:54 Made this changes for certificates. RequestParams
+ // The time when verification started.
+ required int64 start_time = 4;
+};
+
+message CertVerificationResult {
+ // The certificate and chain that was constructed during verification.
+ // Note that the though the verified certificate will match the originally
+ // supplied certificate, the intermediate certificates stored within may
+ // be substantially different. In the event of a verification failure, this
Ryan Sleevi 2016/04/16 00:36:15 I'm not sure what you're trying to say about thing
ramant (doing other things) 2016/04/21 16:41:54 Done.
+ // will contain the chain as supplied by the server. This may be NULL if
+ // running within the sandbox.
+ required string verified_cert = 1;
+
+ // Bitmask of CERT_STATUS_* from net/cert/cert_status_flags.h. Note that
+ // these status flags apply to the certificate chain returned in
+ // |verified_cert|, rather than the originally supplied certificate
+ // chain.
+ required uint32 cert_status = 2;
+
+ // Properties of the certificate chain.
+ required bool has_md2 = 3;
+ required bool has_md4 = 4;
+ required bool has_md5 = 5;
+ required bool has_sha1 = 6;
+ required bool has_sha1_leaf = 7;
+
+ // If the certificate was successfully verified then this contains the
+ // hashes, in several hash algorithms, of the SubjectPublicKeyInfos of the
+ // chain.
+ repeated string public_key_hashes = 8;
+ // is_issued_by_known_root is true if we recognise the root CA as a standard
+ // root. If it isn't then it's probably the case that this certificate was
+ // generated by a MITM proxy whose root has been installed locally. This is
+ // meaningless if the certificate was not trusted.
+ required bool is_issued_by_known_root = 9;
+
+ // is_issued_by_additional_trust_anchor is true if the root CA used for this
+ // verification came from the list of additional trust anchors.
+ required bool is_issued_by_additional_trust_anchor = 10;
+
+ // True if a fallback to the common name was used when matching the host
+ // name, rather than using the subjectAltName.
+ required bool common_name_fallback_used = 11;
+};
+
+message CertVerificationCacheValidityPeriod {
+ required int64 verification_time = 1;
+ required int64 expiration_time = 2;
+};
+
+message CertVerificationCachedResult {
+ // The return value of CertVerifier::Verify.
+ required int64 error = 1;
+ // The output of CertVerifier::Verify.
+ required CertVerificationResult result = 2;
+}
+
+message CertVerificationCacheEntry {
+ required CertVerificationRequestParams request_params = 1;
+ required CertVerificationCachedResult cached_result = 2;
+ required CertVerificationCacheValidityPeriod cache_validity_period = 3;
+};
+
+// CertVerification is serialized and persisted to disk.
+message CertVerificationCache {
+ repeated CertVerificationCacheEntry cache_entry = 1;
+};
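Review bot: Nearly every field in this file is `required`, and the comment above CertVerificationCache says the message is persisted to disk, so with the standard non-partial parse calls a single entry missing one of those fields (a truncated write, or a later version that drops a field) fails the parse of the whole cache rather than just that entry. Declaring them `optional`, e.g. `optional string hostname = 1;`, and having the deserializer check presence and skip an incomplete entry would keep the on-disk format evolvable. `verified_cert` and `public_key_hashes` are typed `string`; if they carry DER or raw digest bytes rather than text, `bytes` is the appropriate type, as in `optional bytes verified_cert = 1;`. The three int64 time fields (`start_time`, `verification_time`, `expiration_time`) state no unit or epoch, and a comment on each would let the loader reject an entry whose `verification_time` exceeds its `expiration_time` before a cached result read back from disk is trusted.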
