Introduce CertVerifier::RequestParams

net/cert/multi_threaded_cert_verifier.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/multi_threaded_cert_verifier.h"
 
 #include <algorithm>
 #include <memory>
 #include <utility>
 
@@ skipping 238 matching lines @@
   // PR_Cleanup.  Unless we detach them from NSPR, net_unittests gets
   // segfaults on shutdown when the threads' thread-specific data
   // destructors run.
   PR_DetachThread();
 #endif
 }
 
 // CertVerifierJob lives only on the verifier's origin message loop.
 class CertVerifierJob {
  public:
-  CertVerifierJob(const MultiThreadedCertVerifier::RequestParams& key,
+  CertVerifierJob(const CertVerifier::RequestParams& key,
                   NetLog* net_log,
                   X509Certificate* cert,
                   MultiThreadedCertVerifier* cert_verifier)
       : key_(key),
         start_time_(base::TimeTicks::Now()),
+        wall_start_time_(base::Time::Now()),
         net_log_(BoundNetLog::Make(net_log, NetLog::SOURCE_CERT_VERIFIER_JOB)),
         cert_verifier_(cert_verifier),
         is_first_job_(false),
         weak_ptr_factory_(this) {
     net_log_.BeginEvent(
         NetLog::TYPE_CERT_VERIFIER_JOB,
         base::Bind(&NetLogX509CertificateCallback, base::Unretained(cert)));
   }
 
   // Indicates whether this was the first job started by the CertVerifier. This
   // is only used for logging certain UMA stats.
   void set_is_first_job(bool is_first_job) { is_first_job_ = is_first_job; }
 
-  const MultiThreadedCertVerifier::RequestParams& key() const { return key_; }
+  const CertVerifier::RequestParams& key() const { return key_; }
 
   // Posts a task to the worker pool to do the verification. Once the
   // verification has completed on the worker thread, it will call
   // OnJobCompleted() on the origin thread.
   bool Start(const scoped_refptr<CertVerifyProc>& verify_proc,
              const scoped_refptr<X509Certificate>& cert,
              const std::string& hostname,
              const std::string& ocsp_response,
              int flags,
              const scoped_refptr<CRLSet>& crl_set,
@@ skipping 72 matching lines @@
     }
   }
 
   void OnJobCompleted(
       std::unique_ptr<MultiThreadedCertVerifier::CachedResult> verify_result) {
     TRACE_EVENT0("net", "CertVerifierJob::OnJobCompleted");
     std::unique_ptr<CertVerifierJob> keep_alive =
         cert_verifier_->RemoveJob(this);
 
     LogMetrics(*verify_result);
-    cert_verifier_->SaveResultToCache(key_, *verify_result);
+    cert_verifier_->SaveResultToCache(key_, wall_start_time_, *verify_result);
     cert_verifier_ = nullptr;
 
     // TODO(eroman): If the cert_verifier_ is deleted from within one of the
     // callbacks, any remaining requests for that job should be cancelled. Right
     // now they will be called.
     while (!requests_.empty()) {
       base::LinkNode<CertVerifierRequest>* request = requests_.head();
       request->RemoveFromList();
       request->value()->Post(*verify_result);
     }
   }
 
-  const MultiThreadedCertVerifier::RequestParams key_;
+  const CertVerifier::RequestParams key_;
+  // The tick count of when the job started. This is used to measure how long
+  // the job actually took to complete.
   const base::TimeTicks start_time_;
 
+  // The wall time of when the job started. This is to account for situations
+  // where the system clock may have changed after the Job had started, which
+  // could otherwise result in caching the wrong data.
+  const base::Time wall_start_time_;
+
   RequestList requests_;  // Non-owned.
 
   const BoundNetLog net_log_;
   MultiThreadedCertVerifier* cert_verifier_;  // Non-owned.
 
   bool is_first_job_;
   base::WeakPtrFactory<CertVerifierJob> weak_ptr_factory_;
 };
 
 MultiThreadedCertVerifier::MultiThreadedCertVerifier(
@@ skipping 34 matching lines @@
   if (callback.is_null() || !verify_result || hostname.empty())
     return ERR_INVALID_ARGUMENT;
 
   requests_++;
 
   const CertificateList empty_cert_list;
   const CertificateList& additional_trust_anchors =
       trust_anchor_provider_ ?
           trust_anchor_provider_->GetAdditionalTrustAnchors() : empty_cert_list;
 
-  const RequestParams key(cert->fingerprint(), cert->ca_fingerprint(), hostname,
-                          ocsp_response, flags, additional_trust_anchors);
+  const CertVerifier::RequestParams key(cert, hostname, flags, ocsp_response,
+                                        additional_trust_anchors);
   const CertVerifierCache::value_type* cached_entry =
       cache_.Get(key, CacheValidityPeriod(base::Time::Now()));
   if (cached_entry) {
     ++cache_hits_;
     *verify_result = cached_entry->result;
     return cached_entry->error;
   }
 
   // No cache hit. See if an identical request is currently in flight.
   CertVerifierJob* job = FindJob(key);
@@ skipping 23 matching lines @@
   std::unique_ptr<CertVerifierRequest> request =
       job->CreateRequest(callback, verify_result, net_log);
   *out_req = std::move(request);
   return ERR_IO_PENDING;
 }
 
 bool MultiThreadedCertVerifier::SupportsOCSPStapling() {
   return verify_proc_->SupportsOCSPStapling();
 }
 
-MultiThreadedCertVerifier::RequestParams::RequestParams(
-    const SHA1HashValue& cert_fingerprint_arg,
-    const SHA1HashValue& ca_fingerprint_arg,
-    const std::string& hostname_arg,
-    const std::string& ocsp_response_arg,
-    int flags_arg,
-    const CertificateList& additional_trust_anchors)
-    : hostname(hostname_arg), flags(flags_arg), start_time(base::Time::Now()) {
-  hash_values.reserve(3 + additional_trust_anchors.size());
-  SHA1HashValue ocsp_hash;
-  base::SHA1HashBytes(
-      reinterpret_cast<const unsigned char*>(ocsp_response_arg.data()),
-      ocsp_response_arg.size(), ocsp_hash.data);
-  hash_values.push_back(ocsp_hash);
-  hash_values.push_back(cert_fingerprint_arg);
-  hash_values.push_back(ca_fingerprint_arg);
-  for (size_t i = 0; i < additional_trust_anchors.size(); ++i)
-    hash_values.push_back(additional_trust_anchors[i]->fingerprint());
-}
-
-MultiThreadedCertVerifier::RequestParams::RequestParams(
-    const RequestParams& other) = default;
-
-MultiThreadedCertVerifier::RequestParams::~RequestParams() {}
-
-bool MultiThreadedCertVerifier::RequestParams::operator<(
-    const RequestParams& other) const {
-  // |flags| is compared before |cert_fingerprint|, |ca_fingerprint|,
-  // |hostname|, and |ocsp_response|, under assumption that integer comparisons
-  // are faster than memory and string comparisons.
-  if (flags != other.flags)
-    return flags < other.flags;
-  if (hostname != other.hostname)
-    return hostname < other.hostname;
-  return std::lexicographical_compare(
-      hash_values.begin(), hash_values.end(), other.hash_values.begin(),
-      other.hash_values.end(), SHA1HashValueLessThan());
-}
-
 bool MultiThreadedCertVerifier::JobComparator::operator()(
     const CertVerifierJob* job1,
     const CertVerifierJob* job2) const {
   return job1->key() < job2->key();
 }
 
-void MultiThreadedCertVerifier::SaveResultToCache(const RequestParams& key,
-                                                  const CachedResult& result) {
+void MultiThreadedCertVerifier::SaveResultToCache(
+    const CertVerifier::RequestParams& key,
+    const base::Time& start_time,
+    const CachedResult& result) {
   DCHECK(CalledOnValidThread());
 
   // When caching, this uses the time that validation started as the
   // beginning of the validity, rather than the time that it ended (aka
   // base::Time::Now()), to account for the fact that during validation,
   // the clock may have changed.
   //
   // If the clock has changed significantly, then this result will ideally
   // be evicted and the next time the certificate is encountered, it will
   // be revalidated.
   //
   // Because of this, it's possible for situations to arise where the
   // clock was correct at the start of validation, changed to an
   // incorrect time during validation (such as too far in the past or
   // future), and then was reset to the correct time. If this happens,
   // it's likely that the result will not be a valid/correct result,
   // but will still be used from the cache because the clock was reset
   // to the correct time after the (bad) validation result completed.
   //
   // However, this solution optimizes for the case where the clock is
   // bad at the start of validation, and subsequently is corrected. In
   // that situation, the result is also incorrect, but because the clock
   // was corrected after validation, if the cache validity period was
   // computed at the end of validation, it would continue to serve an
   // invalid result for kTTLSecs.
-  const base::Time start_time = key.start_time;
   cache_.Put(
       key, result, CacheValidityPeriod(start_time),
       CacheValidityPeriod(start_time,
                           start_time + base::TimeDelta::FromSeconds(kTTLSecs)));
 }
 
 std::unique_ptr<CertVerifierJob> MultiThreadedCertVerifier::RemoveJob(
     CertVerifierJob* job) {
   DCHECK(CalledOnValidThread());
   bool erased_job = inflight_.erase(job) == 1;
   DCHECK(erased_job);
   return base::WrapUnique(job);
 }
 
 void MultiThreadedCertVerifier::OnCACertChanged(
     const X509Certificate* cert) {
   DCHECK(CalledOnValidThread());
 
   ClearCache();
 }
 
 struct MultiThreadedCertVerifier::JobToRequestParamsComparator {
   bool operator()(const CertVerifierJob* job,
-                  const MultiThreadedCertVerifier::RequestParams& value) const {
+                  const CertVerifier::RequestParams& value) const {
     return job->key() < value;
   }
 };
 
-CertVerifierJob* MultiThreadedCertVerifier::FindJob(const RequestParams& key) {
+CertVerifierJob* MultiThreadedCertVerifier::FindJob(
+    const CertVerifier::RequestParams& key) {
   DCHECK(CalledOnValidThread());
 
   // The JobSet is kept in sorted order so items can be found using binary
   // search.
   auto it = std::lower_bound(inflight_.begin(), inflight_.end(), key,
                              JobToRequestParamsComparator());
   if (it != inflight_.end() && !(key < (*it)->key()))
     return *it;
   return nullptr;
 }
 
 }  // namespace net