Chromium Code Reviews Chromium Code Reviews
Issue 1991653002:
Move caching out of MultiThreadedCertVerifier (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@request_params| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #ifndef NET_CERT_CACHING_CERT_VERIFIER_H_ | |
| 6 #define NET_CERT_CACHING_CERT_VERIFIER_H_ | |
| 7 | |
| 8 #include <memory> | |
| 9 | |
| 10 #include "net/base/expiring_cache.h" | |
| 11 #include "net/base/net_export.h" | |
| 12 #include "net/cert/cert_database.h" | |
| 13 #include "net/cert/cert_verifier.h" | |
| 14 #include "net/cert/cert_verify_result.h" | |
| 15 | |
| 16 namespace net { | |
| 17 | |
| 18 class CertTrustAnchorProvider; | |
| 19 | |
| 20 class NET_EXPORT CachingCertVerifier : public CertVerifier, | |
|
eroman
2016/06/10 01:31:52
Also, please add a comment for this class (even th
| |
| 21 public CertDatabase::Observer { | |
| 22 public: | |
| 23 explicit CachingCertVerifier(std::unique_ptr<CertVerifier> verifier); | |
| 24 | |
| 25 ~CachingCertVerifier() override; | |
| 26 | |
| 27 // Configures a source of additional certificates that should be treated as | |
| 28 // trust anchors during verification, provided that the underlying | |
| 29 // CertVerifyProc supports additional trust beyond the default implementation. | |
| 30 // It must outlive the CachingCertVerifier. | |
| 31 void SetCertTrustAnchorProvider( | |
|
eroman
2016/06/10 00:08:03
This is weird (being part of CachingCertVerifier l
| |
| 32 CertTrustAnchorProvider* trust_anchor_provider); | |
| 33 | |
| 34 // CertVerifier implementation: | |
| 35 int Verify(const RequestParams& params, | |
| 36 CRLSet* crl_set, | |
| 37 CertVerifyResult* verify_result, | |
| 38 const CompletionCallback& callback, | |
| 39 std::unique_ptr<Request>* out_req, | |
| 40 const BoundNetLog& net_log) override; | |
| 41 bool SupportsOCSPStapling() override; | |
| 42 | |
| 43 private: | |
| 44 FRIEND_TEST_ALL_PREFIXES(CachingCertVerifierTest, CacheHit); | |
| 45 FRIEND_TEST_ALL_PREFIXES(CachingCertVerifierTest, DifferentCACerts); | |
| 46 FRIEND_TEST_ALL_PREFIXES(CachingCertVerifierTest, CertTrustAnchorProvider); | |
| 47 | |
| 48 // CachedResult contains the result of a certificate verification. | |
| 49 struct NET_EXPORT_PRIVATE CachedResult { | |
| 50 CachedResult(); | |
| 51 ~CachedResult(); | |
| 52 | |
| 53 int error; // The return value of CertVerifier::Verify. | |
| 54 CertVerifyResult result; // The output of CertVerifier::Verify. | |
| 55 }; | |
| 56 | |
| 57 // Rather than having a single validity point along a monotonically increasing | |
| 58 // timeline, certificate verification is based on falling within a range of | |
| 59 // the certificate's NotBefore and NotAfter and based on what the current | |
| 60 // system clock says (which may advance forwards or backwards as users correct | |
| 61 // clock skew). CacheValidityPeriod and CacheExpirationFunctor are helpers to | |
| 62 // ensure that expiration is measured both by the 'general' case (now + cache | |
| 63 // TTL) and by whether or not significant enough clock skew was introduced | |
| 64 // since the last verification. | |
| 65 struct CacheValidityPeriod { | |
| 66 explicit CacheValidityPeriod(base::Time now); | |
| 67 CacheValidityPeriod(base::Time now, base::Time expiration); | |
| 68 | |
| 69 base::Time verification_time; | |
| 70 base::Time expiration_time; | |
| 71 }; | |
| 72 | |
| 73 struct CacheExpirationFunctor { | |
| 74 // Returns true iff |now| is within the validity period of |expiration|. | |
| 75 bool operator()(const CacheValidityPeriod& now, | |
| 76 const CacheValidityPeriod& expiration) const; | |
| 77 }; | |
| 78 | |
| 79 using CertVerificationCache = ExpiringCache<RequestParams, | |
| 80 CachedResult, | |
| 81 CacheValidityPeriod, | |
| 82 CacheExpirationFunctor>; | |
| 83 | |
| 84 // Handles completion of the request matching |params|, which started at | |
| 85 // |start_time|, completing. |verify_result| and |result| are added to the | |
| 86 // cache, and then |callback| (the original caller's callback) is invoked. | |
| 87 void OnRequestFinished(const RequestParams& params, | |
| 88 base::Time start_time, | |
| 89 const CompletionCallback& callback, | |
| 90 CertVerifyResult* verify_result, | |
| 91 int error); | |
| 92 | |
| 93 // Adds |verify_result| and |error| to the cache for |params|, whose | |
| 94 // verification attempt began at |start_time|. See the implementation | |
| 95 // for more details about the necessity of |start_time|. | |
| 96 void AddResultToCache(const RequestParams& params, | |
| 97 base::Time start_time, | |
| 98 const CertVerifyResult& verify_result, | |
| 99 int error); | |
| 100 | |
| 101 // CertDatabase::Observer methods: | |
| 102 void OnCACertChanged(const X509Certificate* cert) override; | |
| 103 | |
| 104 // For unit testing. | |
| 105 void ClearCache(); | |
| 106 size_t GetCacheSize() const; | |
| 107 uint64_t cache_hits() const { return cache_hits_; } | |
|
eroman
2016/06/10 01:31:52
side comment: if this is just for unit-testing, is
Ryan Sleevi
2016/06/10 07:51:20
Fair point, will do.
Ryan Sleevi
2016/06/10 23:41:51
Actually, after reading https://www.chromium.org/d
| |
| 108 uint64_t requests() const { return requests_; } | |
| 109 | |
| 110 std::unique_ptr<CertVerifier> verifier_; | |
| 111 | |
| 112 CertTrustAnchorProvider* trust_anchor_provider_; | |
| 113 | |
| 114 CertVerificationCache cache_; | |
| 115 | |
| 116 uint64_t requests_; | |
| 117 uint64_t cache_hits_; | |
| 118 | |
| 119 DISALLOW_COPY_AND_ASSIGN(CachingCertVerifier); | |
| 120 }; | |
| 121 | |
| 122 } // namespace net | |
| 123 | |
| 124 #endif // NET_CERT_CACHING_CERT_VERIFIER_H_ | |
| OLD | NEW |
