net/cert/cert_verifier.cc - Issue 1994353002: Update CertVerifier::Verify to use RequestParams instead

Side by Side Diff: net/cert/cert_verifier.cc

Issue 1994353002: Update CertVerifier::Verify to use RequestParams instead (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@request_params

Patch Set: Rebased Created 4 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/cert/cert_verifier.h"	5 #include "net/cert/cert_verifier.h"

6	6

	7 #include <openssl/sha.h>

	8

7 #include <algorithm>	9 #include <algorithm>

8 #include <memory>	10 #include <memory>

9	11

10 #include "base/memory/ptr_util.h"	12 #include "base/memory/ptr_util.h"

11 #include "base/sha1.h"	13 #include "base/strings/string_util.h"

12 #include "build/build_config.h"	14 #include "build/build_config.h"

13 #include "net/cert/cert_verify_proc.h"	15 #include "net/cert/cert_verify_proc.h"

14	16

15 #if defined(OS_NACL)	17 #if defined(OS_NACL)

16 #include "base/logging.h"	18 #include "base/logging.h"

17 #else	19 #else

18 #include "net/cert/multi_threaded_cert_verifier.h"	20 #include "net/cert/multi_threaded_cert_verifier.h"

19 #endif	21 #endif

20	22

21 namespace net {	23 namespace net {

22	24

23 CertVerifier::RequestParams::RequestParams(	25 CertVerifier::RequestParams::RequestParams(

24 X509Certificate* certificate,	26 scoped_refptr<X509Certificate> certificate,

25 const std::string& hostname,	27 const std::string& hostname,

26 int flags,	28 int flags,

27 const std::string& ocsp_response,	29 const std::string& ocsp_response,

28 const CertificateList& additional_trust_anchors)	30 CertificateList additional_trust_anchors)

29 : hostname_(hostname), flags_(flags) {	31 : certificate_(std::move(certificate)),

30 // Rather than store all of the original data, create a fingerprint based	32 hostname_(hostname),

31 // on the hash of the request data.	33 flags_(flags),

32 SHA1HashValue ocsp_hash;	34 ocsp_response_(ocsp_response),

33 base::SHA1HashBytes(	35 additional_trust_anchors_(std::move(additional_trust_anchors)) {

34 reinterpret_cast<const unsigned char*>(ocsp_response.data()),	36 // For efficiency sake, rather than compare all of the fields for each
	eroman 2016/05/20 00:41:18 Have you confirmed this is worth doing with benchm Have you confirmed this is worth doing with benchmarks? Given that all the data is being kept alive now, would read more naturally to compare fields directly. Ryan Sleevi 2016/05/20 02:39:43 It should be obviously beneficial; computing the D Show quoted text On 2016/05/20 00:41:18, eroman wrote: > Have you confirmed this is worth doing with benchmarks? It should be obviously beneficial; computing the DER involves additional copies, and comparing the certs requires memcmp'ing the entire certificate - meaning that, say, comparing two certificate chains of 3certs each would be a 12K vs 12K comparison (with no cache locality) vs the 32-byte comparison here. Show quoted text > > Given that all the data is being kept alive now, would read more naturally to > compare fields directly. We don't have lexicographical comparison for certificates, intentionally. Ryan Sleevi 2016/05/20 06:27:36 On 2016/05/20 02:39:43, Ryan Sleevi wrote: > > Gi On 2016/05/20 02:39:43, Ryan Sleevi wrote: > > Given that all the data is being kept alive now, would read more naturally to Show quoted text > > compare fields directly. > > We don't have lexicographical comparison for certificates, intentionally. Turns out we do (X509Certificate::LessThan), and beyond being in tests, it's being used in the memoizing cert store. I'd like to get rid of it, but in the fingerprint code, I tightened it up. However, it's still expensive (full comparison, not hash comparison), and it seems like comparing on the hashes of the parameters here will still be a net-win for perf. But I'm really, really torn on this still. To gain the simplicity here, that is: if (flags != other.flags) return flags < other.flags; if (hostname != other.hostname) return hostname < other.hostname; if (ocsp_response != other.ocsp_response) return ocsp_response < other.ocsp_response; if (certificate != other.certificate) return X509Certificate::LessThan()(certificate, other.certificate); return std::lexicographical_compare(additional_trust_anchors_.begin(), additional_trust_anchors_.end(), other.additional_trust_anchors_.begin(), other.additional_trust_anchors_.end(), X509Certificate::LessThan()); We'd more than likely need to reintroduce the fingerprint_ and ca_fingerprint_ members to X509Certificate, and rewrite X509Certificate::LessThan to be if (cert.fingerprint_ != other.cert.fingerprint_) return cert.fingerprint_ < other.cert.fingerprint_; if (cert.ca_fingerprint_ != other.cert.ca_fingerprint_) return cert.ca_fingerprint_ < other.cert.ca_fingerprint_; if (cert_der != other.cert_der) return cert_der < other.cert_der; return ca_der < other.ca_der; And that seems.... bleh. But I can be swayed, now that you can see the other CL for context.
35 ocsp_response.size(), ocsp_hash.data);	37 // comparison, compute a hash of their values. This is done directly in

36	38 // this class, rather than as an overloaded hash operator, for efficiency's

37 request_data_.reserve(additional_trust_anchors.size() + 3);	39 // sake.

38 request_data_.push_back(ocsp_hash);	40 SHA256_CTX ctx;

39 request_data_.push_back(certificate->fingerprint());	41 SHA256_Init(&ctx);

40 request_data_.push_back(certificate->ca_fingerprint());	42 std::string cert_der;

41 for (const auto& trust_anchor : additional_trust_anchors)	43 X509Certificate::GetDEREncoded(certificate_->os_cert_handle(), &cert_der);

42 request_data_.push_back(trust_anchor->fingerprint());	44 SHA256_Update(&ctx, cert_der.data(), cert_der.size());

	45 for (const auto& cert_handle : certificate_->GetIntermediateCertificates()) {
	eroman 2016/05/20 00:41:18 Do you expect to separately change the fingerprint Do you expect to separately change the fingerprint and ca_fingerprint() in X509Certificate to use SHA256? Ryan Sleevi 2016/05/20 02:39:43 No, I intend to remove those. Show quoted text On 2016/05/20 00:41:18, eroman wrote: > Do you expect to separately change the fingerprint and ca_fingerprint() in > X509Certificate to use SHA256? No, I intend to remove those.
	46 X509Certificate::GetDEREncoded(cert_handle, &cert_der);

	47 SHA256_Update(&ctx, cert_der.data(), cert_der.size());

	48 }

	49 SHA256_Update(&ctx, hostname_.data(), hostname.size());

	50 SHA256_Update(&ctx, &flags, sizeof(flags));

	51 SHA256_Update(&ctx, ocsp_response.data(), ocsp_response.size());

	52 for (const auto& trust_anchor : additional_trust_anchors_) {

	53 X509Certificate::GetDEREncoded(trust_anchor->os_cert_handle(), &cert_der);

	54 SHA256_Update(&ctx, cert_der.data(), cert_der.size());

	55 }

	56 SHA256_Final(reinterpret_cast<uint8_t*>(

	57 base::WriteInto(&key_, SHA256_DIGEST_LENGTH + 1)),

	58 &ctx);

43 }	59 }

44	60

45 CertVerifier::RequestParams::RequestParams(const RequestParams& other) =	61 CertVerifier::RequestParams::RequestParams(const RequestParams& other) =

46 default;	62 default;

47 CertVerifier::RequestParams::~RequestParams() {}	63 CertVerifier::RequestParams::~RequestParams() {}

48	64

49 bool CertVerifier::RequestParams::operator<(	65 bool CertVerifier::RequestParams::operator<(

50 const CertVerifier::RequestParams& other) const {	66 const CertVerifier::RequestParams& other) const {

51 if (flags_ != other.flags_)	67 return key_ < other.key_;

52 return flags_ < other.flags_;

53 if (hostname_ != other.hostname_)

54 return hostname_ < other.hostname_;

55 return std::lexicographical_compare(

56 request_data_.begin(), request_data_.end(), other.request_data_.begin(),

57 other.request_data_.end(), SHA1HashValueLessThan());

58 }	68 }

59	69

60 bool CertVerifier::SupportsOCSPStapling() {	70 bool CertVerifier::SupportsOCSPStapling() {

61 return false;	71 return false;

62 }	72 }

63	73

64 std::unique_ptr<CertVerifier> CertVerifier::CreateDefault() {	74 std::unique_ptr<CertVerifier> CertVerifier::CreateDefault() {

65 #if defined(OS_NACL)	75 #if defined(OS_NACL)

66 NOTIMPLEMENTED();	76 NOTIMPLEMENTED();

67 return std::unique_ptr<CertVerifier>();	77 return std::unique_ptr<CertVerifier>();

68 #else	78 #else

69 return base::WrapUnique(	79 return base::WrapUnique(

70 new MultiThreadedCertVerifier(CertVerifyProc::CreateDefault()));	80 new MultiThreadedCertVerifier(CertVerifyProc::CreateDefault()));

71 #endif	81 #endif

72 }	82 }

73	83

74 } // namespace net	84 } // namespace net

OLD	NEW

« net/cert/cert_verifier.h ('K') | « net/cert/cert_verifier.h ('k') | net/cert/cert_verifier_unittest.cc » ('j') | net/cert/multi_threaded_cert_verifier.cc » ('J')