| OLD | NEW |
|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef NET_CERT_CACHING_CERT_VERIFIER_H_ | 5 #ifndef NET_CERT_CACHING_CERT_VERIFIER_H_ |
| 6 #define NET_CERT_CACHING_CERT_VERIFIER_H_ | 6 #define NET_CERT_CACHING_CERT_VERIFIER_H_ |
| 7 | 7 |
| 8 #include <memory> | 8 #include <memory> |
| 9 | 9 |
| 10 #include "net/base/expiring_cache.h" | 10 #include "net/base/expiring_cache.h" |
| (...skipping 18 matching lines...) Expand all Loading... |
| 29 // - The trust settings (a user may change trust settings at any time) | 29 // - The trust settings (a user may change trust settings at any time) |
| 30 // | 30 // |
| 31 // This class tries to optimize by allowing certificate verification results | 31 // This class tries to optimize by allowing certificate verification results |
| 32 // to be cached for a limited amount of time (presently, 30 minutes), which | 32 // to be cached for a limited amount of time (presently, 30 minutes), which |
| 33 // tries to balance the implementation complexity of needing to monitor the | 33 // tries to balance the implementation complexity of needing to monitor the |
| 34 // above for meaningful changes and the practical utility of being able to | 34 // above for meaningful changes and the practical utility of being able to |
| 35 // cache results when they're not expected to change. | 35 // cache results when they're not expected to change. |
| 36 class NET_EXPORT CachingCertVerifier : public CertVerifier, | 36 class NET_EXPORT CachingCertVerifier : public CertVerifier, |
| 37 public CertDatabase::Observer { | 37 public CertDatabase::Observer { |
| 38 public: | 38 public: |
| 39 // Visitor class to allow read-only inspection of the verification cache. |
| 40 class NET_EXPORT CacheVisitor { |
| 41 public: |
| 42 virtual ~CacheVisitor() {} |
| 43 |
| 44 // Called once for each entry in the cache, providing details about the |
| 45 // cached entry. |
| 46 // Returns true to continue iteration, or false to abort. |
| 47 virtual bool VisitEntry(const RequestParams& params, |
| 48 int error, |
| 49 const CertVerifyResult& verify_result, |
| 50 base::Time verification_time, |
| 51 base::Time expiration_time) = 0; |
| 52 }; |
| 53 |
| 39 // Creates a CachingCertVerifier that will use |verifier| to perform the | 54 // Creates a CachingCertVerifier that will use |verifier| to perform the |
| 40 // actual verifications if they're not already cached or if the cached | 55 // actual verifications if they're not already cached or if the cached |
| 41 // item has expired. | 56 // item has expired. |
| 42 explicit CachingCertVerifier(std::unique_ptr<CertVerifier> verifier); | 57 explicit CachingCertVerifier(std::unique_ptr<CertVerifier> verifier); |
| 43 | 58 |
| 44 ~CachingCertVerifier() override; | 59 ~CachingCertVerifier() override; |
| 45 | 60 |
| 46 // Configures a source of additional certificates that should be treated as | 61 // Configures a source of additional certificates that should be treated as |
| 47 // trust anchors during verification, provided that the underlying | 62 // trust anchors during verification, provided that the underlying |
| 48 // CertVerifyProc supports additional trust beyond the default implementation. | 63 // CertVerifyProc supports additional trust beyond the default implementation. |
| 49 // It must outlive the CachingCertVerifier. | 64 // It must outlive the CachingCertVerifier. |
| 50 void SetCertTrustAnchorProvider( | 65 void SetCertTrustAnchorProvider( |
| 51 CertTrustAnchorProvider* trust_anchor_provider); | 66 CertTrustAnchorProvider* trust_anchor_provider); |
| 52 | 67 |
| 53 // CertVerifier implementation: | 68 // CertVerifier implementation: |
| 54 int Verify(const RequestParams& params, | 69 int Verify(const RequestParams& params, |
| 55 CRLSet* crl_set, | 70 CRLSet* crl_set, |
| 56 CertVerifyResult* verify_result, | 71 CertVerifyResult* verify_result, |
| 57 const CompletionCallback& callback, | 72 const CompletionCallback& callback, |
| 58 std::unique_ptr<Request>* out_req, | 73 std::unique_ptr<Request>* out_req, |
| 59 const BoundNetLog& net_log) override; | 74 const BoundNetLog& net_log) override; |
| 60 bool SupportsOCSPStapling() override; | 75 bool SupportsOCSPStapling() override; |
| 61 | 76 |
| 77 // Opportunistically attempts to add |error| and |verify_result| as the |
| 78 // result for |params|, which was obtained at |verification_time| and |
| 79 // expires at |expiration_time|. |
| 80 // This is opportunistic because it is not guaranteed that the entry |
| 81 // will be added (such as if the cache is full or an entry already |
| 82 // exists). |
| 83 // Returns true if the entry was added. |
| 84 bool AddEntry(const RequestParams& params, |
| 85 int error, |
| 86 const CertVerifyResult& verify_result, |
| 87 base::Time verification_time); |
| 88 |
| 89 // Iterates through all of the non-expired entries in the cache, calling |
| 90 // VisitEntry on |visitor| for each, until either all entries are |
| 91 // iterated through or the |visitor| aborts. |
| 92 // Note: During this call, it is not safe to call any non-const methods |
| 93 // on the CachingCertVerifier. |
| 94 void VisitEntries(CacheVisitor* visitor) const; |
| 95 |
| 62 private: | 96 private: |
| 63 FRIEND_TEST_ALL_PREFIXES(CachingCertVerifierTest, CacheHit); | 97 FRIEND_TEST_ALL_PREFIXES(CachingCertVerifierTest, CacheHit); |
| 98 FRIEND_TEST_ALL_PREFIXES(CachingCertVerifierTest, Visitor); |
| 99 FRIEND_TEST_ALL_PREFIXES(CachingCertVerifierTest, AddsEntries); |
| 64 FRIEND_TEST_ALL_PREFIXES(CachingCertVerifierTest, DifferentCACerts); | 100 FRIEND_TEST_ALL_PREFIXES(CachingCertVerifierTest, DifferentCACerts); |
| 65 FRIEND_TEST_ALL_PREFIXES(CachingCertVerifierTest, CertTrustAnchorProvider); | 101 FRIEND_TEST_ALL_PREFIXES(CachingCertVerifierTest, CertTrustAnchorProvider); |
| 66 | 102 |
| 67 // CachedResult contains the result of a certificate verification. | 103 // CachedResult contains the result of a certificate verification. |
| 68 struct NET_EXPORT_PRIVATE CachedResult { | 104 struct NET_EXPORT_PRIVATE CachedResult { |
| 69 CachedResult(); | 105 CachedResult(); |
| 70 ~CachedResult(); | 106 ~CachedResult(); |
| 71 | 107 |
| 72 int error; // The return value of CertVerifier::Verify. | 108 int error; // The return value of CertVerifier::Verify. |
| 73 CertVerifyResult result; // The output of CertVerifier::Verify. | 109 CertVerifyResult result; // The output of CertVerifier::Verify. |
| (...skipping 60 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 134 | 170 |
| 135 uint64_t requests_; | 171 uint64_t requests_; |
| 136 uint64_t cache_hits_; | 172 uint64_t cache_hits_; |
| 137 | 173 |
| 138 DISALLOW_COPY_AND_ASSIGN(CachingCertVerifier); | 174 DISALLOW_COPY_AND_ASSIGN(CachingCertVerifier); |
| 139 }; | 175 }; |
| 140 | 176 |
| 141 } // namespace net | 177 } // namespace net |
| 142 | 178 |
| 143 #endif // NET_CERT_CACHING_CERT_VERIFIER_H_ | 179 #endif // NET_CERT_CACHING_CERT_VERIFIER_H_ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1999733002:
Add support for walking and modifying the CachingCertVerifier (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@move_cache