Add Certificate Transparency logs auditing

components/certificate_transparency/single_tree_tracker.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/certificate_transparency/single_tree_tracker.h"
 
+#include <algorithm>
+#include <iterator>
 #include <utility>
 
+#include "net/base/hash_value.h"
 #include "net/cert/ct_log_verifier.h"
 #include "net/cert/signed_certificate_timestamp.h"
 #include "net/cert/x509_certificate.h"
 
+using net::ct::LogEntry;
+using net::ct::MerkleTreeLeaf;
 using net::ct::SignedTreeHead;
 
 namespace certificate_transparency {
+bool OrderByTimestamp::operator()(const MerkleTreeLeaf& lhs,
+                                  const MerkleTreeLeaf& rhs) {
+  // This comparator should only used for containers where leaves from
+  // different logs are not mixed.
+  DCHECK(lhs.log_id == rhs.log_id);
+
+  if (lhs.timestamp != rhs.timestamp)
+    return lhs.timestamp < rhs.timestamp;
+
+  // Either two leaves with the same timestamp or the same leaf, have to
+  // compare the actual LogEntries to find out.
+  const LogEntry& lhs_entry = lhs.log_entry;
+  const LogEntry& rhs_entry = rhs.log_entry;
+  if (lhs_entry.type != rhs_entry.type)
+    return lhs_entry.type < rhs_entry.type;
+
+  if (lhs_entry.type == net::ct::LogEntry::LOG_ENTRY_TYPE_X509)
+    return lhs_entry.leaf_certificate < rhs_entry.leaf_certificate;
+
+  // lhs_entry.type == LOG_ENTRY_TYPE_PRECERT
+  return lhs_entry.tbs_certificate < rhs_entry.tbs_certificate &&
+         net::SHA256HashValueLessThan().operator()(lhs_entry.issuer_key_hash,
+                                                   rhs_entry.issuer_key_hash);

[Rob Percival, 2016/05/26 17:33:15]

".operator()" is redundant here, isn't it?

[Eran Messeri, 2016/06/30 19:58:28]

Indeed. Done.

+}
 
 SingleTreeTracker::SingleTreeTracker(
     scoped_refptr<const net::CTLogVerifier> ct_log)
     : ct_log_(std::move(ct_log)) {}
 
 SingleTreeTracker::~SingleTreeTracker() {}
 
 void SingleTreeTracker::OnSCTVerified(
     net::X509Certificate* cert,
     const net::ct::SignedCertificateTimestamp* sct) {
   DCHECK_EQ(ct_log_->key_id(), sct->log_id);
 
+  MerkleTreeLeaf leaf;
+  if (!GetMerkleTreeLeaf(cert, sct, &leaf))
+    return;
+
   // SCT was previously observed, so its status should not be changed.
-  if (entries_status_.find(sct->timestamp) != entries_status_.end())
+  if (EntryPendingNewSTH(leaf) || EntryPendingInclusionProof(leaf))
     return;
 
   // If there isn't a valid STH or the STH is not fresh enough to check
   // inclusion against, store the SCT for future checking and return.
   if (verified_sth_.timestamp.is_null() ||
       (verified_sth_.timestamp <
        (sct->timestamp + base::TimeDelta::FromHours(24)))) {
     // TODO(eranm): UMA - how often SCTs have to wait for a newer STH for
     // inclusion check.
-    entries_status_.insert(
-        std::make_pair(sct->timestamp, SCT_PENDING_NEWER_STH));
+    pending_new_sth_.insert(std::move(leaf));
     return;
   }
 
   // TODO(eranm): Check inclusion here.
   // TODO(eranm): UMA - how often inclusion can be checked immediately.
-  entries_status_.insert(
-      std::make_pair(sct->timestamp, SCT_PENDING_INCLUSION_CHECK));
+  pending_inclusion_check_.insert(std::move(leaf));

[Rob Percival, 2016/05/26 17:33:15]

Can you move a MerkleTreeLeaf? You've declared a copy constructor in this CL,
which should suppress generation of a default move constructor.

[Eran Messeri, 2016/06/30 19:58:28]

I'd get a compilation error in that case, wouldn't I?
If I explicitly delete the move c'tor on the type I move I definitely get an
error. I could not find documentation on what happens when an
implicitly-declared move c'tor is deleted.

Either way, I've forced the creation of one.

 }
 
 void SingleTreeTracker::NewSTHObserved(const SignedTreeHead& sth) {
   DCHECK_EQ(ct_log_->key_id(), sth.log_id);
 
   if (!ct_log_->VerifySignedTreeHead(sth)) {
     // Sanity check the STH; the caller should have done this
     // already, but being paranoid here.
     // NOTE(eranm): Right now there's no way to get rid of this check here
     // as this is the first object in the chain that has an instance of
     // a CTLogVerifier to verify the STH.
     return;
   }
 
   // In order to avoid updating |verified_sth_| to an older STH in case
   // an older STH is observed, check that either the observed STH is for
   // a larger tree size or that it is for the same tree size but has
   // a newer timestamp.
   const bool sths_for_same_tree = verified_sth_.tree_size == sth.tree_size;
   const bool received_sth_is_for_larger_tree =
       (verified_sth_.tree_size > sth.tree_size);
   const bool received_sth_is_newer = (sth.timestamp > verified_sth_.timestamp);
 
   if (verified_sth_.timestamp.is_null() || received_sth_is_for_larger_tree ||
       (sths_for_same_tree && received_sth_is_newer)) {
     verified_sth_ = sth;
   }
 
+  if (pending_new_sth_.empty())
+    return;
   // Find out which SCTs can now be checked for inclusion.
-  // TODO(eranm): Keep two maps of MerkleTreeLeaf instances, one for leaves
-  // pending inclusion checks and one for leaves pending a new STH.
-  // The comparison function between MerkleTreeLeaf instances should use the
-  // timestamp to determine sorting order, so that bulk moving from one
-  // map to the other can happen.
-  auto entry = entries_status_.begin();
-  while (entry != entries_status_.end() &&
-         entry->first < verified_sth_.timestamp) {
-    entry->second = SCT_PENDING_INCLUSION_CHECK;
-    ++entry;
-    // TODO(eranm): Check inclusion here.
-  }
+  auto sth_timestamp_compare = [&sth](const MerkleTreeLeaf& leaf) {
+    return leaf.timestamp > sth.timestamp;
+  };
+  auto first_entry_not_included = std::find_if(
+      pending_new_sth_.begin(), pending_new_sth_.end(), sth_timestamp_compare);
+  // Move all entries up to the first entry not covered by this STH to
+  // the set of entries pending inclusion check.
+  std::move(pending_new_sth_.begin(), first_entry_not_included,
+            std::inserter(pending_inclusion_check_,
+                          pending_inclusion_check_.begin()));
+  // Clear moved entries.
+  pending_new_sth_.erase(pending_new_sth_.begin(), first_entry_not_included);
+
+  // TODO(eranm): Check inclusion here of entries that can now be checked.
 }
 
 SingleTreeTracker::SCTInclusionStatus
 SingleTreeTracker::GetLogEntryInclusionStatus(
     net::X509Certificate* cert,
     const net::ct::SignedCertificateTimestamp* sct) {
-  auto it = entries_status_.find(sct->timestamp);
+  MerkleTreeLeaf leaf;
+  if (!GetMerkleTreeLeaf(cert, sct, &leaf))
+    return SCT_NOT_OBSERVED;
 
-  return it == entries_status_.end() ? SCT_NOT_OBSERVED : it->second;
+  if (EntryPendingNewSTH(leaf))
+    return SCT_PENDING_NEWER_STH;
+
+  if (EntryPendingInclusionProof(leaf))
+    return SCT_PENDING_INCLUSION_CHECK;
+

[Rob Percival, 2016/05/26 17:33:15]

TODO here for looking up result of inclusion check.

[Eran Messeri, 2016/06/30 19:58:28]

Done.

+  return SCT_NOT_OBSERVED;
+}
+
+bool SingleTreeTracker::EntryPendingNewSTH(
+    const net::ct::MerkleTreeLeaf& leaf) {
+  return pending_new_sth_.find(leaf) != pending_new_sth_.end();
+}
+
+bool SingleTreeTracker::EntryPendingInclusionProof(
+    const net::ct::MerkleTreeLeaf& leaf) {
+  return pending_inclusion_check_.find(leaf) != pending_inclusion_check_.end();
 }
 
 }  // namespace certificate_transparency