components/certificate_transparency/tree_state_tracker.cc - Issue 2017563002: Add Certificate Transparency logs auditing

Side by Side Diff: components/certificate_transparency/tree_state_tracker.cc

Issue 2017563002: Add Certificate Transparency logs auditing (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Review comments & one less TODO Created 3 years, 11 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« components/certificate_transparency/single_tree_tracker.cc ('K') | « components/certificate_transparency/tree_state_tracker.h ('k') | net/cert/merkle_audit_proof.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 // Copyright 2015 The Chromium Authors. All rights reserved.	1 // Copyright 2015 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "components/certificate_transparency/tree_state_tracker.h"	5 #include "components/certificate_transparency/tree_state_tracker.h"

6	6

	7 #include "base/feature_list.h"

	8 #include "base/memory/ptr_util.h"

	9 #include "components/certificate_transparency/log_dns_client.h"

7 #include "components/certificate_transparency/single_tree_tracker.h"	10 #include "components/certificate_transparency/single_tree_tracker.h"

	11 #include "net/base/network_change_notifier.h"

8 #include "net/cert/ct_log_verifier.h"	12 #include "net/cert/ct_log_verifier.h"

9 #include "net/cert/signed_certificate_timestamp.h"	13 #include "net/cert/signed_certificate_timestamp.h"

10 #include "net/cert/signed_tree_head.h"	14 #include "net/cert/signed_tree_head.h"

11 #include "net/cert/x509_certificate.h"	15 #include "net/cert/x509_certificate.h"

	16 #include "net/dns/dns_client.h"

	17 #include "net/dns/dns_config_service.h"

	18 #include "net/log/net_log.h"

12	19

13 using net::X509Certificate;	20 using net::X509Certificate;

14 using net::CTLogVerifier;	21 using net::CTLogVerifier;

15 using net::ct::SignedCertificateTimestamp;	22 using net::ct::SignedCertificateTimestamp;

16 using net::ct::SignedTreeHead;	23 using net::ct::SignedTreeHead;

17	24

	25 namespace {

	26 const size_t kMaxConcurrentDnsQueries = 1;

	27 }

	28

18 namespace certificate_transparency {	29 namespace certificate_transparency {

19	30

	31 // Enables or disables auditing Certificate Transparency logs over DNS.

	32 const base::Feature kCTLogAuditing = {"CertificateTransparencyLogAuditing",

	33 base::FEATURE_DISABLED_BY_DEFAULT};

	34

20 TreeStateTracker::TreeStateTracker(	35 TreeStateTracker::TreeStateTracker(

21 std::vector<scoped_refptr<const CTLogVerifier>> ct_logs) {	36 std::vector<scoped_refptr<const CTLogVerifier>> ct_logs) {

22 for (const auto& log : ct_logs)	37 if (!base::FeatureList::IsEnabled(kCTLogAuditing))

23 tree_trackers_[log->key_id()].reset(new SingleTreeTracker(log));	38 return;

	39

	40 net::NetLogWithSource net_log;
	Ryan Sleevi 2017/01/10 03:15:54 I'm a little squicky about this and whether it's O I'm a little squicky about this and whether it's OK. eroman: Can you offer thoughts on this? eroman 2017/01/10 21:23:10 This is technically a supported pattern, in that i Show quoted text On 2017/01/10 03:15:54, Ryan Sleevi wrote: > I'm a little squicky about this and whether it's OK. > > eroman: Can you offer thoughts on this? This is technically a supported pattern, in that it has the effect of passing a null NetLog dependency. The consequence is that any NetLog events emitted by this DnsClient and LogDnsClient are sent to oblivion. This is not generally something we want to do. I haven't read the surrounding code to determine whether in this instance this is reasonable. Without knowing more, my recommendation is to forward the NetLog dependency so this DNS activity shows up in our ChromeNetLog, or justify why we don't need to log it. Cheers. Eran Messeri 2017/01/17 11:37:57 I can fix it the following way: * Pass in a NetLog I can fix it the following way: * Pass in a NetLog from the IOThread when creating the TreeStateTracker: In https://cs.chromium.org/chromium/src/chrome/browser/io_thread.cc?q=TreeStateT... , where the TreeStateTracker is created, there's already an initialized ChromeNetLog instance (net_log_). So a NetLog instance would be passed into the TreeStateTracker c'tor. Here, a NetLogWithSource will be created from the NetLog instance (I would add a new source type in net_log_source_type_list.h, to indicate all dns queries are related to CT inclusion proof fetching). Would that address your concern, Ryan? (I'd rather do it in a follow-up CL to avoid increasing the scope of this CL, since such a change would touch more net/ code, the io_thread and profile_io_data). eroman 2017/01/20 00:03:49 That works for me. Stick a TODO by this line and y Show quoted text On 2017/01/17 11:37:57, Eran Messeri wrote: > I can fix it the following way: > * Pass in a NetLog from the IOThread when creating the TreeStateTracker: > In > https://cs.chromium.org/chromium/src/chrome/browser/io_thread.cc?q=TreeStateT... > , where the TreeStateTracker is created, there's already an initialized > ChromeNetLog instance (net_log_). > > So a NetLog instance would be passed into the TreeStateTracker c'tor. > Here, a NetLogWithSource will be created from the NetLog instance (I would add a > new source type in net_log_source_type_list.h, to indicate all dns queries are > related to CT inclusion proof fetching). > > Would that address your concern, Ryan? > (I'd rather do it in a follow-up CL to avoid increasing the scope of this CL, > since such a change would touch more net/ code, the io_thread and > profile_io_data). That works for me. Stick a TODO by this line and you can follow-up with me separately. Eran Messeri 2017/01/20 09:49:05 Done. Show quoted text On 2017/01/20 00:03:49, eroman (slow) wrote: > On 2017/01/17 11:37:57, Eran Messeri wrote: > > I can fix it the following way: > > * Pass in a NetLog from the IOThread when creating the TreeStateTracker: > > In > > > https://cs.chromium.org/chromium/src/chrome/browser/io_thread.cc?q=TreeStateT... > > , where the TreeStateTracker is created, there's already an initialized > > ChromeNetLog instance (net_log_). > > > > So a NetLog instance would be passed into the TreeStateTracker c'tor. > > Here, a NetLogWithSource will be created from the NetLog instance (I would add > a > > new source type in net_log_source_type_list.h, to indicate all dns queries are > > related to CT inclusion proof fetching). > > > > Would that address your concern, Ryan? > > (I'd rather do it in a follow-up CL to avoid increasing the scope of this CL, > > since such a change would touch more net/ code, the io_thread and > > profile_io_data). > > That works for me. > Stick a TODO by this line and you can follow-up with me separately. Done.
	41 std::unique_ptr<net::DnsClient> dns_client =

	42 net::DnsClient::CreateClient(net_log.net_log());

	43 dns_client_ = base::MakeUnique<LogDnsClient>(std::move(dns_client), net_log,

	44 kMaxConcurrentDnsQueries);

	45

	46 for (const auto& log : ct_logs) {

	47 tree_trackers_[log->key_id()].reset(

	48 new SingleTreeTracker(log, dns_client_.get()));

	49 }

24 }	50 }

25	51

26 TreeStateTracker::~TreeStateTracker() {}	52 TreeStateTracker::~TreeStateTracker() {}

27	53

28 void TreeStateTracker::OnSCTVerified(X509Certificate* cert,	54 void TreeStateTracker::OnSCTVerified(X509Certificate* cert,

29 const SignedCertificateTimestamp* sct) {	55 const SignedCertificateTimestamp* sct) {

30 auto it = tree_trackers_.find(sct->log_id);	56 auto it = tree_trackers_.find(sct->log_id);

31 // Ignore if the SCT is from an unknown log.	57 // Ignore if the SCT is from an unknown log.

32 if (it == tree_trackers_.end())	58 if (it == tree_trackers_.end())

33 return;	59 return;

34	60

35 it->second->OnSCTVerified(cert, sct);	61 it->second->OnSCTVerified(cert, sct);

36 }	62 }

37	63

38 void TreeStateTracker::NewSTHObserved(const SignedTreeHead& sth) {	64 void TreeStateTracker::NewSTHObserved(const SignedTreeHead& sth) {

39 auto it = tree_trackers_.find(sth.log_id);	65 auto it = tree_trackers_.find(sth.log_id);

40 // Is the STH from a known log? Since STHs can be provided from external	66 // Is the STH from a known log? Since STHs can be provided from external

41 // sources for logs not yet recognized by this client, return, rather than	67 // sources for logs not yet recognized by this client, return, rather than

42 // DCHECK.	68 // DCHECK.

43 if (it == tree_trackers_.end())	69 if (it == tree_trackers_.end())

44 return;	70 return;

45	71

46 it->second->NewSTHObserved(sth);	72 it->second->NewSTHObserved(sth);

47 }	73 }

48	74

49 } // namespace certificate_transparency	75 } // namespace certificate_transparency

OLD	NEW