Add Certificate Transparency logs auditing

components/certificate_transparency/tree_state_tracker.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/certificate_transparency/tree_state_tracker.h"
 
+#include "base/feature_list.h"
+#include "base/memory/ptr_util.h"
+#include "components/certificate_transparency/log_dns_client.h"
 #include "components/certificate_transparency/single_tree_tracker.h"
+#include "net/base/network_change_notifier.h"
 #include "net/cert/ct_log_verifier.h"
 #include "net/cert/signed_certificate_timestamp.h"
 #include "net/cert/signed_tree_head.h"
 #include "net/cert/x509_certificate.h"
+#include "net/dns/dns_client.h"
+#include "net/dns/dns_config_service.h"
+#include "net/log/net_log.h"
 
 using net::X509Certificate;
 using net::CTLogVerifier;
 using net::ct::SignedCertificateTimestamp;
 using net::ct::SignedTreeHead;
 
+namespace {
+const size_t kMaxConcurrentDnsQueries = 1;
+}
+
 namespace certificate_transparency {
 
+// Enables or disables auditing Certificate Transparency logs over DNS.
+const base::Feature kCTLogAuditing = {"CertificateTransparencyLogAuditing",
+                                      base::FEATURE_DISABLED_BY_DEFAULT};
+
 TreeStateTracker::TreeStateTracker(
     std::vector<scoped_refptr<const CTLogVerifier>> ct_logs) {
-  for (const auto& log : ct_logs)
-    tree_trackers_[log->key_id()].reset(new SingleTreeTracker(log));
+  if (!base::FeatureList::IsEnabled(kCTLogAuditing))
+    return;
+
+  //TODO(eranm): Hook up a real NetLog this way:

[Ryan Sleevi, 2017/01/20 12:53:21]

// TODO(eranm):

(add space)

[Eran Messeri, 2017/01/23 16:45:47]

Done.

+  // Pass in a NetLog from the IOThread when creating the TreeStateTracker:
+  // In, chrome/browser/io_thread.cc, where the TreeStateTracker is created,
+  // there's already an initialized ChromeNetLog instance (net_log_).
+  //
+  // A NetLog instance would be passed into the TreeStateTracker c'tor.
+  // Here, a NetLogWithSource will be created from the NetLog instance (after
+  // adding a new source type in net_log_source_type_list.h, to indicate which
+  // dns queries are related to CT inclusion proof fetching) by invoking
+  // NetLogWithSource::Make.

[Ryan Sleevi, 2017/01/20 12:53:21]

Let's drop this comment, if anything because it's a layering violation (talking
about //chrome) :)

But also because I know you're going to do it right away ;)

[Eran Messeri, 2017/01/23 16:45:47]

Done.

+  net::NetLogWithSource net_log;
+  std::unique_ptr<net::DnsClient> dns_client =
+      net::DnsClient::CreateClient(net_log.net_log());
+  dns_client_ = base::MakeUnique<LogDnsClient>(std::move(dns_client), net_log,
+                                               kMaxConcurrentDnsQueries);
+
+  for (const auto& log : ct_logs) {
+    tree_trackers_[log->key_id()].reset(
+        new SingleTreeTracker(log, dns_client_.get()));
+  }
 }
 
 TreeStateTracker::~TreeStateTracker() {}
 
 void TreeStateTracker::OnSCTVerified(X509Certificate* cert,
                                      const SignedCertificateTimestamp* sct) {
   auto it = tree_trackers_.find(sct->log_id);
   // Ignore if the SCT is from an unknown log.
   if (it == tree_trackers_.end())
     return;
 
   it->second->OnSCTVerified(cert, sct);
 }
 
 void TreeStateTracker::NewSTHObserved(const SignedTreeHead& sth) {
   auto it = tree_trackers_.find(sth.log_id);
   // Is the STH from a known log? Since STHs can be provided from external
   // sources for logs not yet recognized by this client, return, rather than
   // DCHECK.
   if (it == tree_trackers_.end())
     return;
 
   it->second->NewSTHObserved(sth);
 }
 
 }  // namespace certificate_transparency