Unified Diff: components/certificate_transparency/tree_state_tracker.cc

Issue 2017563002: Add Certificate Transparency logs auditing (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Fix Windows compilation issue Created 3 years, 11 months ago
Index: components/certificate_transparency/tree_state_tracker.cc
diff --git a/components/certificate_transparency/tree_state_tracker.cc b/components/certificate_transparency/tree_state_tracker.cc
index 118cec0fedb94f4f149281c106a09ee730534cf7..d8cb6085e2d1777af0c8c796af94e2391b0bb38b 100644
--- a/components/certificate_transparency/tree_state_tracker.cc
+++ b/components/certificate_transparency/tree_state_tracker.cc
@@ -4,23 +4,59 @@
#include "components/certificate_transparency/tree_state_tracker.h"
+#include "base/feature_list.h"
+#include "base/memory/ptr_util.h"
+#include "components/certificate_transparency/log_dns_client.h"
#include "components/certificate_transparency/single_tree_tracker.h"
+#include "net/base/network_change_notifier.h"
#include "net/cert/ct_log_verifier.h"
#include "net/cert/signed_certificate_timestamp.h"
#include "net/cert/signed_tree_head.h"
#include "net/cert/x509_certificate.h"
+#include "net/dns/dns_client.h"
+#include "net/dns/dns_config_service.h"
+#include "net/log/net_log.h"
using net::X509Certificate;
using net::CTLogVerifier;
using net::ct::SignedCertificateTimestamp;
using net::ct::SignedTreeHead;
+namespace {
+const size_t kMaxConcurrentDnsQueries = 1;
+}
+
namespace certificate_transparency {
+// Enables or disables auditing Certificate Transparency logs over DNS.
+const base::Feature kCTLogAuditing = {"CertificateTransparencyLogAuditing",
+ base::FEATURE_DISABLED_BY_DEFAULT};
+
TreeStateTracker::TreeStateTracker(
std::vector<scoped_refptr<const CTLogVerifier>> ct_logs) {
- for (const auto& log : ct_logs)
- tree_trackers_[log->key_id()].reset(new SingleTreeTracker(log));
+ if (!base::FeatureList::IsEnabled(kCTLogAuditing))
+ return;
+
+ //TODO(eranm): Hook up a real NetLog this way:
Ryan Sleevi 2017/01/20 12:53:21 // TODO(eranm): (add space)
Eran Messeri 2017/01/23 16:45:47 Done.
+ // Pass in a NetLog from the IOThread when creating the TreeStateTracker:
+ // In, chrome/browser/io_thread.cc, where the TreeStateTracker is created,
+ // there's already an initialized ChromeNetLog instance (net_log_).
+ //
+ // A NetLog instance would be passed into the TreeStateTracker c'tor.
+ // Here, a NetLogWithSource will be created from the NetLog instance (after
+ // adding a new source type in net_log_source_type_list.h, to indicate which
+ // dns queries are related to CT inclusion proof fetching) by invoking
+ // NetLogWithSource::Make.
Ryan Sleevi 2017/01/20 12:53:21 Let's drop this comment, if anything because it's
Eran Messeri 2017/01/23 16:45:47 Done.
+ net::NetLogWithSource net_log;
+ std::unique_ptr<net::DnsClient> dns_client =
+ net::DnsClient::CreateClient(net_log.net_log());
+ dns_client_ = base::MakeUnique<LogDnsClient>(std::move(dns_client), net_log,
+ kMaxConcurrentDnsQueries);
+
+ for (const auto& log : ct_logs) {
+ tree_trackers_[log->key_id()].reset(
+ new SingleTreeTracker(log, dns_client_.get()));
+ }
}
TreeStateTracker::~TreeStateTracker() {}
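Review bot: The SingleTreeTracker instances created in the loop at the end of the hunk keep the raw pointer `dns_client_.get()`, so `dns_client_` must outlive `tree_trackers_`; that is decided by member declaration order in tree_state_tracker.h, which is not part of this diff, and it should be pinned there with a comment such as `// dns_client_ must be declared before tree_trackers_: trackers hold a raw pointer to it.` The early `return` when kCTLogAuditing is disabled also means no SingleTreeTracker is created at all, whereas before this change trackers were created unconditionally; if that is intended, a one-line comment above the return (`// Without auditing there is nothing to track; leave tree_trackers_ empty.`) would make the behaviour change explicit. For consistency with the `base::MakeUnique` call a few lines above, the `.reset(new SingleTreeTracker(...))` could become `tree_trackers_[log->key_id()] = base::MakeUnique<SingleTreeTracker>(log, dns_client_.get());`.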
