Cert - protobufs to serialize and deserialize CertVerifierCache.

net/extras/cert/cert_verifier_cache_persister.cc

+// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/extras/cert/cert_verifier_cache_persister.h"
+
+#include "base/logging.h"
+#include "base/metrics/histogram_macros.h"
+#include "base/pickle.h"
+#include "base/strings/string_piece.h"
+#include "base/time/time.h"
+#include "net/base/hash_value.h"
+#include "net/cert/caching_cert_verifier.h"
+#include "net/cert/cert_type.h"
+#include "net/cert/cert_verify_result.h"
+#include "net/cert/x509_cert_types.h"
+#include "net/cert/x509_certificate.h"
+#include "net/extras/cert/proto/cert_verification.pb.h"
+
+namespace net {
+
+namespace {
+
+bool SerializeCertHandle(
+    const X509Certificate::OSCertHandle& cert_handle,
+    CertVerifierCachePersister::CertVector* serialized_certs,
+    size_t* cert_number) {
+  std::string encoded;
+  if (!X509Certificate::GetDEREncoded(cert_handle, &encoded)) {
+    DCHECK(false);
+    return false;
+  }
+  const auto& it =
+      std::find(serialized_certs->begin(), serialized_certs->end(), encoded);

[Ryan Sleevi, 2016/05/30 18:37:18]

EFFICIENCY: These |encoded| strings are going to be between 1-3K each, and will
share in common a good portion of the first 12-30 bytes (up until the serial
number), which will likely force cache misses and force the entire string to be
loaded. Just calling it out.

(For example, you could consider using a hash_map to map cert->index, and just
linearly increment that way, without the need for std::distance or std::find)

Recall that the cache stores 256 entries, of full certificates, so that will be
average 3-4 certificates an entry (not to mention the CertVerifyResult
verify_chain being another set). Even with a Google-service bias (where we stuff
100+ SANs in a cert), this could be less than ideal.

It really depends on defining for your use case, and the only way I can see this
being the 'right' case is for situations where it's talking to Google services
and maybe 10-15 entries. I think if we look at 'real world' browsing, even on
mobile, this will likely have 100 or so entries, non-overlapping - and the
memory pressures this begins to put (which isn't about the O(N) complexities but
the L1/L2 caching) will likely make this not very performant - AND it will force
evictions of other data from the cache lines.

[ramant (doing other things), 2016/06/01 16:29:21]

Done.

+  if (it != serialized_certs->end()) {
+    *cert_number =
+        static_cast<size_t>(std::distance(serialized_certs->begin(), it));
+  } else {
+    serialized_certs->push_back(encoded);
+    *cert_number = serialized_certs->size() - 1;
+  }
+  return true;
+}
+
+// Update |proto_certificate| with certificate number and updates
+// |serialized_certs|
+// with DER-encoded representation of certificate if the certicate is not in
+// |serialized_certs|. Returns true if data is serialized correctly.
+bool SerializeCertificate(
+    const scoped_refptr<X509Certificate>& certificate,
+    CertVerifierCachePersister::CertVector* serialized_certs,
+    CertVerificationCertificate* proto_certificate) {
+  size_t cert_number = 0;
+  if (!SerializeCertHandle(certificate->os_cert_handle(), serialized_certs,
+                           &cert_number)) {
+    DCHECK(false);
+    return false;
+  }
+  proto_certificate->add_cert_numbers(cert_number);
+  const X509Certificate::X509Certificate::OSCertHandles& intermediate_ca_certs =
+      certificate->GetIntermediateCertificates();
+  for (size_t i = 0; i < intermediate_ca_certs.size(); ++i) {
+    if (!SerializeCertHandle(intermediate_ca_certs[i], serialized_certs,
+                             &cert_number)) {
+      DCHECK(false);
+      return false;
+    }
+    proto_certificate->add_cert_numbers(cert_number);
+  }
+  return true;
+}
+
+// Returns deserialized certificate with the deserialized data from
+// |proto_certificate|.
+scoped_refptr<X509Certificate> DeserializeCertificate(
+    const CertVerificationCertificate& proto_certificate,
+    const CertVerifierCachePersister::CertVector& deserialized_der_certs) {
+  std::vector<base::StringPiece> der_cert_pieces(
+      proto_certificate.cert_numbers_size());
+  for (int i = 0; i < proto_certificate.cert_numbers_size(); i++) {
+    size_t cert_number = proto_certificate.cert_numbers(i);
+    CHECK_LT(cert_number, deserialized_der_certs.size());
+    der_cert_pieces[i] = base::StringPiece(deserialized_der_certs[cert_number]);
+  }
+  return X509Certificate::CreateFromDERCertChain(der_cert_pieces);
+}
+
+// Update |proto_request_param| with RequestParams data from |params|.
+bool SerializeRequestParams(
+    const CertVerifier::RequestParams& params,
+    CertVerifierCachePersister::CertVector* serialized_certs,
+    CertVerificationRequestParams* proto_request_param) {
+  CertVerificationCertificate* proto_certificate =
+      proto_request_param->mutable_certificate();
+  if (!SerializeCertificate(params.certificate(), serialized_certs,
+                            proto_certificate)) {
+    DCHECK(false);
+    return false;
+  }
+  proto_request_param->set_hostname(params.hostname());
+  proto_request_param->set_flags(params.flags());
+  proto_request_param->set_ocsp_response(params.ocsp_response());
+  for (const scoped_refptr<X509Certificate>& cert :
+       params.additional_trust_anchors()) {
+    proto_certificate = proto_request_param->add_additional_trust_anchors();
+    if (!SerializeCertificate(cert, serialized_certs, proto_certificate)) {
+      DCHECK(false);
+      return false;
+    }
+  }
+  return true;
+}
+
+// Update |proto_cached_result| with CachedResult data from |cache_iterator|.
+// |serialized_certs| contains a list of unique DER-encoded representation of
+// certificates.
+bool SerializeCachedResult(
+    CachingCertVerifier::Iterator& cache_iterator,
+    CertVerifierCachePersister::CertVector* serialized_certs,
+    CertVerificationCachedResult* proto_cached_result) {
+  proto_cached_result->set_error(cache_iterator.error());
+
+  // Serialize CertVerifyResult.
+  const CertVerifyResult& result = cache_iterator.verify_result();
+
+  CertVerificationResult* proto_result = proto_cached_result->mutable_result();
+  CertVerificationCertificate* proto_certificate =
+      proto_result->mutable_verified_cert();
+  if (!SerializeCertificate(result.verified_cert, serialized_certs,
+                            proto_certificate)) {
+    DCHECK(false);
+    return false;
+  }
+  proto_result->set_cert_status(result.cert_status);
+  proto_result->set_has_md2(result.has_md2);
+  proto_result->set_has_md4(result.has_md4);
+  proto_result->set_has_md5(result.has_md5);
+  proto_result->set_has_sha1(result.has_sha1);
+  proto_result->set_has_sha1_leaf(result.has_sha1_leaf);
+  for (const HashValue& value : result.public_key_hashes)
+    proto_result->add_public_key_hashes(value.ToString());
+  proto_result->set_is_issued_by_known_root(result.is_issued_by_known_root);
+  proto_result->set_is_issued_by_additional_trust_anchor(
+      result.is_issued_by_additional_trust_anchor);
+  proto_result->set_common_name_fallback_used(result.common_name_fallback_used);
+  return true;
+}
+
+// Update |error| and |result| with deserialized CachedResult data from
+// |proto_cached_result|. Returns true if it is deserialized correctly.
+bool DeserializeCachedResult(
+    const CertVerificationCachedResult& proto_cached_result,
+    const CertVerifierCachePersister::CertVector& deserialized_der_certs,
+    int* error,
+    CertVerifyResult* result) {
+  if (!proto_cached_result.has_error() || !proto_cached_result.has_result()) {
+    DCHECK(false);
+    return false;
+  }
+
+  const CertVerificationResult& proto_result = proto_cached_result.result();
+  if (!proto_result.has_verified_cert() || !proto_result.has_cert_status()) {
+    DCHECK(false);
+    return false;
+  }
+
+  *error = proto_cached_result.error();
+
+  result->verified_cert = DeserializeCertificate(proto_result.verified_cert(),
+                                                 deserialized_der_certs);
+  if (!result->verified_cert.get()) {
+    DCHECK(false);
+    return false;
+  }
+
+  for (int i = 0; i < proto_result.public_key_hashes_size(); ++i) {
+    const ::std::string& public_key_hash = proto_result.public_key_hashes(i);
+    HashValue hash;
+    if (!hash.FromString(public_key_hash)) {
+      DCHECK(false);
+      return false;
+    }
+    result->public_key_hashes.push_back(hash);
+  }
+  result->cert_status = proto_result.cert_status();
+  result->has_md2 = proto_result.has_md2();
+  result->has_md4 = proto_result.has_md4();
+  result->has_md5 = proto_result.has_md5();
+  result->has_sha1 = proto_result.has_sha1();
+  result->has_sha1_leaf = proto_result.has_sha1_leaf();
+  result->is_issued_by_known_root = proto_result.is_issued_by_known_root();
+  result->is_issued_by_additional_trust_anchor =
+      proto_result.is_issued_by_additional_trust_anchor();
+  result->common_name_fallback_used = proto_result.common_name_fallback_used();
+  return true;
+}
+
+// Update |proto_cache_validity_period| with ValidityPeriod data from
+// |cache_iterator|.
+void SerializeValidityPeriod(
+    CachingCertVerifier::Iterator& cache_iterator,
+    CertVerificationCacheValidityPeriod* proto_cache_validity_period) {
+  proto_cache_validity_period->set_verification_time(
+      cache_iterator.verification_time().ToInternalValue());
+  proto_cache_validity_period->set_expiration_time(
+      cache_iterator.expiration_time().ToInternalValue());
+}
+
+}  // namespace
+
+CertVerifierCachePersister::CertVerifierCachePersister(
+    CachingCertVerifier* verifier)
+    : verifier_(verifier) {}
+
+CertVerifierCachePersister::~CertVerifierCachePersister() {}
+
+void CertVerifierCachePersister::SerializeCache(std::string* data) {
+  base::TimeTicks start_time(base::TimeTicks::Now());
+  CertVerificationCache proto_cert_cache;
+  CertVector serialized_certs;
+
+  CachingCertVerifier::Iterator cache_iterator(*verifier_);
+  for (; cache_iterator.HasNext(); cache_iterator.Advance()) {
+    CertVerificationCacheEntry* proto_cache_entry =
+        proto_cert_cache.add_cache_entry();
+
+    CertVerificationRequestParams* proto_request_param =
+        proto_cache_entry->mutable_request_params();
+    if (!SerializeRequestParams(cache_iterator.params(), &serialized_certs,
+                                proto_request_param)) {
+      DCHECK(false);
+      continue;
+    }
+
+    CertVerificationCachedResult* proto_cached_result =
+        proto_cache_entry->mutable_cached_result();
+    if (!SerializeCachedResult(cache_iterator, &serialized_certs,
+                               proto_cached_result)) {
+      DCHECK(false);
+      continue;
+    }
+
+    CertVerificationCacheValidityPeriod* proto_cache_validity_period =
+        proto_cache_entry->mutable_cache_validity_period();
+    SerializeValidityPeriod(cache_iterator, proto_cache_validity_period);
+  }
+  for (const std::string& cert : serialized_certs)
+    proto_cert_cache.add_certs(cert);
+
+  proto_cert_cache.SerializeToString(data);
+  UMA_HISTOGRAM_TIMES("Net.CertVerifierCachePersister.SerializeTime",
+                      base::TimeTicks::Now() - start_time);
+}
+
+bool CertVerifierCachePersister::LoadCache(const std::string& data) {
+  base::TimeTicks load_cache_start_time = base::TimeTicks::Now();
+  CertVector deserialized_der_certs;
+  CertVerificationCache proto;
+
+  if (!proto.ParseFromString(data) || proto.certs_size() == 0u ||
+      proto.cache_entry_size() == 0u) {
+    return false;
+  }
+
+  for (int i = 0; i < proto.certs_size(); ++i)
+    deserialized_der_certs.push_back(proto.certs(i));
+
+  bool detected_corrupted_data = false;
+  for (int i = 0; i < proto.cache_entry_size(); ++i) {
+    const CertVerificationCacheEntry& cache_entry = proto.cache_entry(i);
+    if (!cache_entry.has_request_params() ||
+        !cache_entry.has_cache_validity_period() ||
+        !cache_entry.has_cached_result()) {
+      detected_corrupted_data = true;
+      continue;
+    }
+
+    const CertVerificationRequestParams& proto_request_params =
+        cache_entry.request_params();
+
+    if (!proto_request_params.has_certificate() ||
+        !proto_request_params.has_hostname() ||
+        proto_request_params.hostname().empty() ||
+        !proto_request_params.has_flags() ||
+        !proto_request_params.has_ocsp_response()) {
+      detected_corrupted_data = true;
+      continue;
+    }
+
+    scoped_refptr<X509Certificate> certificate = DeserializeCertificate(
+        proto_request_params.certificate(), deserialized_der_certs);
+    if (!certificate.get()) {
+      detected_corrupted_data = true;
+      continue;
+    }
+
+    std::string hostname(proto_request_params.hostname());
+    int flags = proto_request_params.flags();
+    std::string ocsp_response(proto_request_params.ocsp_response());
+    CertificateList additional_trust_anchors;
+    for (int i = 0; i < proto_request_params.additional_trust_anchors_size();
+         ++i) {
+      const CertVerificationCertificate& proto_certificate =
+          proto_request_params.additional_trust_anchors(i);
+      scoped_refptr<X509Certificate> cert =
+          DeserializeCertificate(proto_certificate, deserialized_der_certs);
+      if (cert.get())
+        additional_trust_anchors.push_back(cert);
+    }
+
+    CertVerifier::RequestParams params(certificate, hostname, flags,
+                                       ocsp_response, additional_trust_anchors);
+
+    const CertVerificationCacheValidityPeriod& proto_cache_validity_period =
+        cache_entry.cache_validity_period();
+    if (!proto_cache_validity_period.has_verification_time() ||
+        !proto_cache_validity_period.has_expiration_time()) {
+      detected_corrupted_data = true;
+      continue;
+    }
+    base::Time verification_time = base::Time::FromInternalValue(
+        proto_cache_validity_period.verification_time());
+
+    const CertVerificationCachedResult& proto_cached_result =
+        cache_entry.cached_result();
+    CertVerifyResult result;
+    int error;
+    if (!DeserializeCachedResult(proto_cached_result, deserialized_der_certs,
+                                 &error, &result)) {
+      detected_corrupted_data = true;
+      continue;
+    }
+
+    if (!verifier_->AddEntry(params, error, result, verification_time)) {
+      detected_corrupted_data = true;
+      continue;
+    }
+  }
+  UMA_HISTOGRAM_COUNTS("Net.CertVerifierCachePersister.LoadCacheSize",
+                       proto.cache_entry_size());
+  UMA_HISTOGRAM_TIMES("Net.CertVerifierCachePersister.LoadCacheTime",
+                      base::TimeTicks::Now() - load_cache_start_time);
+  return !detected_corrupted_data;
+}
+
+}  // namespace net