components/cronet/cert/cert_verifier_cache_persister.cc - Issue 2021433004: Cert - protobufs to serialize and deserialize CertVerifierCache.

Side by Side Diff: components/cronet/cert/cert_verifier_cache_persister.cc

Issue 2021433004: Cert - protobufs to serialize and deserialize CertVerifierCache. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@Add_support_for_walking_1999733002

Patch Set: delete //net/data/ssl/... Created 4 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« components/cronet/android/BUILD.gn ('K') | « components/cronet/cert/cert_verifier_cache_persister.h ('k') | components/cronet/cert/cert_verifier_cache_persister_unittest.cc » ('j') | components/cronet/cert/cert_verifier_cache_persister_unittest.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
(Empty)
	1 // Copyright 2016 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "components/cronet/cert/cert_verifier_cache_persister.h"

	6

	7 #include <string>

	8 #include <vector>

	9

	10 #include "base/logging.h"

	11 #include "base/metrics/histogram_macros.h"

	12 #include "base/strings/string_piece.h"

	13 #include "base/time/time.h"

	14 #include "components/cronet/cert/proto/cert_verification.pb.h"

	15 #include "net/base/hash_value.h"

	16 #include "net/cert/caching_cert_verifier.h"

	17 #include "net/cert/cert_type.h"

	18 #include "net/cert/cert_verify_result.h"

	19 #include "net/cert/x509_cert_types.h"

	20 #include "net/cert/x509_certificate.h"

	21

	22 namespace cronet {

	23

	24 namespace {

	25

	26 typedef std::vector<std::string> CertVector;

	27 typedef std::map<std::string, size_t> SerializedCertMap;

	28 typedef std::map<size_t, std::string> DeserializedCertMap;

	29

	30 bool SerializeCertHandle(const net::X509Certificate::OSCertHandle& cert_handle,

	31 SerializedCertMap* serialized_certs,

	32 size_t* cert_number) {

	33 std::string encoded;

	34 if (!net::X509Certificate::GetDEREncoded(cert_handle, &encoded)) {

	35 NOTREACHED();

	36 return false;

	37 }

	38 // Determine if \|cert_handle\| was already serialized. If so, simply return a

	39 // reference to that entry. Otherwise, add a new entry to the set of certs to

	40 // be serialized (\|serialized_certs\|).

	41 auto result =

	42 serialized_certs->insert({encoded, serialized_certs->size() + 1});

	43 *cert_number = result.first->second;

	44 return true;

	45 }

	46

	47 // Update \|certificate\| with certificate number and updates \|serialized_certs\|

	48 // with DER-encoded representation of certificate if the certicate is not in

	49 // \|serialized_certs\|. Returns true if data is serialized correctly.

	50 bool SerializeCertificate(net::X509Certificate* cert,

	51 SerializedCertMap* serialized_certs,

	52 cronet_pb::CertVerificationCertificate* certificate) {

	53 size_t cert_number = 0;

	54 if (!SerializeCertHandle(cert->os_cert_handle(), serialized_certs,

	55 &cert_number)) {

	56 NOTREACHED();

	57 return false;

	58 }

	59 certificate->add_cert_numbers(cert_number);

	60 const net::X509Certificate::X509Certificate::OSCertHandles&

	61 intermediate_ca_certs = cert->GetIntermediateCertificates();

	62 for (size_t i = 0; i < intermediate_ca_certs.size(); ++i) {

	63 if (!SerializeCertHandle(intermediate_ca_certs[i], serialized_certs,

	64 &cert_number)) {

	65 NOTREACHED();

	66 return false;

	67 }

	68 certificate->add_cert_numbers(cert_number);

	69 }

	70 return true;

	71 }

	72

	73 // Deserializes \|certificate\| using the certificate database provided in

	74 // \|deserialized_certs\|. Returns the parsed certificate on success, or nullptr

	75 // if deserialization failed.

	76 scoped_refptr<net::X509Certificate> DeserializeCertificate(

	77 const cronet_pb::CertVerificationCertificate& certificate,

	78 const DeserializedCertMap& deserialized_certs) {

	79 if (0 == certificate.cert_numbers_size())

	80 return nullptr;

	81 std::vector<base::StringPiece> der_cert_pieces(

	82 certificate.cert_numbers_size());

	83 for (int i = 0; i < certificate.cert_numbers_size(); i++) {

	84 size_t cert_number = certificate.cert_numbers(i);

	85 DeserializedCertMap::const_iterator it =

	86 deserialized_certs.find(cert_number);

	87 if (it == deserialized_certs.end())

	88 return nullptr;

	89 der_cert_pieces[i] = base::StringPiece(it->second);

	90 }

	91 return net::X509Certificate::CreateFromDERCertChain(der_cert_pieces);

	92 }

	93

	94 // Serializes \|params\| into \|request_params\|, updating \|serialized_certs\| with

	95 // the set of raw certificates that will be needed to deserialize the

	96 // certificate in \|request_params\| via DeserializeCertificate().

	97 bool SerializeRequestParams(

	98 const net::CertVerifier::RequestParams& params,

	99 SerializedCertMap* serialized_certs,

	100 cronet_pb::CertVerificationRequestParams* request_params) {

	101 cronet_pb::CertVerificationCertificate* certificate =

	102 request_params->mutable_certificate();

	103 if (!SerializeCertificate(params.certificate().get(), serialized_certs,

	104 certificate)) {

	105 NOTREACHED();

	106 return false;

	107 }

	108 request_params->set_hostname(params.hostname());

	109 request_params->set_flags(params.flags());

	110 request_params->set_ocsp_response(params.ocsp_response());

	111 for (const scoped_refptr<net::X509Certificate>& cert :

	112 params.additional_trust_anchors()) {

	113 certificate = request_params->add_additional_trust_anchors();

	114 if (!SerializeCertificate(cert.get(), serialized_certs, certificate)) {

	115 NOTREACHED();

	116 return false;

	117 }

	118 }

	119 return true;

	120 }

	121

	122 // Serializes \|result\| into \|cached_result\|, updating \|serialized_certs\| with

	123 // the set of raw certificates that will be needed to deserialize the

	124 // certificate in \|cached_result\| via DeserializeCertificate().

	125 bool SerializeCachedResult(

	126 const net::CertVerifyResult& result,

	127 SerializedCertMap* serialized_certs,

	128 cronet_pb::CertVerificationCachedResult* cached_result) {

	129 cronet_pb::CertVerificationResult* cert_verification_result =

	130 cached_result->mutable_result();

	131 cronet_pb::CertVerificationCertificate* certificate =

	132 cert_verification_result->mutable_verified_cert();

	133 if (!SerializeCertificate(result.verified_cert.get(), serialized_certs,

	134 certificate)) {

	135 NOTREACHED();

	136 return false;

	137 }

	138 cert_verification_result->set_cert_status(result.cert_status);

	139 cert_verification_result->set_has_md2(result.has_md2);

	140 cert_verification_result->set_has_md4(result.has_md4);

	141 cert_verification_result->set_has_md5(result.has_md5);

	142 cert_verification_result->set_has_sha1(result.has_sha1);

	143 cert_verification_result->set_has_sha1_leaf(result.has_sha1_leaf);

	144 for (const net::HashValue& value : result.public_key_hashes)

	145 cert_verification_result->add_public_key_hashes(value.ToString());

	146 cert_verification_result->set_is_issued_by_known_root(

	147 result.is_issued_by_known_root);

	148 cert_verification_result->set_is_issued_by_additional_trust_anchor(

	149 result.is_issued_by_additional_trust_anchor);

	150 cert_verification_result->set_common_name_fallback_used(

	151 result.common_name_fallback_used);

	152 return true;

	153 }

	154

	155 // Deserializes \|cached_result\| using the certificate database provided in

	156 // \|deserialized_certs\|. Returns the parsed net::CertVerifyResult on success, or

	157 // nullptr if deserialization failed.

	158 bool DeserializeCachedResult(

	159 const cronet_pb::CertVerificationCachedResult& cached_result,

	160 const DeserializedCertMap& deserialized_certs,

	161 int* error,

	162 net::CertVerifyResult* result) {

	163 if (!cached_result.has_error() \|\| !cached_result.has_result())

	164 return false;

	165

	166 const cronet_pb::CertVerificationResult& cert_verification_result =

	167 cached_result.result();

	168 if (!cert_verification_result.has_verified_cert() \|\|

	169 !cert_verification_result.has_cert_status()) {

	170 return false;

	171 }

	172

	173 *error = cached_result.error();

	174

	175 result->verified_cert = DeserializeCertificate(

	176 cert_verification_result.verified_cert(), deserialized_certs);

	177 if (!result->verified_cert)

	178 return false;

	179

	180 for (int i = 0; i < cert_verification_result.public_key_hashes_size(); ++i) {

	181 const std::string& public_key_hash =

	182 cert_verification_result.public_key_hashes(i);

	183 net::HashValue hash;

	184 if (!hash.FromString(public_key_hash))

	185 return false;

	186 result->public_key_hashes.push_back(hash);

	187 }

	188 result->cert_status = cert_verification_result.cert_status();

	189 result->has_md2 = cert_verification_result.has_md2();

	190 result->has_md4 = cert_verification_result.has_md4();

	191 result->has_md5 = cert_verification_result.has_md5();

	192 result->has_sha1 = cert_verification_result.has_sha1();

	193 result->has_sha1_leaf = cert_verification_result.has_sha1_leaf();

	194 result->is_issued_by_known_root =

	195 cert_verification_result.is_issued_by_known_root();

	196 result->is_issued_by_additional_trust_anchor =

	197 cert_verification_result.is_issued_by_additional_trust_anchor();

	198 result->common_name_fallback_used =

	199 cert_verification_result.common_name_fallback_used();

	200 return true;

	201 }

	202

	203 } // namespace

	204

	205 cronet_pb::CertVerificationCache SerializeCertVerifierCache(

	206 const net::CachingCertVerifier& verifier) {

	207 cronet_pb::CertVerificationCache cert_cache;

	208 SerializedCertMap serialized_certs;

	209

	210 net::CachingCertVerifier::Iterator cache_iterator(verifier);

	211 for (; cache_iterator.HasNext(); cache_iterator.Advance()) {

	212 cronet_pb::CertVerificationCacheEntry* cache_entry =

	213 cert_cache.add_cache_entry();

	214

	215 cronet_pb::CertVerificationRequestParams* request_params =

	216 cache_entry->mutable_request_params();

	217 if (!SerializeRequestParams(cache_iterator.params(), &serialized_certs,

	218 request_params)) {

	219 NOTREACHED();

	220 continue;

	221 }

	222

	223 cronet_pb::CertVerificationCachedResult* cached_result =

	224 cache_entry->mutable_cached_result();

	225 cached_result->set_error(cache_iterator.error());

	226 if (!SerializeCachedResult(cache_iterator.verify_result(),

	227 &serialized_certs, cached_result)) {

	228 NOTREACHED();

	229 continue;

	230 }

	231

	232 cache_entry->set_verification_time(

	233 cache_iterator.verification_time().ToInternalValue());

	234 }

	235 for (auto cert : serialized_certs) {

	236 cronet_pb::CertVerificationCertificateData* cert_entry =

	237 cert_cache.add_cert_entry();

	238 cert_entry->set_cert(cert.first);

	239 cert_entry->set_cert_number(cert.second);

	240 }

	241

	242 return cert_cache;
	Ryan Sleevi 2016/06/15 23:31:32 Note: You're mutating \|cert_cache\| throughout your Note: You're mutating \|cert_cache\| throughout your serialization, even if it fails. That means you potentially end up serializing junk data in a way that can seriously mess with your deserialization. If serialization fails, shouldn't you fail-closed and serialize nothing? ramant (doing other things) 2016/06/17 02:45:14 Done. Show quoted text On 2016/06/15 23:31:32, Ryan Sleevi wrote: > Note: You're mutating \|cert_cache\| throughout your serialization, even if it > fails. That means you potentially end up serializing junk data in a way that can > seriously mess with your deserialization. > > If serialization fails, shouldn't you fail-closed and serialize nothing? Done.
	243 }

	244

	245 bool DeserializeCertVerifierCache(

	246 const cronet_pb::CertVerificationCache& cert_cache,

	247 net::CachingCertVerifier* verifier) {

	248 DeserializedCertMap deserialized_certs;

	249

	250 if (cert_cache.cert_entry_size() == 0u \|\|

	251 cert_cache.cache_entry_size() == 0u) {

	252 return false;

	253 }

	254

	255 // Build \|deserialized_certs\|'s certificate map.

	256 for (int i = 0; i < cert_cache.cert_entry_size(); ++i) {

	257 const cronet_pb::CertVerificationCertificateData& cert_entry =

	258 cert_cache.cert_entry(i);

	259 if (!cert_entry.has_cert() \|\| !cert_entry.has_cert_number())

	260 return false;

	261 deserialized_certs.insert({cert_entry.cert_number(), cert_entry.cert()});

	262 }

	263

	264 for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {

	265 const cronet_pb::CertVerificationCacheEntry& cache_entry =

	266 cert_cache.cache_entry(i);

	267

	268 // Verify \|cache_entry\|'s data.

	269 if (!cache_entry.has_request_params() \|\|

	270 !cache_entry.has_verification_time() \|\|

	271 !cache_entry.has_cached_result()) {

	272 return false;

	273 }

	274

	275 const cronet_pb::CertVerificationRequestParams& request_params =

	276 cache_entry.request_params();

	277

	278 // Verify \|request_params\|'s data.

	279 if (!request_params.has_certificate() \|\| !request_params.has_hostname() \|\|

	280 request_params.hostname().empty() \|\| !request_params.has_flags() \|\|

	281 !request_params.has_ocsp_response()) {

	282 return false;

	283 }

	284

	285 // Deserialize \|request_params\|'s certificate using the certificate

	286 // database provided in \|deserialized_certs\|.

	287 scoped_refptr<net::X509Certificate> certificate = DeserializeCertificate(

	288 request_params.certificate(), deserialized_certs);

	289 if (!certificate)

	290 return false;

	291

	292 // Deserialize \|request_params\|'s trust anchor certificates using the

	293 // certificate database provided in \|deserialized_certs\|.

	294 net::CertificateList additional_trust_anchors;

	295 for (int i = 0; i < request_params.additional_trust_anchors_size(); ++i) {

	296 const cronet_pb::CertVerificationCertificate& certificate =

	297 request_params.additional_trust_anchors(i);

	298 scoped_refptr<net::X509Certificate> cert =

	299 DeserializeCertificate(certificate, deserialized_certs);

	300 if (!cert)

	301 return false;

	302 additional_trust_anchors.push_back(cert);

	303 }

	304

	305 net::CertVerifier::RequestParams params(

	306 certificate, request_params.hostname(), request_params.flags(),

	307 request_params.ocsp_response(), additional_trust_anchors);

	308

	309 // Deserialize \|cached_result\| into \|result\|.

	310 const cronet_pb::CertVerificationCachedResult& cached_result =

	311 cache_entry.cached_result();

	312 net::CertVerifyResult result;

	313 int error;

	314 if (!DeserializeCachedResult(cached_result, deserialized_certs, &error,

	315 &result)) {

	316 return false;

	317 }

	318

	319 verifier->AddEntry(

	320 params, error, result,

	321 base::Time::FromInternalValue(cache_entry.verification_time()));
	Ryan Sleevi 2016/06/15 23:31:31 BUG?: Not checking if this deserializes properly i BUG?: Not checking if this deserializes properly into a valid time ramant (doing other things) 2016/06/17 02:45:14 At line 270 was doing !cache_entry.has_verificatio At line 270 was doing !cache_entry.has_verification_time(). Added check for is_null. Added a check for verification_time not being in future. Any other checks? Done.
	322 }

	323 return true;

	324 }

	325

	326 } // namespace cronet

OLD	NEW