Chromium Code Reviews Chromium Code Reviews
Issue 2021433004:
Cert - protobufs to serialize and deserialize CertVerifierCache. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@Add_support_for_walking_1999733002| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "components/cronet/cert/cert_verifier_cache_persister.h" | |
| 6 | |
| 7 #include <string> | |
| 8 #include <vector> | |
| 9 | |
| 10 #include "base/logging.h" | |
| 11 #include "base/strings/string_piece.h" | |
| 12 #include "base/time/time.h" | |
| 13 #include "components/cronet/cert/proto/cert_verification.pb.h" | |
| 14 #include "net/base/hash_value.h" | |
| 15 #include "net/cert/caching_cert_verifier.h" | |
| 16 #include "net/cert/cert_verify_result.h" | |
| 17 #include "net/cert/x509_certificate.h" | |
| 18 | |
| 19 namespace cronet { | |
| 20 | |
| 21 namespace { | |
| 22 | |
| 23 typedef std::vector<std::string> CertVector; | |
| 24 typedef std::map<std::string, size_t> SerializedCertMap; | |
| 25 typedef std::map<size_t, std::string> DeserializedCertMap; | |
| 26 | |
| 27 // Determine if |cert_handle| was already serialized. If so, simply return a | |
| 28 // reference to that entry. Otherwise, add a new entry to the set of certs to | |
| 29 // be serialized (|serialized_certs|). Returns true if |cert_handle| is | |
| 30 // serialized correctly. | |
| 31 bool SerializeCertHandle(const net::X509Certificate::OSCertHandle& cert_handle, | |
| 32 SerializedCertMap* serialized_certs, | |
| 33 size_t* cert_number) { | |
| 34 std::string encoded; | |
| 35 if (!net::X509Certificate::GetDEREncoded(cert_handle, &encoded)) { | |
| 36 NOTREACHED(); | |
|
Ryan Sleevi
2016/06/21 20:31:02
After re-reading this, all of these NOTREACHED()'s
ramant (doing other things)
2016/06/22 03:51:36
Done.
| |
| 37 return false; | |
| 38 } | |
| 39 auto result = | |
| 40 serialized_certs->insert({encoded, serialized_certs->size() + 1}); | |
| 41 *cert_number = result.first->second; | |
| 42 return true; | |
| 43 } | |
| 44 | |
| 45 // Update |certificate| with certificate number and updates |serialized_certs| | |
| 46 // with DER-encoded representation of certificate if the certicate is not in | |
| 47 // |serialized_certs|. Returns true if data is serialized correctly. | |
| 48 bool SerializeCertificate(net::X509Certificate* cert, | |
| 49 SerializedCertMap* serialized_certs, | |
| 50 cronet_pb::CertVerificationCertificate* certificate) { | |
| 51 size_t cert_number = 0; | |
| 52 if (!SerializeCertHandle(cert->os_cert_handle(), serialized_certs, | |
| 53 &cert_number)) { | |
| 54 NOTREACHED(); | |
| 55 return false; | |
| 56 } | |
| 57 certificate->add_cert_numbers(cert_number); | |
| 58 const net::X509Certificate::X509Certificate::OSCertHandles& | |
| 59 intermediate_ca_certs = cert->GetIntermediateCertificates(); | |
| 60 for (size_t i = 0; i < intermediate_ca_certs.size(); ++i) { | |
|
Ryan Sleevi
2016/06/21 20:31:02
You no longer use i, so you could just use
for (c
ramant (doing other things)
2016/06/22 03:51:36
Done.
| |
| 61 if (!SerializeCertHandle(intermediate_ca_certs[i], serialized_certs, | |
| 62 &cert_number)) { | |
| 63 NOTREACHED(); | |
| 64 return false; | |
| 65 } | |
| 66 certificate->add_cert_numbers(cert_number); | |
| 67 } | |
| 68 return true; | |
| 69 } | |
| 70 | |
| 71 // Deserializes |certificate| using the certificate database provided in | |
| 72 // |deserialized_certs|. Returns the parsed certificate on success, or nullptr | |
| 73 // if deserialization failed. | |
| 74 scoped_refptr<net::X509Certificate> DeserializeCertificate( | |
| 75 const cronet_pb::CertVerificationCertificate& certificate, | |
| 76 const DeserializedCertMap& deserialized_certs) { | |
| 77 if (0 == certificate.cert_numbers_size()) | |
| 78 return nullptr; | |
| 79 std::vector<base::StringPiece> der_cert_pieces( | |
| 80 certificate.cert_numbers_size()); | |
| 81 for (int i = 0; i < certificate.cert_numbers_size(); i++) { | |
| 82 size_t cert_number = certificate.cert_numbers(i); | |
| 83 DeserializedCertMap::const_iterator it = | |
| 84 deserialized_certs.find(cert_number); | |
| 85 if (it == deserialized_certs.end()) | |
| 86 return nullptr; | |
| 87 der_cert_pieces[i] = base::StringPiece(it->second); | |
| 88 } | |
| 89 return net::X509Certificate::CreateFromDERCertChain(der_cert_pieces); | |
| 90 } | |
| 91 | |
| 92 // Serializes |params| into |request_params|, updating |serialized_certs| with | |
| 93 // the set of raw certificates that will be needed to deserialize the | |
| 94 // certificate in |request_params| via DeserializeCertificate(). | |
| 95 bool SerializeRequestParams( | |
| 96 const net::CertVerifier::RequestParams& params, | |
| 97 SerializedCertMap* serialized_certs, | |
| 98 cronet_pb::CertVerificationRequestParams* request_params) { | |
| 99 cronet_pb::CertVerificationCertificate* certificate = | |
| 100 request_params->mutable_certificate(); | |
| 101 if (!SerializeCertificate(params.certificate().get(), serialized_certs, | |
| 102 certificate)) { | |
| 103 NOTREACHED(); | |
| 104 return false; | |
| 105 } | |
| 106 request_params->set_hostname(params.hostname()); | |
| 107 request_params->set_flags(params.flags()); | |
| 108 request_params->set_ocsp_response(params.ocsp_response()); | |
| 109 for (const scoped_refptr<net::X509Certificate>& cert : | |
|
Ryan Sleevi
2016/06/21 20:31:02
can use "const auto&" here
ramant (doing other things)
2016/06/22 03:51:36
Done.
| |
| 110 params.additional_trust_anchors()) { | |
| 111 certificate = request_params->add_additional_trust_anchors(); | |
| 112 if (!SerializeCertificate(cert.get(), serialized_certs, certificate)) { | |
| 113 NOTREACHED(); | |
| 114 return false; | |
| 115 } | |
| 116 } | |
| 117 return true; | |
| 118 } | |
| 119 | |
| 120 // Serializes |result| into |cached_result|, updating |serialized_certs| with | |
| 121 // the set of raw certificates that will be needed to deserialize the | |
| 122 // certificate in |cached_result| via DeserializeCertificate(). | |
| 123 bool SerializeCachedResult( | |
| 124 const net::CertVerifyResult& result, | |
| 125 SerializedCertMap* serialized_certs, | |
| 126 cronet_pb::CertVerificationCachedResult* cached_result) { | |
| 127 cronet_pb::CertVerificationResult* cert_verification_result = | |
| 128 cached_result->mutable_result(); | |
| 129 cronet_pb::CertVerificationCertificate* certificate = | |
| 130 cert_verification_result->mutable_verified_cert(); | |
| 131 if (!SerializeCertificate(result.verified_cert.get(), serialized_certs, | |
| 132 certificate)) { | |
| 133 NOTREACHED(); | |
| 134 return false; | |
| 135 } | |
| 136 cert_verification_result->set_cert_status(result.cert_status); | |
| 137 cert_verification_result->set_has_md2(result.has_md2); | |
| 138 cert_verification_result->set_has_md4(result.has_md4); | |
| 139 cert_verification_result->set_has_md5(result.has_md5); | |
| 140 cert_verification_result->set_has_sha1(result.has_sha1); | |
| 141 cert_verification_result->set_has_sha1_leaf(result.has_sha1_leaf); | |
| 142 for (const net::HashValue& value : result.public_key_hashes) | |
| 143 cert_verification_result->add_public_key_hashes(value.ToString()); | |
| 144 cert_verification_result->set_is_issued_by_known_root( | |
| 145 result.is_issued_by_known_root); | |
| 146 cert_verification_result->set_is_issued_by_additional_trust_anchor( | |
| 147 result.is_issued_by_additional_trust_anchor); | |
| 148 cert_verification_result->set_common_name_fallback_used( | |
| 149 result.common_name_fallback_used); | |
| 150 return true; | |
| 151 } | |
| 152 | |
| 153 // Deserializes |cached_result| using the certificate database provided in | |
| 154 // |deserialized_certs|. Returns the parsed net::CertVerifyResult on success, or | |
| 155 // nullptr if deserialization failed. | |
| 156 bool DeserializeCachedResult( | |
| 157 const cronet_pb::CertVerificationCachedResult& cached_result, | |
| 158 const DeserializedCertMap& deserialized_certs, | |
| 159 int* error, | |
| 160 net::CertVerifyResult* result) { | |
| 161 if (!cached_result.has_error() || !cached_result.has_result()) | |
| 162 return false; | |
| 163 | |
| 164 const cronet_pb::CertVerificationResult& cert_verification_result = | |
| 165 cached_result.result(); | |
| 166 if (!cert_verification_result.has_verified_cert() || | |
| 167 !cert_verification_result.has_cert_status()) { | |
| 168 return false; | |
| 169 } | |
| 170 | |
| 171 *error = cached_result.error(); | |
| 172 | |
| 173 result->verified_cert = DeserializeCertificate( | |
| 174 cert_verification_result.verified_cert(), deserialized_certs); | |
| 175 if (!result->verified_cert) | |
| 176 return false; | |
| 177 | |
| 178 for (int i = 0; i < cert_verification_result.public_key_hashes_size(); ++i) { | |
| 179 const std::string& public_key_hash = | |
| 180 cert_verification_result.public_key_hashes(i); | |
| 181 net::HashValue hash; | |
| 182 if (!hash.FromString(public_key_hash)) | |
| 183 return false; | |
| 184 result->public_key_hashes.push_back(hash); | |
| 185 } | |
| 186 result->cert_status = cert_verification_result.cert_status(); | |
| 187 result->has_md2 = cert_verification_result.has_md2(); | |
| 188 result->has_md4 = cert_verification_result.has_md4(); | |
| 189 result->has_md5 = cert_verification_result.has_md5(); | |
| 190 result->has_sha1 = cert_verification_result.has_sha1(); | |
| 191 result->has_sha1_leaf = cert_verification_result.has_sha1_leaf(); | |
| 192 result->is_issued_by_known_root = | |
| 193 cert_verification_result.is_issued_by_known_root(); | |
| 194 result->is_issued_by_additional_trust_anchor = | |
| 195 cert_verification_result.is_issued_by_additional_trust_anchor(); | |
| 196 result->common_name_fallback_used = | |
| 197 cert_verification_result.common_name_fallback_used(); | |
| 198 return true; | |
| 199 } | |
| 200 | |
| 201 // Serializes |params|, |error|, |verify_result| and |verification_time| into | |
| 202 // |cert_cache|, updating |serialized_certs| with the set of raw certificates | |
| 203 // that will be needed to deserialize the certificate in |cert_cache| via | |
| 204 // DeserializeCertificate(). | |
| 205 bool SerializeCachedEntry(const net::CachingCertVerifier::RequestParams& params, | |
| 206 int error, | |
| 207 const net::CertVerifyResult& verify_result, | |
| 208 base::Time verification_time, | |
| 209 cronet_pb::CertVerificationCache* cert_cache, | |
| 210 SerializedCertMap* serialized_certs) { | |
| 211 cronet_pb::CertVerificationCacheEntry* cache_entry = | |
| 212 cert_cache->add_cache_entry(); | |
| 213 | |
| 214 cronet_pb::CertVerificationRequestParams* request_params = | |
| 215 cache_entry->mutable_request_params(); | |
| 216 if (!SerializeRequestParams(params, serialized_certs, request_params)) | |
| 217 return false; | |
| 218 | |
| 219 cronet_pb::CertVerificationCachedResult* cached_result = | |
| 220 cache_entry->mutable_cached_result(); | |
| 221 if (!SerializeCachedResult(verify_result, serialized_certs, cached_result)) | |
| 222 return false; | |
| 223 cached_result->set_error(error); | |
| 224 | |
| 225 cache_entry->set_verification_time(verification_time.ToInternalValue()); | |
| 226 return true; | |
| 227 } | |
| 228 | |
| 229 class CacheVisitor : public net::CachingCertVerifier::CacheVisitor { | |
| 230 public: | |
| 231 CacheVisitor() : failed_to_serialize_(false) {} | |
| 232 ~CacheVisitor() override {} | |
| 233 | |
| 234 bool VisitEntry(const net::CachingCertVerifier::RequestParams& params, | |
| 235 int error, | |
| 236 const net::CertVerifyResult& verify_result, | |
| 237 base::Time verification_time, | |
| 238 base::Time expiration_time) override { | |
| 239 if (!SerializeCachedEntry(params, error, verify_result, verification_time, | |
| 240 &cert_cache_, &serialized_certs_)) { | |
| 241 Reset(); | |
| 242 return false; | |
| 243 } | |
| 244 return true; | |
| 245 } | |
| 246 | |
| 247 void Reset() { | |
| 248 cert_cache_ = cronet_pb::CertVerificationCache(); | |
| 249 failed_to_serialize_ = true; | |
| 250 } | |
| 251 | |
| 252 void SerializeCerts() { | |
| 253 for (auto cert : serialized_certs_) { | |
|
Ryan Sleevi
2016/06/21 20:31:02
const auto& cert
ramant (doing other things)
2016/06/22 03:51:36
Done.
| |
| 254 cronet_pb::CertVerificationCertificateData* cert_entry = | |
| 255 cert_cache_.add_cert_entry(); | |
| 256 cert_entry->set_cert(cert.first); | |
| 257 cert_entry->set_cert_number(cert.second); | |
| 258 } | |
| 259 } | |
| 260 | |
| 261 const cronet_pb::CertVerificationCache& cert_cache() const { | |
| 262 return cert_cache_; | |
| 263 } | |
| 264 | |
| 265 bool failed_to_serialize() const { return failed_to_serialize_; } | |
| 266 | |
| 267 cronet_pb::CertVerificationCache cert_cache_; | |
| 268 SerializedCertMap serialized_certs_; | |
| 269 bool failed_to_serialize_; | |
| 270 }; | |
| 271 | |
| 272 struct CertVerifierCacheEntry { | |
| 273 CertVerifierCacheEntry(const net::CertVerifier::RequestParams& params, | |
| 274 int error, | |
| 275 const net::CertVerifyResult& result, | |
| 276 base::Time verification_time) | |
| 277 : params(params), | |
| 278 error(error), | |
| 279 result(result), | |
| 280 verification_time(verification_time) {} | |
| 281 | |
| 282 net::CertVerifier::RequestParams params; | |
| 283 int error; | |
| 284 net::CertVerifyResult result; | |
| 285 base::Time verification_time; | |
| 286 }; | |
| 287 | |
| 288 } // namespace | |
| 289 | |
| 290 cronet_pb::CertVerificationCache SerializeCertVerifierCache( | |
| 291 const net::CachingCertVerifier& verifier) { | |
| 292 CacheVisitor visitor; | |
| 293 verifier.VisitEntries(&visitor); | |
| 294 | |
| 295 if (!visitor.failed_to_serialize()) | |
| 296 visitor.SerializeCerts(); | |
| 297 return visitor.cert_cache(); | |
| 298 } | |
| 299 | |
| 300 bool DeserializeCertVerifierCache( | |
| 301 const cronet_pb::CertVerificationCache& cert_cache, | |
| 302 net::CachingCertVerifier* verifier) { | |
| 303 DeserializedCertMap deserialized_certs; | |
| 304 | |
| 305 if (cert_cache.cert_entry_size() == 0u || | |
| 306 cert_cache.cache_entry_size() == 0u) { | |
| 307 return false; | |
| 308 } | |
| 309 | |
| 310 // Build |deserialized_certs|'s certificate map. | |
| 311 for (int i = 0; i < cert_cache.cert_entry_size(); ++i) { | |
| 312 const cronet_pb::CertVerificationCertificateData& cert_entry = | |
| 313 cert_cache.cert_entry(i); | |
| 314 if (!cert_entry.has_cert() || !cert_entry.has_cert_number()) | |
| 315 return false; | |
| 316 deserialized_certs.insert({cert_entry.cert_number(), cert_entry.cert()}); | |
| 317 } | |
| 318 | |
| 319 std::vector<std::unique_ptr<CertVerifierCacheEntry>> | |
| 320 cert_verifier_cache_entries; | |
| 321 for (int i = 0; i < cert_cache.cache_entry_size(); ++i) { | |
| 322 const cronet_pb::CertVerificationCacheEntry& cache_entry = | |
| 323 cert_cache.cache_entry(i); | |
| 324 | |
| 325 // Verify |cache_entry|'s data. | |
| 326 if (!cache_entry.has_request_params() || | |
| 327 !cache_entry.has_verification_time() || | |
| 328 !cache_entry.has_cached_result()) { | |
| 329 return false; | |
| 330 } | |
| 331 | |
| 332 const cronet_pb::CertVerificationRequestParams& request_params = | |
| 333 cache_entry.request_params(); | |
| 334 | |
| 335 // Verify |request_params|'s data. | |
| 336 if (!request_params.has_certificate() || !request_params.has_hostname() || | |
| 337 request_params.hostname().empty() || !request_params.has_flags() || | |
| 338 !request_params.has_ocsp_response()) { | |
| 339 return false; | |
| 340 } | |
| 341 | |
| 342 // Deserialize |request_params|'s certificate using the certificate | |
|
Ryan Sleevi
2016/06/21 20:31:02
s/ / /
ramant (doing other things)
2016/06/22 03:51:36
Done.
| |
| 343 // database provided in |deserialized_certs|. | |
| 344 scoped_refptr<net::X509Certificate> certificate = DeserializeCertificate( | |
| 345 request_params.certificate(), deserialized_certs); | |
| 346 if (!certificate) | |
| 347 return false; | |
| 348 | |
| 349 // Deserialize |request_params|'s trust anchor certificates using the | |
| 350 // certificate database provided in |deserialized_certs|. | |
| 351 net::CertificateList additional_trust_anchors; | |
| 352 for (int i = 0; i < request_params.additional_trust_anchors_size(); ++i) { | |
| 353 const cronet_pb::CertVerificationCertificate& certificate = | |
| 354 request_params.additional_trust_anchors(i); | |
| 355 scoped_refptr<net::X509Certificate> cert = | |
| 356 DeserializeCertificate(certificate, deserialized_certs); | |
| 357 if (!cert) | |
| 358 return false; | |
| 359 additional_trust_anchors.push_back(cert); | |
| 360 } | |
| 361 | |
| 362 net::CertVerifier::RequestParams params( | |
| 363 certificate, request_params.hostname(), request_params.flags(), | |
| 364 request_params.ocsp_response(), additional_trust_anchors); | |
| 365 | |
| 366 // Deserialize |cached_result| into |result|. | |
| 367 const cronet_pb::CertVerificationCachedResult& cached_result = | |
| 368 cache_entry.cached_result(); | |
| 369 net::CertVerifyResult result; | |
| 370 int error; | |
| 371 if (!DeserializeCachedResult(cached_result, deserialized_certs, &error, | |
| 372 &result)) { | |
| 373 return false; | |
| 374 } | |
| 375 | |
| 376 base::Time verification_time = | |
| 377 base::Time::FromInternalValue(cache_entry.verification_time()); | |
| 378 if (verification_time.is_null() || verification_time >= base::Time::Now()) | |
|
Ryan Sleevi
2016/06/21 20:31:02
It's unclear why you're making this check (which i
ramant (doing other things)
2016/06/22 03:51:36
What do you think of my comment?
Done.
| |
| 379 return false; | |
| 380 | |
| 381 std::unique_ptr<CertVerifierCacheEntry> cert_verifier_cache_entry( | |
| 382 new CertVerifierCacheEntry(params, error, result, verification_time)); | |
| 383 cert_verifier_cache_entries.push_back(std::move(cert_verifier_cache_entry)); | |
| 384 } | |
| 385 | |
| 386 for (const auto& entry : cert_verifier_cache_entries) { | |
| 387 verifier->AddEntry(entry->params, entry->error, entry->result, | |
| 388 entry->verification_time); | |
| 389 } | |
| 390 return true; | |
| 391 } | |
| 392 | |
| 393 } // namespace cronet | |
| OLD | NEW |
