OLD | NEW |
(Empty) | |
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "components/cronet/android/cert/cert_verifier_cache_serializer.h" |
| 6 |
| 7 #include <string> |
| 8 #include <vector> |
| 9 |
| 10 #include "base/logging.h" |
| 11 #include "base/strings/string_piece.h" |
| 12 #include "base/time/time.h" |
| 13 #include "components/cronet/android/cert/proto/cert_verification.pb.h" |
| 14 #include "net/base/hash_value.h" |
| 15 #include "net/cert/caching_cert_verifier.h" |
| 16 #include "net/cert/cert_verify_result.h" |
| 17 #include "net/cert/x509_certificate.h" |
| 18 |
| 19 namespace cronet { |
| 20 |
| 21 namespace { |
| 22 |
| 23 // Map from each unique certificate to certificate number. |
| 24 typedef std::map<std::string, size_t> SerializedCertMap; |
| 25 // Map from certificate number to each unique certificate. |
| 26 typedef std::map<size_t, std::string> DeserializedCertMap; |
| 27 |
| 28 // Determine if |cert_handle| was already serialized. If so, simply return a |
| 29 // reference to that entry. Otherwise, add a new entry to the set of certs to |
| 30 // be serialized (|serialized_certs|). Returns true if |cert_handle| is |
| 31 // serialized correctly. |
| 32 bool SerializeCertHandle(const net::X509Certificate::OSCertHandle& cert_handle, |
| 33 SerializedCertMap* serialized_certs, |
| 34 size_t* cert_number) { |
| 35 std::string encoded; |
| 36 if (!net::X509Certificate::GetDEREncoded(cert_handle, &encoded)) |
| 37 return false; |
| 38 auto result = |
| 39 serialized_certs->insert({encoded, serialized_certs->size() + 1}); |
| 40 *cert_number = result.first->second; |
| 41 return true; |
| 42 } |
| 43 |
| 44 // Update |certificate| with certificate number and updates |serialized_certs| |
| 45 // with DER-encoded representation of certificate if the certicate is not in |
| 46 // |serialized_certs|. Returns true if data is serialized correctly. |
| 47 bool SerializeCertificate(net::X509Certificate* cert, |
| 48 SerializedCertMap* serialized_certs, |
| 49 cronet_pb::CertVerificationCertificate* certificate) { |
| 50 size_t cert_number = 0; |
| 51 if (!SerializeCertHandle(cert->os_cert_handle(), serialized_certs, |
| 52 &cert_number)) { |
| 53 return false; |
| 54 } |
| 55 certificate->add_cert_numbers(cert_number); |
| 56 const net::X509Certificate::X509Certificate::OSCertHandles& |
| 57 intermediate_ca_certs = cert->GetIntermediateCertificates(); |
| 58 for (const auto& intermediate : intermediate_ca_certs) { |
| 59 if (!SerializeCertHandle(intermediate, serialized_certs, &cert_number)) |
| 60 return false; |
| 61 certificate->add_cert_numbers(cert_number); |
| 62 } |
| 63 return true; |
| 64 } |
| 65 |
| 66 // Deserializes |certificate| using the certificate database provided in |
| 67 // |deserialized_certs|. Returns the parsed certificate on success, or nullptr |
| 68 // if deserialization failed. |
| 69 scoped_refptr<net::X509Certificate> DeserializeCertificate( |
| 70 const cronet_pb::CertVerificationCertificate& certificate, |
| 71 const DeserializedCertMap& deserialized_certs) { |
| 72 if (0 == certificate.cert_numbers_size()) |
| 73 return nullptr; |
| 74 std::vector<base::StringPiece> der_cert_pieces( |
| 75 certificate.cert_numbers_size()); |
| 76 for (int i = 0; i < certificate.cert_numbers_size(); ++i) { |
| 77 size_t cert_number = certificate.cert_numbers(i); |
| 78 DeserializedCertMap::const_iterator it = |
| 79 deserialized_certs.find(cert_number); |
| 80 if (it == deserialized_certs.end()) |
| 81 return nullptr; |
| 82 der_cert_pieces[i] = base::StringPiece(it->second); |
| 83 } |
| 84 return net::X509Certificate::CreateFromDERCertChain(der_cert_pieces); |
| 85 } |
| 86 |
| 87 // Serializes |params| into |request_params|, updating |serialized_certs| with |
| 88 // the set of raw certificates that will be needed to deserialize the |
| 89 // certificate in |request_params| via DeserializeCertificate(). |
| 90 bool SerializeRequestParams( |
| 91 const net::CertVerifier::RequestParams& params, |
| 92 SerializedCertMap* serialized_certs, |
| 93 cronet_pb::CertVerificationRequestParams* request_params) { |
| 94 cronet_pb::CertVerificationCertificate* certificate = |
| 95 request_params->mutable_certificate(); |
| 96 if (!SerializeCertificate(params.certificate().get(), serialized_certs, |
| 97 certificate)) { |
| 98 return false; |
| 99 } |
| 100 request_params->set_hostname(params.hostname()); |
| 101 request_params->set_flags(params.flags()); |
| 102 request_params->set_ocsp_response(params.ocsp_response()); |
| 103 for (const auto& cert : params.additional_trust_anchors()) { |
| 104 certificate = request_params->add_additional_trust_anchors(); |
| 105 if (!SerializeCertificate(cert.get(), serialized_certs, certificate)) |
| 106 return false; |
| 107 } |
| 108 return true; |
| 109 } |
| 110 |
| 111 // Serializes |result| into |cached_result|, updating |serialized_certs| with |
| 112 // the set of raw certificates that will be needed to deserialize the |
| 113 // certificate in |cached_result| via DeserializeCertificate(). |
| 114 bool SerializeCachedResult( |
| 115 const net::CertVerifyResult& result, |
| 116 SerializedCertMap* serialized_certs, |
| 117 cronet_pb::CertVerificationCachedResult* cached_result) { |
| 118 cronet_pb::CertVerificationResult* cert_verification_result = |
| 119 cached_result->mutable_result(); |
| 120 cronet_pb::CertVerificationCertificate* certificate = |
| 121 cert_verification_result->mutable_verified_cert(); |
| 122 if (!SerializeCertificate(result.verified_cert.get(), serialized_certs, |
| 123 certificate)) { |
| 124 return false; |
| 125 } |
| 126 cert_verification_result->set_cert_status(result.cert_status); |
| 127 cert_verification_result->set_has_md2(result.has_md2); |
| 128 cert_verification_result->set_has_md4(result.has_md4); |
| 129 cert_verification_result->set_has_md5(result.has_md5); |
| 130 cert_verification_result->set_has_sha1(result.has_sha1); |
| 131 cert_verification_result->set_has_sha1_leaf(result.has_sha1_leaf); |
| 132 for (const auto& value : result.public_key_hashes) |
| 133 cert_verification_result->add_public_key_hashes(value.ToString()); |
| 134 cert_verification_result->set_is_issued_by_known_root( |
| 135 result.is_issued_by_known_root); |
| 136 cert_verification_result->set_is_issued_by_additional_trust_anchor( |
| 137 result.is_issued_by_additional_trust_anchor); |
| 138 cert_verification_result->set_common_name_fallback_used( |
| 139 result.common_name_fallback_used); |
| 140 return true; |
| 141 } |
| 142 |
| 143 // Deserializes |cached_result| using the certificate database provided in |
| 144 // |deserialized_certs|. Returns the parsed net::CertVerifyResult on success, or |
| 145 // nullptr if deserialization failed. |
| 146 bool DeserializeCachedResult( |
| 147 const cronet_pb::CertVerificationCachedResult& cached_result, |
| 148 const DeserializedCertMap& deserialized_certs, |
| 149 int* error, |
| 150 net::CertVerifyResult* result) { |
| 151 if (!cached_result.has_error() || !cached_result.has_result()) |
| 152 return false; |
| 153 |
| 154 const cronet_pb::CertVerificationResult& cert_verification_result = |
| 155 cached_result.result(); |
| 156 if (!cert_verification_result.has_verified_cert() || |
| 157 !cert_verification_result.has_cert_status()) { |
| 158 return false; |
| 159 } |
| 160 |
| 161 *error = cached_result.error(); |
| 162 |
| 163 result->verified_cert = DeserializeCertificate( |
| 164 cert_verification_result.verified_cert(), deserialized_certs); |
| 165 if (!result->verified_cert) |
| 166 return false; |
| 167 |
| 168 for (int i = 0; i < cert_verification_result.public_key_hashes_size(); ++i) { |
| 169 const std::string& public_key_hash = |
| 170 cert_verification_result.public_key_hashes(i); |
| 171 net::HashValue hash; |
| 172 if (!hash.FromString(public_key_hash)) |
| 173 return false; |
| 174 result->public_key_hashes.push_back(hash); |
| 175 } |
| 176 result->cert_status = cert_verification_result.cert_status(); |
| 177 result->has_md2 = cert_verification_result.has_md2(); |
| 178 result->has_md4 = cert_verification_result.has_md4(); |
| 179 result->has_md5 = cert_verification_result.has_md5(); |
| 180 result->has_sha1 = cert_verification_result.has_sha1(); |
| 181 result->has_sha1_leaf = cert_verification_result.has_sha1_leaf(); |
| 182 result->is_issued_by_known_root = |
| 183 cert_verification_result.is_issued_by_known_root(); |
| 184 result->is_issued_by_additional_trust_anchor = |
| 185 cert_verification_result.is_issued_by_additional_trust_anchor(); |
| 186 result->common_name_fallback_used = |
| 187 cert_verification_result.common_name_fallback_used(); |
| 188 return true; |
| 189 } |
| 190 |
| 191 // Serializes |params|, |error|, |verify_result| and |verification_time| into |
| 192 // |cert_cache|, updating |serialized_certs| with the set of raw certificates |
| 193 // that will be needed to deserialize the certificate in |cert_cache| via |
| 194 // DeserializeCertificate(). |
| 195 bool SerializeCachedEntry(const net::CachingCertVerifier::RequestParams& params, |
| 196 int error, |
| 197 const net::CertVerifyResult& verify_result, |
| 198 base::Time verification_time, |
| 199 cronet_pb::CertVerificationCache* cert_cache, |
| 200 SerializedCertMap* serialized_certs) { |
| 201 cronet_pb::CertVerificationCacheEntry* cache_entry = |
| 202 cert_cache->add_cache_entry(); |
| 203 |
| 204 cronet_pb::CertVerificationRequestParams* request_params = |
| 205 cache_entry->mutable_request_params(); |
| 206 if (!SerializeRequestParams(params, serialized_certs, request_params)) |
| 207 return false; |
| 208 |
| 209 cronet_pb::CertVerificationCachedResult* cached_result = |
| 210 cache_entry->mutable_cached_result(); |
| 211 if (!SerializeCachedResult(verify_result, serialized_certs, cached_result)) |
| 212 return false; |
| 213 cached_result->set_error(error); |
| 214 |
| 215 cache_entry->set_verification_time(verification_time.ToInternalValue()); |
| 216 return true; |
| 217 } |
| 218 |
| 219 class CacheVisitor : public net::CachingCertVerifier::CacheVisitor { |
| 220 public: |
| 221 CacheVisitor() : failed_to_serialize_(false) {} |
| 222 ~CacheVisitor() override {} |
| 223 |
| 224 bool VisitEntry(const net::CachingCertVerifier::RequestParams& params, |
| 225 int error, |
| 226 const net::CertVerifyResult& verify_result, |
| 227 base::Time verification_time, |
| 228 base::Time expiration_time) override { |
| 229 if (!SerializeCachedEntry(params, error, verify_result, verification_time, |
| 230 &cert_cache_, &serialized_certs_)) { |
| 231 Reset(); |
| 232 return false; |
| 233 } |
| 234 return true; |
| 235 } |
| 236 |
| 237 void Reset() { |
| 238 cert_cache_ = cronet_pb::CertVerificationCache(); |
| 239 failed_to_serialize_ = true; |
| 240 } |
| 241 |
| 242 void SerializeCerts() { |
| 243 for (const auto& cert : serialized_certs_) { |
| 244 cronet_pb::CertVerificationCertificateData* cert_entry = |
| 245 cert_cache_.add_cert_entry(); |
| 246 cert_entry->set_cert(cert.first); |
| 247 cert_entry->set_cert_number(cert.second); |
| 248 } |
| 249 } |
| 250 |
| 251 const cronet_pb::CertVerificationCache& cert_cache() const { |
| 252 return cert_cache_; |
| 253 } |
| 254 |
| 255 bool failed_to_serialize() const { return failed_to_serialize_; } |
| 256 |
| 257 cronet_pb::CertVerificationCache cert_cache_; |
| 258 SerializedCertMap serialized_certs_; |
| 259 bool failed_to_serialize_; |
| 260 }; |
| 261 |
| 262 struct CertVerifierCacheEntry { |
| 263 CertVerifierCacheEntry(const net::CertVerifier::RequestParams& params, |
| 264 int error, |
| 265 const net::CertVerifyResult& result, |
| 266 base::Time verification_time) |
| 267 : params(params), |
| 268 error(error), |
| 269 result(result), |
| 270 verification_time(verification_time) {} |
| 271 |
| 272 net::CertVerifier::RequestParams params; |
| 273 int error; |
| 274 net::CertVerifyResult result; |
| 275 base::Time verification_time; |
| 276 }; |
| 277 |
| 278 } // namespace |
| 279 |
| 280 cronet_pb::CertVerificationCache SerializeCertVerifierCache( |
| 281 const net::CachingCertVerifier& verifier) { |
| 282 CacheVisitor visitor; |
| 283 verifier.VisitEntries(&visitor); |
| 284 |
| 285 if (!visitor.failed_to_serialize()) |
| 286 visitor.SerializeCerts(); |
| 287 return visitor.cert_cache(); |
| 288 } |
| 289 |
| 290 bool DeserializeCertVerifierCache( |
| 291 const cronet_pb::CertVerificationCache& cert_cache, |
| 292 net::CachingCertVerifier* verifier) { |
| 293 DeserializedCertMap deserialized_certs; |
| 294 |
| 295 if (cert_cache.cert_entry_size() == 0u || |
| 296 cert_cache.cache_entry_size() == 0u) { |
| 297 return false; |
| 298 } |
| 299 |
| 300 // Build |deserialized_certs|'s certificate map. |
| 301 for (int i = 0; i < cert_cache.cert_entry_size(); ++i) { |
| 302 const cronet_pb::CertVerificationCertificateData& cert_entry = |
| 303 cert_cache.cert_entry(i); |
| 304 if (!cert_entry.has_cert() || !cert_entry.has_cert_number()) |
| 305 return false; |
| 306 deserialized_certs.insert({cert_entry.cert_number(), cert_entry.cert()}); |
| 307 } |
| 308 |
| 309 std::vector<std::unique_ptr<CertVerifierCacheEntry>> |
| 310 cert_verifier_cache_entries; |
| 311 for (int i = 0; i < cert_cache.cache_entry_size(); ++i) { |
| 312 const cronet_pb::CertVerificationCacheEntry& cache_entry = |
| 313 cert_cache.cache_entry(i); |
| 314 |
| 315 // Verify |cache_entry|'s data. |
| 316 if (!cache_entry.has_request_params() || |
| 317 !cache_entry.has_verification_time() || |
| 318 !cache_entry.has_cached_result()) { |
| 319 return false; |
| 320 } |
| 321 |
| 322 const cronet_pb::CertVerificationRequestParams& request_params = |
| 323 cache_entry.request_params(); |
| 324 |
| 325 // Verify |request_params|'s data. |
| 326 if (!request_params.has_certificate() || !request_params.has_hostname() || |
| 327 request_params.hostname().empty() || !request_params.has_flags() || |
| 328 !request_params.has_ocsp_response()) { |
| 329 return false; |
| 330 } |
| 331 |
| 332 // Deserialize |request_params|'s certificate using the certificate database |
| 333 // provided in |deserialized_certs|. |
| 334 scoped_refptr<net::X509Certificate> certificate = DeserializeCertificate( |
| 335 request_params.certificate(), deserialized_certs); |
| 336 if (!certificate) |
| 337 return false; |
| 338 |
| 339 // Deserialize |request_params|'s trust anchor certificates using the |
| 340 // certificate database provided in |deserialized_certs|. |
| 341 net::CertificateList additional_trust_anchors; |
| 342 for (int i = 0; i < request_params.additional_trust_anchors_size(); ++i) { |
| 343 const cronet_pb::CertVerificationCertificate& certificate = |
| 344 request_params.additional_trust_anchors(i); |
| 345 scoped_refptr<net::X509Certificate> cert = |
| 346 DeserializeCertificate(certificate, deserialized_certs); |
| 347 if (!cert) |
| 348 return false; |
| 349 additional_trust_anchors.push_back(cert); |
| 350 } |
| 351 |
| 352 net::CertVerifier::RequestParams params( |
| 353 certificate, request_params.hostname(), request_params.flags(), |
| 354 request_params.ocsp_response(), additional_trust_anchors); |
| 355 |
| 356 // Deserialize |cached_result| into |result|. |
| 357 const cronet_pb::CertVerificationCachedResult& cached_result = |
| 358 cache_entry.cached_result(); |
| 359 net::CertVerifyResult result; |
| 360 int error; |
| 361 if (!DeserializeCachedResult(cached_result, deserialized_certs, &error, |
| 362 &result)) { |
| 363 return false; |
| 364 } |
| 365 |
| 366 base::Time verification_time = |
| 367 base::Time::FromInternalValue(cache_entry.verification_time()); |
| 368 // We are deserializing the data that was persisted in the past and thus |
| 369 // |verification_time| can not be in the future. |
| 370 if (verification_time.is_null() || verification_time >= base::Time::Now()) |
| 371 return false; |
| 372 |
| 373 std::unique_ptr<CertVerifierCacheEntry> cert_verifier_cache_entry( |
| 374 new CertVerifierCacheEntry(params, error, result, verification_time)); |
| 375 cert_verifier_cache_entries.push_back(std::move(cert_verifier_cache_entry)); |
| 376 } |
| 377 |
| 378 for (const auto& entry : cert_verifier_cache_entries) { |
| 379 verifier->AddEntry(entry->params, entry->error, entry->result, |
| 380 entry->verification_time); |
| 381 } |
| 382 return true; |
| 383 } |
| 384 |
| 385 } // namespace cronet |
OLD | NEW |