Chromium Code Reviews| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright (c) 2016 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/extras/cert/cert_verifier_cache_persister.h" | |
| 6 | |
| 7 #include <vector> | |
| 8 | |
| 9 #include "base/logging.h" | |
| 10 #include "base/metrics/histogram_macros.h" | |
| 11 #include "base/strings/string_piece.h" | |
| 12 #include "base/time/time.h" | |
| 13 #include "net/base/hash_value.h" | |
| 14 #include "net/cert/caching_cert_verifier.h" | |
| 15 #include "net/cert/cert_type.h" | |
| 16 #include "net/cert/cert_verify_result.h" | |
| 17 #include "net/cert/x509_cert_types.h" | |
| 18 #include "net/cert/x509_certificate.h" | |
| 19 #include "net/extras/cert/proto/cert_verification.pb.h" | |
| 20 | |
| 21 namespace net { | |
| 22 | |
| 23 namespace { | |
| 24 | |
| 25 typedef std::vector<std::string> CertVector; | |
| 26 typedef std::map<std::string, size_t> EncodedCertMap; | |
| 27 | |
| 28 bool SerializeCertHandle(const X509Certificate::OSCertHandle& cert_handle, | |
| 29 CertVector* serialized_certs, | |
| 30 EncodedCertMap* encoded_certs, | |
| 31 size_t* cert_number) { | |
| 32 std::string encoded; | |
| 33 if (!X509Certificate::GetDEREncoded(cert_handle, &encoded)) { | |
| 34 DCHECK(false); | |
| 35 return false; | |
| 36 } | |
| 37 EncodedCertMap::const_iterator it = encoded_certs->find(encoded); | |
| 38 if (it != encoded_certs->end()) { | |
| 39 *cert_number = it->second; | |
| 40 } else { | |
| 41 serialized_certs->push_back(encoded); | |
| 42 *cert_number = serialized_certs->size() - 1; | |
| 43 encoded_certs->insert({encoded, *cert_number}); | |
| 44 } | |
| 45 return true; | |
| 46 } | |
| 47 | |
| 48 // Update |proto_certificate| with certificate number and updates | |
| 49 // |serialized_certs| with DER-encoded representation of certificate if the | |
| 50 // certicate is not in |serialized_certs|. Returns true if data is serialized | |
| 51 // correctly. | |
| 52 bool SerializeCertificate(const scoped_refptr<X509Certificate>& certificate, | |
| 53 CertVector* serialized_certs, | |
| 54 EncodedCertMap* encoded_certs, | |
| 55 CertVerificationCertificate* proto_certificate) { | |
| 56 size_t cert_number = 0; | |
| 57 if (!SerializeCertHandle(certificate->os_cert_handle(), serialized_certs, | |
| 58 encoded_certs, &cert_number)) { | |
| 59 DCHECK(false); | |
|
Ryan Sleevi
2016/06/08 21:38:10
DCHECK(false) is an anti-pattern
NOTREACHED() is
ramant (doing other things)
2016/06/09 00:51:39
Done.
| |
| 60 return false; | |
| 61 } | |
| 62 proto_certificate->add_cert_numbers(cert_number); | |
| 63 const X509Certificate::X509Certificate::OSCertHandles& intermediate_ca_certs = | |
| 64 certificate->GetIntermediateCertificates(); | |
| 65 for (size_t i = 0; i < intermediate_ca_certs.size(); ++i) { | |
| 66 if (!SerializeCertHandle(intermediate_ca_certs[i], serialized_certs, | |
| 67 encoded_certs, &cert_number)) { | |
| 68 DCHECK(false); | |
| 69 return false; | |
| 70 } | |
| 71 proto_certificate->add_cert_numbers(cert_number); | |
| 72 } | |
| 73 return true; | |
| 74 } | |
| 75 | |
| 76 // Returns deserialized certificate with the deserialized data from | |
| 77 // |proto_certificate|. | |
| 78 scoped_refptr<X509Certificate> DeserializeCertificate( | |
| 79 const CertVerificationCertificate& proto_certificate, | |
| 80 const CertVector& deserialized_der_certs) { | |
| 81 std::vector<base::StringPiece> der_cert_pieces( | |
| 82 proto_certificate.cert_numbers_size()); | |
| 83 for (int i = 0; i < proto_certificate.cert_numbers_size(); i++) { | |
| 84 size_t cert_number = proto_certificate.cert_numbers(i); | |
| 85 CHECK_LT(cert_number, deserialized_der_certs.size()); | |
| 86 der_cert_pieces[i] = base::StringPiece(deserialized_der_certs[cert_number]); | |
| 87 } | |
| 88 return X509Certificate::CreateFromDERCertChain(der_cert_pieces); | |
| 89 } | |
| 90 | |
| 91 // Update |proto_request_param| with RequestParams data from |params|. | |
| 92 bool SerializeRequestParams( | |
| 93 const CertVerifier::RequestParams& params, | |
| 94 CertVector* serialized_certs, | |
| 95 EncodedCertMap* encoded_certs, | |
| 96 CertVerificationRequestParams* proto_request_param) { | |
| 97 CertVerificationCertificate* proto_certificate = | |
| 98 proto_request_param->mutable_certificate(); | |
| 99 if (!SerializeCertificate(params.certificate(), serialized_certs, | |
| 100 encoded_certs, proto_certificate)) { | |
| 101 DCHECK(false); | |
| 102 return false; | |
| 103 } | |
| 104 proto_request_param->set_hostname(params.hostname()); | |
| 105 proto_request_param->set_flags(params.flags()); | |
| 106 proto_request_param->set_ocsp_response(params.ocsp_response()); | |
| 107 for (const scoped_refptr<X509Certificate>& cert : | |
| 108 params.additional_trust_anchors()) { | |
| 109 proto_certificate = proto_request_param->add_additional_trust_anchors(); | |
| 110 if (!SerializeCertificate(cert, serialized_certs, encoded_certs, | |
| 111 proto_certificate)) { | |
| 112 DCHECK(false); | |
| 113 return false; | |
| 114 } | |
| 115 } | |
| 116 return true; | |
| 117 } | |
| 118 | |
| 119 // Update |proto_cached_result| with CachedResult data from |cache_iterator|. | |
| 120 // |serialized_certs| contains a list of unique DER-encoded representation of | |
| 121 // certificates. | |
| 122 bool SerializeCachedResult(CachingCertVerifier::Iterator& cache_iterator, | |
| 123 CertVector* serialized_certs, | |
| 124 EncodedCertMap* encoded_certs, | |
| 125 CertVerificationCachedResult* proto_cached_result) { | |
| 126 proto_cached_result->set_error(cache_iterator.error()); | |
| 127 | |
| 128 // Serialize CertVerifyResult. | |
| 129 const CertVerifyResult& result = cache_iterator.verify_result(); | |
| 130 | |
| 131 CertVerificationResult* proto_result = proto_cached_result->mutable_result(); | |
| 132 CertVerificationCertificate* proto_certificate = | |
| 133 proto_result->mutable_verified_cert(); | |
| 134 if (!SerializeCertificate(result.verified_cert, serialized_certs, | |
| 135 encoded_certs, proto_certificate)) { | |
| 136 DCHECK(false); | |
| 137 return false; | |
| 138 } | |
| 139 proto_result->set_cert_status(result.cert_status); | |
| 140 proto_result->set_has_md2(result.has_md2); | |
| 141 proto_result->set_has_md4(result.has_md4); | |
| 142 proto_result->set_has_md5(result.has_md5); | |
| 143 proto_result->set_has_sha1(result.has_sha1); | |
| 144 proto_result->set_has_sha1_leaf(result.has_sha1_leaf); | |
| 145 for (const HashValue& value : result.public_key_hashes) | |
| 146 proto_result->add_public_key_hashes(value.ToString()); | |
| 147 proto_result->set_is_issued_by_known_root(result.is_issued_by_known_root); | |
| 148 proto_result->set_is_issued_by_additional_trust_anchor( | |
| 149 result.is_issued_by_additional_trust_anchor); | |
| 150 proto_result->set_common_name_fallback_used(result.common_name_fallback_used); | |
| 151 return true; | |
| 152 } | |
| 153 | |
| 154 // Update |error| and |result| with deserialized CachedResult data from | |
| 155 // |proto_cached_result|. Returns true if it is deserialized correctly. | |
| 156 bool DeserializeCachedResult( | |
| 157 const CertVerificationCachedResult& proto_cached_result, | |
| 158 const CertVector& deserialized_der_certs, | |
| 159 int* error, | |
| 160 CertVerifyResult* result) { | |
| 161 if (!proto_cached_result.has_error() || !proto_cached_result.has_result()) { | |
| 162 DCHECK(false); | |
| 163 return false; | |
| 164 } | |
| 165 | |
| 166 const CertVerificationResult& proto_result = proto_cached_result.result(); | |
| 167 if (!proto_result.has_verified_cert() || !proto_result.has_cert_status()) { | |
| 168 DCHECK(false); | |
| 169 return false; | |
| 170 } | |
| 171 | |
| 172 *error = proto_cached_result.error(); | |
| 173 | |
| 174 result->verified_cert = DeserializeCertificate(proto_result.verified_cert(), | |
| 175 deserialized_der_certs); | |
| 176 if (!result->verified_cert.get()) { | |
| 177 DCHECK(false); | |
| 178 return false; | |
| 179 } | |
| 180 | |
| 181 for (int i = 0; i < proto_result.public_key_hashes_size(); ++i) { | |
| 182 const ::std::string& public_key_hash = proto_result.public_key_hashes(i); | |
| 183 HashValue hash; | |
| 184 if (!hash.FromString(public_key_hash)) { | |
| 185 DCHECK(false); | |
| 186 return false; | |
| 187 } | |
| 188 result->public_key_hashes.push_back(hash); | |
| 189 } | |
| 190 result->cert_status = proto_result.cert_status(); | |
| 191 result->has_md2 = proto_result.has_md2(); | |
| 192 result->has_md4 = proto_result.has_md4(); | |
| 193 result->has_md5 = proto_result.has_md5(); | |
| 194 result->has_sha1 = proto_result.has_sha1(); | |
| 195 result->has_sha1_leaf = proto_result.has_sha1_leaf(); | |
| 196 result->is_issued_by_known_root = proto_result.is_issued_by_known_root(); | |
| 197 result->is_issued_by_additional_trust_anchor = | |
| 198 proto_result.is_issued_by_additional_trust_anchor(); | |
| 199 result->common_name_fallback_used = proto_result.common_name_fallback_used(); | |
| 200 return true; | |
| 201 } | |
| 202 | |
| 203 // Update |proto_cache_validity_period| with ValidityPeriod data from | |
| 204 // |cache_iterator|. | |
| 205 void SerializeValidityPeriod( | |
| 206 CachingCertVerifier::Iterator& cache_iterator, | |
| 207 CertVerificationCacheValidityPeriod* proto_cache_validity_period) { | |
| 208 proto_cache_validity_period->set_verification_time( | |
| 209 cache_iterator.verification_time().ToInternalValue()); | |
| 210 proto_cache_validity_period->set_expiration_time( | |
| 211 cache_iterator.expiration_time().ToInternalValue()); | |
| 212 } | |
| 213 | |
| 214 } // namespace | |
| 215 | |
| 216 CertVerifierCachePersister::CertVerifierCachePersister( | |
| 217 CachingCertVerifier* verifier) | |
| 218 : verifier_(verifier) {} | |
| 219 | |
| 220 CertVerifierCachePersister::~CertVerifierCachePersister() {} | |
| 221 | |
| 222 void CertVerifierCachePersister::SerializeCache(std::string* data) { | |
| 223 base::TimeTicks start_time(base::TimeTicks::Now()); | |
| 224 CertVerificationCache proto_cert_cache; | |
| 225 CertVector serialized_certs; | |
| 226 EncodedCertMap encoded_certs; | |
| 227 | |
| 228 CachingCertVerifier::Iterator cache_iterator(*verifier_); | |
| 229 for (; cache_iterator.HasNext(); cache_iterator.Advance()) { | |
| 230 CertVerificationCacheEntry* proto_cache_entry = | |
| 231 proto_cert_cache.add_cache_entry(); | |
| 232 | |
| 233 CertVerificationRequestParams* proto_request_param = | |
| 234 proto_cache_entry->mutable_request_params(); | |
| 235 if (!SerializeRequestParams(cache_iterator.params(), &serialized_certs, | |
| 236 &encoded_certs, proto_request_param)) { | |
| 237 DCHECK(false); | |
| 238 continue; | |
| 239 } | |
| 240 | |
| 241 CertVerificationCachedResult* proto_cached_result = | |
| 242 proto_cache_entry->mutable_cached_result(); | |
| 243 if (!SerializeCachedResult(cache_iterator, &serialized_certs, | |
| 244 &encoded_certs, proto_cached_result)) { | |
| 245 DCHECK(false); | |
| 246 continue; | |
| 247 } | |
| 248 | |
| 249 CertVerificationCacheValidityPeriod* proto_cache_validity_period = | |
| 250 proto_cache_entry->mutable_cache_validity_period(); | |
| 251 SerializeValidityPeriod(cache_iterator, proto_cache_validity_period); | |
| 252 } | |
| 253 for (const std::string& cert : serialized_certs) | |
| 254 proto_cert_cache.add_certs(cert); | |
| 255 | |
| 256 proto_cert_cache.SerializeToString(data); | |
| 257 UMA_HISTOGRAM_TIMES("Net.CertVerifierCachePersister.SerializeTime", | |
| 258 base::TimeTicks::Now() - start_time); | |
| 259 } | |
| 260 | |
| 261 bool CertVerifierCachePersister::LoadCache(const std::string& data) { | |
| 262 base::TimeTicks load_cache_start_time = base::TimeTicks::Now(); | |
| 263 CertVector deserialized_der_certs; | |
| 264 CertVerificationCache proto; | |
| 265 | |
| 266 if (!proto.ParseFromString(data) || proto.certs_size() == 0u || | |
| 267 proto.cache_entry_size() == 0u) { | |
| 268 return false; | |
| 269 } | |
| 270 | |
| 271 for (int i = 0; i < proto.certs_size(); ++i) | |
| 272 deserialized_der_certs.push_back(proto.certs(i)); | |
| 273 | |
| 274 bool detected_corrupted_data = false; | |
| 275 for (int i = 0; i < proto.cache_entry_size(); ++i) { | |
| 276 const CertVerificationCacheEntry& cache_entry = proto.cache_entry(i); | |
| 277 if (!cache_entry.has_request_params() || | |
| 278 !cache_entry.has_cache_validity_period() || | |
| 279 !cache_entry.has_cached_result()) { | |
| 280 detected_corrupted_data = true; | |
| 281 continue; | |
| 282 } | |
| 283 | |
| 284 const CertVerificationRequestParams& proto_request_params = | |
| 285 cache_entry.request_params(); | |
| 286 | |
| 287 if (!proto_request_params.has_certificate() || | |
| 288 !proto_request_params.has_hostname() || | |
| 289 proto_request_params.hostname().empty() || | |
| 290 !proto_request_params.has_flags() || | |
| 291 !proto_request_params.has_ocsp_response()) { | |
| 292 detected_corrupted_data = true; | |
| 293 continue; | |
| 294 } | |
| 295 | |
| 296 scoped_refptr<X509Certificate> certificate = DeserializeCertificate( | |
| 297 proto_request_params.certificate(), deserialized_der_certs); | |
| 298 if (!certificate.get()) { | |
| 299 detected_corrupted_data = true; | |
| 300 continue; | |
| 301 } | |
| 302 | |
| 303 std::string hostname(proto_request_params.hostname()); | |
| 304 int flags = proto_request_params.flags(); | |
| 305 std::string ocsp_response(proto_request_params.ocsp_response()); | |
| 306 CertificateList additional_trust_anchors; | |
| 307 for (int i = 0; i < proto_request_params.additional_trust_anchors_size(); | |
| 308 ++i) { | |
| 309 const CertVerificationCertificate& proto_certificate = | |
| 310 proto_request_params.additional_trust_anchors(i); | |
| 311 scoped_refptr<X509Certificate> cert = | |
| 312 DeserializeCertificate(proto_certificate, deserialized_der_certs); | |
| 313 if (cert.get()) | |
| 314 additional_trust_anchors.push_back(cert); | |
| 315 } | |
| 316 | |
| 317 CertVerifier::RequestParams params(certificate, hostname, flags, | |
| 318 ocsp_response, additional_trust_anchors); | |
| 319 | |
| 320 const CertVerificationCacheValidityPeriod& proto_cache_validity_period = | |
| 321 cache_entry.cache_validity_period(); | |
| 322 if (!proto_cache_validity_period.has_verification_time() || | |
| 323 !proto_cache_validity_period.has_expiration_time()) { | |
| 324 detected_corrupted_data = true; | |
| 325 continue; | |
| 326 } | |
| 327 base::Time verification_time = base::Time::FromInternalValue( | |
| 328 proto_cache_validity_period.verification_time()); | |
| 329 | |
| 330 const CertVerificationCachedResult& proto_cached_result = | |
| 331 cache_entry.cached_result(); | |
| 332 CertVerifyResult result; | |
| 333 int error; | |
| 334 if (!DeserializeCachedResult(proto_cached_result, deserialized_der_certs, | |
| 335 &error, &result)) { | |
| 336 detected_corrupted_data = true; | |
| 337 continue; | |
| 338 } | |
| 339 | |
| 340 if (!verifier_->AddEntry(params, error, result, verification_time)) { | |
| 341 detected_corrupted_data = true; | |
| 342 continue; | |
| 343 } | |
| 344 } | |
| 345 UMA_HISTOGRAM_COUNTS("Net.CertVerifierCachePersister.LoadCacheSize", | |
| 346 proto.cache_entry_size()); | |
| 347 UMA_HISTOGRAM_TIMES("Net.CertVerifierCachePersister.LoadCacheTime", | |
| 348 base::TimeTicks::Now() - load_cache_start_time); | |
| 349 return !detected_corrupted_data; | |
| 350 } | |
| 351 | |
| 352 } // namespace net | |
| OLD | NEW |