Cert - protobufs to serialize and deserialize CertVerifierCache.

components/cronet/cert/cert_verifier_cache_persister.cc

Index: components/cronet/cert/cert_verifier_cache_persister.cc
diff --git a/components/cronet/cert/cert_verifier_cache_persister.cc b/components/cronet/cert/cert_verifier_cache_persister.cc
new file mode 100644
index 0000000000000000000000000000000000000000..f26c6be47adecc5158cf3b4054eed197897cd1da
--- /dev/null
+++ b/components/cronet/cert/cert_verifier_cache_persister.cc
@@ -0,0 +1,326 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/cronet/cert/cert_verifier_cache_persister.h"
+
+#include <string>
+#include <vector>
+
+#include "base/logging.h"
+#include "base/metrics/histogram_macros.h"
+#include "base/strings/string_piece.h"
+#include "base/time/time.h"
+#include "components/cronet/cert/proto/cert_verification.pb.h"
+#include "net/base/hash_value.h"
+#include "net/cert/caching_cert_verifier.h"
+#include "net/cert/cert_type.h"
+#include "net/cert/cert_verify_result.h"
+#include "net/cert/x509_cert_types.h"
+#include "net/cert/x509_certificate.h"
+
+namespace cronet {
+
+namespace {
+
+typedef std::vector<std::string> CertVector;
+typedef std::map<std::string, size_t> SerializedCertMap;
+typedef std::map<size_t, std::string> DeserializedCertMap;
+
+bool SerializeCertHandle(const net::X509Certificate::OSCertHandle& cert_handle,
+                         SerializedCertMap* serialized_certs,
+                         size_t* cert_number) {
+  std::string encoded;
+  if (!net::X509Certificate::GetDEREncoded(cert_handle, &encoded)) {
+    NOTREACHED();
+    return false;
+  }
+  // Determine if |cert_handle| was already serialized. If so, simply return a
+  // reference to that entry. Otherwise, add a new entry to the set of certs to
+  // be serialized (|serialized_certs|).
+  auto result =
+      serialized_certs->insert({encoded, serialized_certs->size() + 1});
+  *cert_number = result.first->second;
+  return true;
+}
+
+// Update |certificate| with certificate number and updates |serialized_certs|
+// with DER-encoded representation of certificate if the certicate is not in
+// |serialized_certs|. Returns true if data is serialized correctly.
+bool SerializeCertificate(net::X509Certificate* cert,
+                          SerializedCertMap* serialized_certs,
+                          cronet_pb::CertVerificationCertificate* certificate) {
+  size_t cert_number = 0;
+  if (!SerializeCertHandle(cert->os_cert_handle(), serialized_certs,
+                           &cert_number)) {
+    NOTREACHED();
+    return false;
+  }
+  certificate->add_cert_numbers(cert_number);
+  const net::X509Certificate::X509Certificate::OSCertHandles&
+      intermediate_ca_certs = cert->GetIntermediateCertificates();
+  for (size_t i = 0; i < intermediate_ca_certs.size(); ++i) {
+    if (!SerializeCertHandle(intermediate_ca_certs[i], serialized_certs,
+                             &cert_number)) {
+      NOTREACHED();
+      return false;
+    }
+    certificate->add_cert_numbers(cert_number);
+  }
+  return true;
+}
+
+// Deserializes |certificate| using the certificate database provided in
+// |deserialized_certs|. Returns the parsed certificate on success, or nullptr
+// if deserialization failed.
+scoped_refptr<net::X509Certificate> DeserializeCertificate(
+    const cronet_pb::CertVerificationCertificate& certificate,
+    const DeserializedCertMap& deserialized_certs) {
+  if (0 == certificate.cert_numbers_size())
+    return nullptr;
+  std::vector<base::StringPiece> der_cert_pieces(
+      certificate.cert_numbers_size());
+  for (int i = 0; i < certificate.cert_numbers_size(); i++) {
+    size_t cert_number = certificate.cert_numbers(i);
+    DeserializedCertMap::const_iterator it =
+        deserialized_certs.find(cert_number);
+    if (it == deserialized_certs.end())
+      return nullptr;
+    der_cert_pieces[i] = base::StringPiece(it->second);
+  }
+  return net::X509Certificate::CreateFromDERCertChain(der_cert_pieces);
+}
+
+// Serializes |params| into |request_params|, updating |serialized_certs| with
+// the set of raw certificates that will be needed to deserialize the
+// certificate in |request_params| via DeserializeCertificate().
+bool SerializeRequestParams(
+    const net::CertVerifier::RequestParams& params,
+    SerializedCertMap* serialized_certs,
+    cronet_pb::CertVerificationRequestParams* request_params) {
+  cronet_pb::CertVerificationCertificate* certificate =
+      request_params->mutable_certificate();
+  if (!SerializeCertificate(params.certificate().get(), serialized_certs,
+                            certificate)) {
+    NOTREACHED();
+    return false;
+  }
+  request_params->set_hostname(params.hostname());
+  request_params->set_flags(params.flags());
+  request_params->set_ocsp_response(params.ocsp_response());
+  for (const scoped_refptr<net::X509Certificate>& cert :
+       params.additional_trust_anchors()) {
+    certificate = request_params->add_additional_trust_anchors();
+    if (!SerializeCertificate(cert.get(), serialized_certs, certificate)) {
+      NOTREACHED();
+      return false;
+    }
+  }
+  return true;
+}
+
+// Serializes |result| into |cached_result|, updating |serialized_certs| with
+// the set of raw certificates that will be needed to deserialize the
+// certificate in |cached_result| via DeserializeCertificate().
+bool SerializeCachedResult(
+    const net::CertVerifyResult& result,
+    SerializedCertMap* serialized_certs,
+    cronet_pb::CertVerificationCachedResult* cached_result) {
+  cronet_pb::CertVerificationResult* cert_verification_result =
+      cached_result->mutable_result();
+  cronet_pb::CertVerificationCertificate* certificate =
+      cert_verification_result->mutable_verified_cert();
+  if (!SerializeCertificate(result.verified_cert.get(), serialized_certs,
+                            certificate)) {
+    NOTREACHED();
+    return false;
+  }
+  cert_verification_result->set_cert_status(result.cert_status);
+  cert_verification_result->set_has_md2(result.has_md2);
+  cert_verification_result->set_has_md4(result.has_md4);
+  cert_verification_result->set_has_md5(result.has_md5);
+  cert_verification_result->set_has_sha1(result.has_sha1);
+  cert_verification_result->set_has_sha1_leaf(result.has_sha1_leaf);
+  for (const net::HashValue& value : result.public_key_hashes)
+    cert_verification_result->add_public_key_hashes(value.ToString());
+  cert_verification_result->set_is_issued_by_known_root(
+      result.is_issued_by_known_root);
+  cert_verification_result->set_is_issued_by_additional_trust_anchor(
+      result.is_issued_by_additional_trust_anchor);
+  cert_verification_result->set_common_name_fallback_used(
+      result.common_name_fallback_used);
+  return true;
+}
+
+// Deserializes |cached_result| using the certificate database provided in
+// |deserialized_certs|. Returns the parsed net::CertVerifyResult on success, or
+// nullptr if deserialization failed.
+bool DeserializeCachedResult(
+    const cronet_pb::CertVerificationCachedResult& cached_result,
+    const DeserializedCertMap& deserialized_certs,
+    int* error,
+    net::CertVerifyResult* result) {
+  if (!cached_result.has_error() || !cached_result.has_result())
+    return false;
+
+  const cronet_pb::CertVerificationResult& cert_verification_result =
+      cached_result.result();
+  if (!cert_verification_result.has_verified_cert() ||
+      !cert_verification_result.has_cert_status()) {
+    return false;
+  }
+
+  *error = cached_result.error();
+
+  result->verified_cert = DeserializeCertificate(
+      cert_verification_result.verified_cert(), deserialized_certs);
+  if (!result->verified_cert)
+    return false;
+
+  for (int i = 0; i < cert_verification_result.public_key_hashes_size(); ++i) {
+    const std::string& public_key_hash =
+        cert_verification_result.public_key_hashes(i);
+    net::HashValue hash;
+    if (!hash.FromString(public_key_hash))
+      return false;
+    result->public_key_hashes.push_back(hash);
+  }
+  result->cert_status = cert_verification_result.cert_status();
+  result->has_md2 = cert_verification_result.has_md2();
+  result->has_md4 = cert_verification_result.has_md4();
+  result->has_md5 = cert_verification_result.has_md5();
+  result->has_sha1 = cert_verification_result.has_sha1();
+  result->has_sha1_leaf = cert_verification_result.has_sha1_leaf();
+  result->is_issued_by_known_root =
+      cert_verification_result.is_issued_by_known_root();
+  result->is_issued_by_additional_trust_anchor =
+      cert_verification_result.is_issued_by_additional_trust_anchor();
+  result->common_name_fallback_used =
+      cert_verification_result.common_name_fallback_used();
+  return true;
+}
+
+}  // namespace
+
+cronet_pb::CertVerificationCache SerializeCertVerifierCache(
+    const net::CachingCertVerifier& verifier) {
+  cronet_pb::CertVerificationCache cert_cache;
+  SerializedCertMap serialized_certs;
+
+  net::CachingCertVerifier::Iterator cache_iterator(verifier);
+  for (; cache_iterator.HasNext(); cache_iterator.Advance()) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.add_cache_entry();
+
+    cronet_pb::CertVerificationRequestParams* request_params =
+        cache_entry->mutable_request_params();
+    if (!SerializeRequestParams(cache_iterator.params(), &serialized_certs,
+                                request_params)) {
+      NOTREACHED();
+      continue;
+    }
+
+    cronet_pb::CertVerificationCachedResult* cached_result =
+        cache_entry->mutable_cached_result();
+    cached_result->set_error(cache_iterator.error());
+    if (!SerializeCachedResult(cache_iterator.verify_result(),
+                               &serialized_certs, cached_result)) {
+      NOTREACHED();
+      continue;
+    }
+
+    cache_entry->set_verification_time(
+        cache_iterator.verification_time().ToInternalValue());
+  }
+  for (auto cert : serialized_certs) {
+    cronet_pb::CertVerificationCertificateData* cert_entry =
+        cert_cache.add_cert_entry();
+    cert_entry->set_cert(cert.first);
+    cert_entry->set_cert_number(cert.second);
+  }
+
+  return cert_cache;

[Ryan Sleevi, 2016/06/15 23:31:32]

Note: You're mutating |cert_cache| throughout your serialization, even if it
fails. That means you potentially end up serializing junk data in a way that can
seriously mess with your deserialization.

If serialization fails, shouldn't you fail-closed and serialize nothing?

[ramant (doing other things), 2016/06/17 02:45:14]

Done.

+}
+
+bool DeserializeCertVerifierCache(
+    const cronet_pb::CertVerificationCache& cert_cache,
+    net::CachingCertVerifier* verifier) {
+  DeserializedCertMap deserialized_certs;
+
+  if (cert_cache.cert_entry_size() == 0u ||
+      cert_cache.cache_entry_size() == 0u) {
+    return false;
+  }
+
+  // Build |deserialized_certs|'s certificate map.
+  for (int i = 0; i < cert_cache.cert_entry_size(); ++i) {
+    const cronet_pb::CertVerificationCertificateData& cert_entry =
+        cert_cache.cert_entry(i);
+    if (!cert_entry.has_cert() || !cert_entry.has_cert_number())
+      return false;
+    deserialized_certs.insert({cert_entry.cert_number(), cert_entry.cert()});
+  }
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    const cronet_pb::CertVerificationCacheEntry& cache_entry =
+        cert_cache.cache_entry(i);
+
+    // Verify |cache_entry|'s data.
+    if (!cache_entry.has_request_params() ||
+        !cache_entry.has_verification_time() ||
+        !cache_entry.has_cached_result()) {
+      return false;
+    }
+
+    const cronet_pb::CertVerificationRequestParams& request_params =
+        cache_entry.request_params();
+
+    // Verify |request_params|'s data.
+    if (!request_params.has_certificate() || !request_params.has_hostname() ||
+        request_params.hostname().empty() || !request_params.has_flags() ||
+        !request_params.has_ocsp_response()) {
+      return false;
+    }
+
+    // Deserialize |request_params|'s certificate  using the certificate
+    // database provided in |deserialized_certs|.
+    scoped_refptr<net::X509Certificate> certificate = DeserializeCertificate(
+        request_params.certificate(), deserialized_certs);
+    if (!certificate)
+      return false;
+
+    // Deserialize |request_params|'s trust anchor certificates using the
+    // certificate database provided in |deserialized_certs|.
+    net::CertificateList additional_trust_anchors;
+    for (int i = 0; i < request_params.additional_trust_anchors_size(); ++i) {
+      const cronet_pb::CertVerificationCertificate& certificate =
+          request_params.additional_trust_anchors(i);
+      scoped_refptr<net::X509Certificate> cert =
+          DeserializeCertificate(certificate, deserialized_certs);
+      if (!cert)
+        return false;
+      additional_trust_anchors.push_back(cert);
+    }
+
+    net::CertVerifier::RequestParams params(
+        certificate, request_params.hostname(), request_params.flags(),
+        request_params.ocsp_response(), additional_trust_anchors);
+
+    // Deserialize |cached_result| into |result|.
+    const cronet_pb::CertVerificationCachedResult& cached_result =
+        cache_entry.cached_result();
+    net::CertVerifyResult result;
+    int error;
+    if (!DeserializeCachedResult(cached_result, deserialized_certs, &error,
+                                 &result)) {
+      return false;
+    }
+
+    verifier->AddEntry(
+        params, error, result,
+        base::Time::FromInternalValue(cache_entry.verification_time()));

[Ryan Sleevi, 2016/06/15 23:31:31]

BUG?: Not checking if this deserializes properly into a valid time

[ramant (doing other things), 2016/06/17 02:45:14]

At line 270 was doing !cache_entry.has_verification_time().
Added check for is_null.
Added a check for verification_time not being in future.
Any other checks?

Done.

+  }
+  return true;
+}
+
+}  // namespace cronet