| Index: components/cronet/android/cert/cert_verifier_cache_serializer.cc
|
| diff --git a/components/cronet/android/cert/cert_verifier_cache_serializer.cc b/components/cronet/android/cert/cert_verifier_cache_serializer.cc
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..c6c1513092461bc5ba016b6778c278d032ba9397
|
| --- /dev/null
|
| +++ b/components/cronet/android/cert/cert_verifier_cache_serializer.cc
|
| @@ -0,0 +1,385 @@
|
| +// Copyright 2016 The Chromium Authors. All rights reserved.
|
| +// Use of this source code is governed by a BSD-style license that can be
|
| +// found in the LICENSE file.
|
| +
|
| +#include "components/cronet/android/cert/cert_verifier_cache_serializer.h"
|
| +
|
| +#include <string>
|
| +#include <vector>
|
| +
|
| +#include "base/logging.h"
|
| +#include "base/strings/string_piece.h"
|
| +#include "base/time/time.h"
|
| +#include "components/cronet/android/cert/proto/cert_verification.pb.h"
|
| +#include "net/base/hash_value.h"
|
| +#include "net/cert/caching_cert_verifier.h"
|
| +#include "net/cert/cert_verify_result.h"
|
| +#include "net/cert/x509_certificate.h"
|
| +
|
| +namespace cronet {
|
| +
|
| +namespace {
|
| +
|
| +// Map from each unique certificate to certificate number.
|
| +typedef std::map<std::string, size_t> SerializedCertMap;
|
| +// Map from certificate number to each unique certificate.
|
| +typedef std::map<size_t, std::string> DeserializedCertMap;
|
| +
|
| +// Determine if |cert_handle| was already serialized. If so, simply return a
|
| +// reference to that entry. Otherwise, add a new entry to the set of certs to
|
| +// be serialized (|serialized_certs|). Returns true if |cert_handle| is
|
| +// serialized correctly.
|
| +bool SerializeCertHandle(const net::X509Certificate::OSCertHandle& cert_handle,
|
| + SerializedCertMap* serialized_certs,
|
| + size_t* cert_number) {
|
| + std::string encoded;
|
| + if (!net::X509Certificate::GetDEREncoded(cert_handle, &encoded))
|
| + return false;
|
| + auto result =
|
| + serialized_certs->insert({encoded, serialized_certs->size() + 1});
|
| + *cert_number = result.first->second;
|
| + return true;
|
| +}
|
| +
|
| +// Update |certificate| with certificate number and updates |serialized_certs|
|
| +// with DER-encoded representation of certificate if the certicate is not in
|
| +// |serialized_certs|. Returns true if data is serialized correctly.
|
| +bool SerializeCertificate(net::X509Certificate* cert,
|
| + SerializedCertMap* serialized_certs,
|
| + cronet_pb::CertVerificationCertificate* certificate) {
|
| + size_t cert_number = 0;
|
| + if (!SerializeCertHandle(cert->os_cert_handle(), serialized_certs,
|
| + &cert_number)) {
|
| + return false;
|
| + }
|
| + certificate->add_cert_numbers(cert_number);
|
| + const net::X509Certificate::X509Certificate::OSCertHandles&
|
| + intermediate_ca_certs = cert->GetIntermediateCertificates();
|
| + for (const auto& intermediate : intermediate_ca_certs) {
|
| + if (!SerializeCertHandle(intermediate, serialized_certs, &cert_number))
|
| + return false;
|
| + certificate->add_cert_numbers(cert_number);
|
| + }
|
| + return true;
|
| +}
|
| +
|
| +// Deserializes |certificate| using the certificate database provided in
|
| +// |deserialized_certs|. Returns the parsed certificate on success, or nullptr
|
| +// if deserialization failed.
|
| +scoped_refptr<net::X509Certificate> DeserializeCertificate(
|
| + const cronet_pb::CertVerificationCertificate& certificate,
|
| + const DeserializedCertMap& deserialized_certs) {
|
| + if (0 == certificate.cert_numbers_size())
|
| + return nullptr;
|
| + std::vector<base::StringPiece> der_cert_pieces(
|
| + certificate.cert_numbers_size());
|
| + for (int i = 0; i < certificate.cert_numbers_size(); ++i) {
|
| + size_t cert_number = certificate.cert_numbers(i);
|
| + DeserializedCertMap::const_iterator it =
|
| + deserialized_certs.find(cert_number);
|
| + if (it == deserialized_certs.end())
|
| + return nullptr;
|
| + der_cert_pieces[i] = base::StringPiece(it->second);
|
| + }
|
| + return net::X509Certificate::CreateFromDERCertChain(der_cert_pieces);
|
| +}
|
| +
|
| +// Serializes |params| into |request_params|, updating |serialized_certs| with
|
| +// the set of raw certificates that will be needed to deserialize the
|
| +// certificate in |request_params| via DeserializeCertificate().
|
| +bool SerializeRequestParams(
|
| + const net::CertVerifier::RequestParams& params,
|
| + SerializedCertMap* serialized_certs,
|
| + cronet_pb::CertVerificationRequestParams* request_params) {
|
| + cronet_pb::CertVerificationCertificate* certificate =
|
| + request_params->mutable_certificate();
|
| + if (!SerializeCertificate(params.certificate().get(), serialized_certs,
|
| + certificate)) {
|
| + return false;
|
| + }
|
| + request_params->set_hostname(params.hostname());
|
| + request_params->set_flags(params.flags());
|
| + request_params->set_ocsp_response(params.ocsp_response());
|
| + for (const auto& cert : params.additional_trust_anchors()) {
|
| + certificate = request_params->add_additional_trust_anchors();
|
| + if (!SerializeCertificate(cert.get(), serialized_certs, certificate))
|
| + return false;
|
| + }
|
| + return true;
|
| +}
|
| +
|
| +// Serializes |result| into |cached_result|, updating |serialized_certs| with
|
| +// the set of raw certificates that will be needed to deserialize the
|
| +// certificate in |cached_result| via DeserializeCertificate().
|
| +bool SerializeCachedResult(
|
| + const net::CertVerifyResult& result,
|
| + SerializedCertMap* serialized_certs,
|
| + cronet_pb::CertVerificationCachedResult* cached_result) {
|
| + cronet_pb::CertVerificationResult* cert_verification_result =
|
| + cached_result->mutable_result();
|
| + cronet_pb::CertVerificationCertificate* certificate =
|
| + cert_verification_result->mutable_verified_cert();
|
| + if (!SerializeCertificate(result.verified_cert.get(), serialized_certs,
|
| + certificate)) {
|
| + return false;
|
| + }
|
| + cert_verification_result->set_cert_status(result.cert_status);
|
| + cert_verification_result->set_has_md2(result.has_md2);
|
| + cert_verification_result->set_has_md4(result.has_md4);
|
| + cert_verification_result->set_has_md5(result.has_md5);
|
| + cert_verification_result->set_has_sha1(result.has_sha1);
|
| + cert_verification_result->set_has_sha1_leaf(result.has_sha1_leaf);
|
| + for (const auto& value : result.public_key_hashes)
|
| + cert_verification_result->add_public_key_hashes(value.ToString());
|
| + cert_verification_result->set_is_issued_by_known_root(
|
| + result.is_issued_by_known_root);
|
| + cert_verification_result->set_is_issued_by_additional_trust_anchor(
|
| + result.is_issued_by_additional_trust_anchor);
|
| + cert_verification_result->set_common_name_fallback_used(
|
| + result.common_name_fallback_used);
|
| + return true;
|
| +}
|
| +
|
| +// Deserializes |cached_result| using the certificate database provided in
|
| +// |deserialized_certs|. Returns the parsed net::CertVerifyResult on success, or
|
| +// nullptr if deserialization failed.
|
| +bool DeserializeCachedResult(
|
| + const cronet_pb::CertVerificationCachedResult& cached_result,
|
| + const DeserializedCertMap& deserialized_certs,
|
| + int* error,
|
| + net::CertVerifyResult* result) {
|
| + if (!cached_result.has_error() || !cached_result.has_result())
|
| + return false;
|
| +
|
| + const cronet_pb::CertVerificationResult& cert_verification_result =
|
| + cached_result.result();
|
| + if (!cert_verification_result.has_verified_cert() ||
|
| + !cert_verification_result.has_cert_status()) {
|
| + return false;
|
| + }
|
| +
|
| + *error = cached_result.error();
|
| +
|
| + result->verified_cert = DeserializeCertificate(
|
| + cert_verification_result.verified_cert(), deserialized_certs);
|
| + if (!result->verified_cert)
|
| + return false;
|
| +
|
| + for (int i = 0; i < cert_verification_result.public_key_hashes_size(); ++i) {
|
| + const std::string& public_key_hash =
|
| + cert_verification_result.public_key_hashes(i);
|
| + net::HashValue hash;
|
| + if (!hash.FromString(public_key_hash))
|
| + return false;
|
| + result->public_key_hashes.push_back(hash);
|
| + }
|
| + result->cert_status = cert_verification_result.cert_status();
|
| + result->has_md2 = cert_verification_result.has_md2();
|
| + result->has_md4 = cert_verification_result.has_md4();
|
| + result->has_md5 = cert_verification_result.has_md5();
|
| + result->has_sha1 = cert_verification_result.has_sha1();
|
| + result->has_sha1_leaf = cert_verification_result.has_sha1_leaf();
|
| + result->is_issued_by_known_root =
|
| + cert_verification_result.is_issued_by_known_root();
|
| + result->is_issued_by_additional_trust_anchor =
|
| + cert_verification_result.is_issued_by_additional_trust_anchor();
|
| + result->common_name_fallback_used =
|
| + cert_verification_result.common_name_fallback_used();
|
| + return true;
|
| +}
|
| +
|
| +// Serializes |params|, |error|, |verify_result| and |verification_time| into
|
| +// |cert_cache|, updating |serialized_certs| with the set of raw certificates
|
| +// that will be needed to deserialize the certificate in |cert_cache| via
|
| +// DeserializeCertificate().
|
| +bool SerializeCachedEntry(const net::CachingCertVerifier::RequestParams& params,
|
| + int error,
|
| + const net::CertVerifyResult& verify_result,
|
| + base::Time verification_time,
|
| + cronet_pb::CertVerificationCache* cert_cache,
|
| + SerializedCertMap* serialized_certs) {
|
| + cronet_pb::CertVerificationCacheEntry* cache_entry =
|
| + cert_cache->add_cache_entry();
|
| +
|
| + cronet_pb::CertVerificationRequestParams* request_params =
|
| + cache_entry->mutable_request_params();
|
| + if (!SerializeRequestParams(params, serialized_certs, request_params))
|
| + return false;
|
| +
|
| + cronet_pb::CertVerificationCachedResult* cached_result =
|
| + cache_entry->mutable_cached_result();
|
| + if (!SerializeCachedResult(verify_result, serialized_certs, cached_result))
|
| + return false;
|
| + cached_result->set_error(error);
|
| +
|
| + cache_entry->set_verification_time(verification_time.ToInternalValue());
|
| + return true;
|
| +}
|
| +
|
| +class CacheVisitor : public net::CachingCertVerifier::CacheVisitor {
|
| + public:
|
| + CacheVisitor() : failed_to_serialize_(false) {}
|
| + ~CacheVisitor() override {}
|
| +
|
| + bool VisitEntry(const net::CachingCertVerifier::RequestParams& params,
|
| + int error,
|
| + const net::CertVerifyResult& verify_result,
|
| + base::Time verification_time,
|
| + base::Time expiration_time) override {
|
| + if (!SerializeCachedEntry(params, error, verify_result, verification_time,
|
| + &cert_cache_, &serialized_certs_)) {
|
| + Reset();
|
| + return false;
|
| + }
|
| + return true;
|
| + }
|
| +
|
| + void Reset() {
|
| + cert_cache_ = cronet_pb::CertVerificationCache();
|
| + failed_to_serialize_ = true;
|
| + }
|
| +
|
| + void SerializeCerts() {
|
| + for (const auto& cert : serialized_certs_) {
|
| + cronet_pb::CertVerificationCertificateData* cert_entry =
|
| + cert_cache_.add_cert_entry();
|
| + cert_entry->set_cert(cert.first);
|
| + cert_entry->set_cert_number(cert.second);
|
| + }
|
| + }
|
| +
|
| + const cronet_pb::CertVerificationCache& cert_cache() const {
|
| + return cert_cache_;
|
| + }
|
| +
|
| + bool failed_to_serialize() const { return failed_to_serialize_; }
|
| +
|
| + cronet_pb::CertVerificationCache cert_cache_;
|
| + SerializedCertMap serialized_certs_;
|
| + bool failed_to_serialize_;
|
| +};
|
| +
|
| +struct CertVerifierCacheEntry {
|
| + CertVerifierCacheEntry(const net::CertVerifier::RequestParams& params,
|
| + int error,
|
| + const net::CertVerifyResult& result,
|
| + base::Time verification_time)
|
| + : params(params),
|
| + error(error),
|
| + result(result),
|
| + verification_time(verification_time) {}
|
| +
|
| + net::CertVerifier::RequestParams params;
|
| + int error;
|
| + net::CertVerifyResult result;
|
| + base::Time verification_time;
|
| +};
|
| +
|
| +} // namespace
|
| +
|
| +cronet_pb::CertVerificationCache SerializeCertVerifierCache(
|
| + const net::CachingCertVerifier& verifier) {
|
| + CacheVisitor visitor;
|
| + verifier.VisitEntries(&visitor);
|
| +
|
| + if (!visitor.failed_to_serialize())
|
| + visitor.SerializeCerts();
|
| + return visitor.cert_cache();
|
| +}
|
| +
|
| +bool DeserializeCertVerifierCache(
|
| + const cronet_pb::CertVerificationCache& cert_cache,
|
| + net::CachingCertVerifier* verifier) {
|
| + DeserializedCertMap deserialized_certs;
|
| +
|
| + if (cert_cache.cert_entry_size() == 0u ||
|
| + cert_cache.cache_entry_size() == 0u) {
|
| + return false;
|
| + }
|
| +
|
| + // Build |deserialized_certs|'s certificate map.
|
| + for (int i = 0; i < cert_cache.cert_entry_size(); ++i) {
|
| + const cronet_pb::CertVerificationCertificateData& cert_entry =
|
| + cert_cache.cert_entry(i);
|
| + if (!cert_entry.has_cert() || !cert_entry.has_cert_number())
|
| + return false;
|
| + deserialized_certs.insert({cert_entry.cert_number(), cert_entry.cert()});
|
| + }
|
| +
|
| + std::vector<std::unique_ptr<CertVerifierCacheEntry>>
|
| + cert_verifier_cache_entries;
|
| + for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
|
| + const cronet_pb::CertVerificationCacheEntry& cache_entry =
|
| + cert_cache.cache_entry(i);
|
| +
|
| + // Verify |cache_entry|'s data.
|
| + if (!cache_entry.has_request_params() ||
|
| + !cache_entry.has_verification_time() ||
|
| + !cache_entry.has_cached_result()) {
|
| + return false;
|
| + }
|
| +
|
| + const cronet_pb::CertVerificationRequestParams& request_params =
|
| + cache_entry.request_params();
|
| +
|
| + // Verify |request_params|'s data.
|
| + if (!request_params.has_certificate() || !request_params.has_hostname() ||
|
| + request_params.hostname().empty() || !request_params.has_flags() ||
|
| + !request_params.has_ocsp_response()) {
|
| + return false;
|
| + }
|
| +
|
| + // Deserialize |request_params|'s certificate using the certificate database
|
| + // provided in |deserialized_certs|.
|
| + scoped_refptr<net::X509Certificate> certificate = DeserializeCertificate(
|
| + request_params.certificate(), deserialized_certs);
|
| + if (!certificate)
|
| + return false;
|
| +
|
| + // Deserialize |request_params|'s trust anchor certificates using the
|
| + // certificate database provided in |deserialized_certs|.
|
| + net::CertificateList additional_trust_anchors;
|
| + for (int i = 0; i < request_params.additional_trust_anchors_size(); ++i) {
|
| + const cronet_pb::CertVerificationCertificate& certificate =
|
| + request_params.additional_trust_anchors(i);
|
| + scoped_refptr<net::X509Certificate> cert =
|
| + DeserializeCertificate(certificate, deserialized_certs);
|
| + if (!cert)
|
| + return false;
|
| + additional_trust_anchors.push_back(cert);
|
| + }
|
| +
|
| + net::CertVerifier::RequestParams params(
|
| + certificate, request_params.hostname(), request_params.flags(),
|
| + request_params.ocsp_response(), additional_trust_anchors);
|
| +
|
| + // Deserialize |cached_result| into |result|.
|
| + const cronet_pb::CertVerificationCachedResult& cached_result =
|
| + cache_entry.cached_result();
|
| + net::CertVerifyResult result;
|
| + int error;
|
| + if (!DeserializeCachedResult(cached_result, deserialized_certs, &error,
|
| + &result)) {
|
| + return false;
|
| + }
|
| +
|
| + base::Time verification_time =
|
| + base::Time::FromInternalValue(cache_entry.verification_time());
|
| + // We are deserializing the data that was persisted in the past and thus
|
| + // |verification_time| can not be in the future.
|
| + if (verification_time.is_null() || verification_time >= base::Time::Now())
|
| + return false;
|
| +
|
| + std::unique_ptr<CertVerifierCacheEntry> cert_verifier_cache_entry(
|
| + new CertVerifierCacheEntry(params, error, result, verification_time));
|
| + cert_verifier_cache_entries.push_back(std::move(cert_verifier_cache_entry));
|
| + }
|
| +
|
| + for (const auto& entry : cert_verifier_cache_entries) {
|
| + verifier->AddEntry(entry->params, entry->error, entry->result,
|
| + entry->verification_time);
|
| + }
|
| + return true;
|
| +}
|
| +
|
| +} // namespace cronet
|
|
|
Chromium Code Reviews
Issue 2021433004:
Cert - protobufs to serialize and deserialize CertVerifierCache. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@Add_support_for_walking_1999733002