OLD | NEW |
(Empty) | |
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "net/cert/internal/cert_issuer_source_aia.h" |
| 6 |
| 7 #include "base/bind.h" |
| 8 #include "net/cert/cert_net_fetcher.h" |
| 9 #include "net/cert/internal/parsed_certificate.h" |
| 10 #include "url/gurl.h" |
| 11 |
| 12 namespace net { |
| 13 |
| 14 namespace { |
| 15 |
| 16 // TODO(mattm): These are arbitrary choices. Re-evaluate. |
| 17 const int kTimeoutMilliseconds = 10000; |
| 18 const int kMaxResponseBytes = 65536; |
| 19 const int kMaxFetchesPerCert = 5; |
| 20 |
| 21 class AiaRequest : public CertIssuerSource::Request { |
| 22 public: |
| 23 explicit AiaRequest(const CertIssuerSource::IssuerCallback& issuers_callback); |
| 24 ~AiaRequest() override; |
| 25 |
| 26 // CertIssuerSource::Request implementation. |
| 27 CompletionStatus GetNext(scoped_refptr<ParsedCertificate>* out_cert) override; |
| 28 |
| 29 void AddCertFetcherRequest( |
| 30 std::unique_ptr<CertNetFetcher::Request> cert_fetcher_request); |
| 31 |
| 32 void OnFetchCompleted(Error error, const std::vector<uint8_t>& fetched_bytes); |
| 33 |
| 34 private: |
| 35 bool HasNext() const { return current_result_ < results_.size(); } |
| 36 |
| 37 CertIssuerSource::IssuerCallback issuers_callback_; |
| 38 std::vector<std::unique_ptr<CertNetFetcher::Request>> cert_fetcher_requests_; |
| 39 size_t pending_requests_ = 0; |
| 40 std::vector<scoped_refptr<ParsedCertificate>> results_; |
| 41 size_t current_result_ = 0; |
| 42 |
| 43 DISALLOW_COPY_AND_ASSIGN(AiaRequest); |
| 44 }; |
| 45 |
| 46 AiaRequest::AiaRequest(const CertIssuerSource::IssuerCallback& issuers_callback) |
| 47 : issuers_callback_(issuers_callback) {} |
| 48 |
| 49 AiaRequest::~AiaRequest() = default; |
| 50 |
| 51 CompletionStatus AiaRequest::GetNext( |
| 52 scoped_refptr<ParsedCertificate>* out_cert) { |
| 53 if (HasNext()) { |
| 54 *out_cert = std::move(results_[current_result_++]); |
| 55 return CompletionStatus::SYNC; |
| 56 } |
| 57 *out_cert = nullptr; |
| 58 if (pending_requests_) |
| 59 return CompletionStatus::ASYNC; |
| 60 return CompletionStatus::SYNC; |
| 61 } |
| 62 |
| 63 void AiaRequest::AddCertFetcherRequest( |
| 64 std::unique_ptr<CertNetFetcher::Request> cert_fetcher_request) { |
| 65 DCHECK(cert_fetcher_request); |
| 66 cert_fetcher_requests_.push_back(std::move(cert_fetcher_request)); |
| 67 pending_requests_++; |
| 68 } |
| 69 |
| 70 void AiaRequest::OnFetchCompleted(Error error, |
| 71 const std::vector<uint8_t>& fetched_bytes) { |
| 72 DCHECK_GT(pending_requests_, 0U); |
| 73 pending_requests_--; |
| 74 bool client_waiting_for_callback = !HasNext(); |
| 75 if (error != OK) { |
| 76 // TODO(mattm): propagate error info. |
| 77 LOG(ERROR) << "AiaRequest::OnFetchCompleted got error " << error; |
| 78 } else { |
| 79 // RFC 5280 section 4.2.2.1: |
| 80 // |
| 81 // Conforming applications that support HTTP or FTP for accessing |
| 82 // certificates MUST be able to accept individual DER encoded |
| 83 // certificates and SHOULD be able to accept "certs-only" CMS messages. |
| 84 // |
| 85 // TODO(mattm): Is supporting CMS message format important? |
| 86 // |
| 87 // TODO(mattm): Avoid copying bytes. Change the CertNetFetcher and |
| 88 // ParsedCertificate interface to allow passing through ownership of the |
| 89 // bytes. |
| 90 if (!ParsedCertificate::CreateAndAddToVector( |
| 91 fetched_bytes.data(), fetched_bytes.size(), |
| 92 ParsedCertificate::DataSource::INTERNAL_COPY, &results_)) { |
| 93 // TODO(mattm): propagate error info. |
| 94 LOG(ERROR) << "Error parsing AIA data"; |
| 95 } |
| 96 } |
| 97 // If the client is waiting for results, need to run callback if: |
| 98 // * Some are available now. |
| 99 // * The last fetch finished, even with no results. (Client needs to know to |
| 100 // stop waiting.) |
| 101 if (client_waiting_for_callback && (HasNext() || pending_requests_ == 0)) |
| 102 issuers_callback_.Run(this); |
| 103 } |
| 104 |
| 105 } // namespace |
| 106 |
| 107 CertIssuerSourceAia::CertIssuerSourceAia(CertNetFetcher* cert_fetcher) |
| 108 : cert_fetcher_(cert_fetcher) {} |
| 109 |
| 110 CertIssuerSourceAia::~CertIssuerSourceAia() = default; |
| 111 |
| 112 void CertIssuerSourceAia::SyncGetIssuersOf( |
| 113 const ParsedCertificate* cert, |
| 114 std::vector<scoped_refptr<ParsedCertificate>>* issuers) { |
| 115 // CertIssuerSourceAia never returns synchronous results. |
| 116 } |
| 117 |
| 118 void CertIssuerSourceAia::AsyncGetIssuersOf( |
| 119 const ParsedCertificate* cert, |
| 120 const IssuerCallback& issuers_callback, |
| 121 std::unique_ptr<Request>* out_req) { |
| 122 out_req->reset(); |
| 123 |
| 124 if (!cert->has_authority_info_access()) |
| 125 return; |
| 126 |
| 127 // RFC 5280 section 4.2.2.1: |
| 128 // |
| 129 // An authorityInfoAccess extension may include multiple instances of |
| 130 // the id-ad-caIssuers accessMethod. The different instances may |
| 131 // specify different methods for accessing the same information or may |
| 132 // point to different information. |
| 133 |
| 134 std::vector<GURL> urls; |
| 135 for (const auto& uri : cert->ca_issuers_uris()) { |
| 136 GURL url(uri); |
| 137 if (url.is_valid()) { |
| 138 // TODO(mattm): do the kMaxFetchesPerCert check only on the number of |
| 139 // supported URL schemes, not all the URLs. |
| 140 if (urls.size() < kMaxFetchesPerCert) { |
| 141 urls.push_back(url); |
| 142 } else { |
| 143 // TODO(mattm): propagate error info. |
| 144 LOG(ERROR) << "kMaxFetchesPerCert exceeded, skipping"; |
| 145 } |
| 146 } else { |
| 147 // TODO(mattm): propagate error info. |
| 148 LOG(ERROR) << "invalid AIA URL: " << uri; |
| 149 } |
| 150 } |
| 151 if (urls.empty()) |
| 152 return; |
| 153 |
| 154 std::unique_ptr<AiaRequest> aia_request(new AiaRequest(issuers_callback)); |
| 155 |
| 156 for (const auto& url : urls) { |
| 157 // TODO(mattm): add synchronous failure mode to FetchCaIssuers interface so |
| 158 // that this doesn't need to wait for async callback just to tell that an |
| 159 // URL has an unsupported scheme? |
| 160 aia_request->AddCertFetcherRequest(cert_fetcher_->FetchCaIssuers( |
| 161 url, kTimeoutMilliseconds, kMaxResponseBytes, |
| 162 base::Bind(&AiaRequest::OnFetchCompleted, |
| 163 base::Unretained(aia_request.get())))); |
| 164 } |
| 165 |
| 166 *out_req = std::move(aia_request); |
| 167 } |
| 168 |
| 169 } // namespace net |
OLD | NEW |