OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2016 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "net/cert/internal/cert_issuer_source_aia.h" | |
6 | |
7 #include "base/bind.h" | |
8 #include "net/cert/internal/parsed_certificate.h" | |
9 #include "url/gurl.h" | |
10 | |
11 namespace net { | |
12 | |
13 namespace { | |
14 | |
15 // TODO(mattm): These are arbitrary choices. Re-evaluate. | |
16 const int kTimeoutMilliseconds = 10000; | |
17 const int kMaxResponseBytes = 65536; | |
18 const int kMaxFetchesPerCert = 5; | |
19 | |
20 } // namespace | |
21 | |
22 CertIssuerSourceAia::CertIssuerSourceAia(CertNetFetcher* cert_fetcher) | |
23 : cert_fetcher_(cert_fetcher) {} | |
24 | |
25 CertIssuerSourceAia::~CertIssuerSourceAia() = default; | |
26 | |
27 void CertIssuerSourceAia::SyncGetIssuersOf( | |
28 const ParsedCertificate* cert, | |
29 std::vector<scoped_refptr<ParsedCertificate>>* issuers) { | |
30 // CertIssuerSourceAia never returns synchronous results. | |
31 } | |
32 | |
33 void CertIssuerSourceAia::AsyncGetIssuersOf( | |
34 const ParsedCertificate* cert, | |
35 const IssuerCallback& issuers_callback, | |
36 std::unique_ptr<Request>* out_req) { | |
37 if (!cert->has_authority_info_access()) | |
38 return; | |
39 | |
40 // RFC 5280 section 4.2.2.1: | |
41 // | |
42 // An authorityInfoAccess extension may include multiple instances of | |
43 // the id-ad-caIssuers accessMethod. The different instances may | |
44 // specify different methods for accessing the same information or may | |
45 // point to different information. | |
46 | |
47 std::vector<GURL> urls; | |
48 for (const auto& uri : cert->ca_issuers_uris()) { | |
49 GURL url(uri); | |
50 if (url.is_valid()) { | |
51 // TODO(mattm): do the kMaxFetchesPerCert check only on the number of | |
52 // supported URL schemes, not all the URLs. | |
53 if (urls.size() < kMaxFetchesPerCert) { | |
54 urls.push_back(url); | |
55 } else { | |
56 // TODO(mattm): propagate error info. | |
57 LOG(ERROR) << "kMaxFetchesPerCert exceeded, skipping"; | |
58 } | |
59 } else { | |
60 // TODO(mattm): propagate error info. | |
61 LOG(ERROR) << "invalid AIA URL: " << uri; | |
62 } | |
63 } | |
64 if (urls.empty()) | |
65 return; | |
66 | |
67 std::unique_ptr<AiaRequest> aia_request(new AiaRequest(issuers_callback)); | |
68 | |
69 for (const auto& url : urls) { | |
70 // TODO(mattm): add synchronous failure mode to FetchCaIssuers interface so | |
71 // that this doesn't need to wait for async callback just to tell that an | |
72 // URL has an unsupported scheme? | |
73 aia_request->AddCertFetcherRequest(cert_fetcher_->FetchCaIssuers( | |
74 url, kTimeoutMilliseconds, kMaxResponseBytes, | |
75 base::Bind(&AiaRequest::FetchCallback, | |
76 base::Unretained(aia_request.get())))); | |
77 } | |
78 | |
79 *out_req = std::move(aia_request); | |
80 } | |
81 | |
82 CertIssuerSourceAia::AiaRequest::AiaRequest( | |
83 const IssuerCallback& issuers_callback) | |
84 : issuers_callback_(issuers_callback) {} | |
85 | |
86 CertIssuerSourceAia::AiaRequest::~AiaRequest() = default; | |
87 | |
88 CompletionStatus CertIssuerSourceAia::AiaRequest::GetNext( | |
89 scoped_refptr<ParsedCertificate>* out_cert) { | |
90 if (current_result_ < results_.size()) { | |
91 *out_cert = std::move(results_[current_result_++]); | |
92 return CompletionStatus::SYNC; | |
93 } | |
94 *out_cert = nullptr; | |
95 if (pending_requests_) | |
96 return CompletionStatus::ASYNC; | |
97 return CompletionStatus::SYNC; | |
98 } | |
99 | |
100 void CertIssuerSourceAia::AiaRequest::AddCertFetcherRequest( | |
101 std::unique_ptr<CertNetFetcher::Request> cert_fetcher_request) { | |
102 cert_fetcher_requests_.push_back(std::move(cert_fetcher_request)); | |
eroman
2016/06/04 01:08:47
Should this DCHECK that cert_fetcher_request != nu
mattm
2016/06/04 03:24:08
Done.
| |
103 pending_requests_++; | |
104 } | |
105 | |
106 void CertIssuerSourceAia::AiaRequest::FetchCallback( | |
eroman
2016/06/04 01:08:47
optional nit: Might I suggest OnFetchCompleted() o
mattm
2016/06/04 03:24:08
Done.
| |
107 Error error, | |
108 const std::vector<uint8_t>& fetched_bytes) { | |
109 DCHECK(pending_requests_ > 0); | |
eroman
2016/06/04 01:08:47
nit: DCHECK_GT
mattm
2016/06/04 03:24:08
Done.
| |
110 pending_requests_--; | |
111 bool client_waiting_for_callback = current_result_ >= results_.size(); | |
112 if (error != OK) { | |
113 // TODO(mattm): propagate error info. | |
114 LOG(ERROR) << "AiaRequest::FetchCallback got error " << error; | |
115 } else { | |
116 // RFC 5280 section 4.2.2.1: | |
117 // | |
118 // Conforming applications that support HTTP or FTP for accessing | |
119 // certificates MUST be able to accept individual DER encoded | |
120 // certificates and SHOULD be able to accept "certs-only" CMS messages. | |
121 // | |
122 // TODO(mattm): Is supporting CMS message format important? | |
eroman
2016/06/04 01:08:47
My expectation is no, but TODO sgtm until we can d
mattm
2016/06/04 03:24:08
Acknowledged.
| |
123 // | |
124 // TODO(mattm): Avoid copying bytes. Change the CertNetFetcher and | |
125 // ParsedCertificate interface to allow passing through ownership of the | |
126 // bytes. | |
127 if (!ParsedCertificate::CreateAndAddToVector( | |
128 fetched_bytes.data(), fetched_bytes.size(), | |
129 ParsedCertificate::DataSource::INTERNAL_COPY, &results_)) { | |
130 // TODO(mattm): propagate error info. | |
131 LOG(ERROR) << "Error parsing AIA data"; | |
132 } | |
133 } | |
134 // If the client is waiting for results, need to run callback if: | |
135 // * Some are available now. | |
136 // * The last fetch finished, even with no results. (Client needs to know to | |
137 // stop waiting.) | |
138 if (client_waiting_for_callback && | |
139 (current_result_ < results_.size() || pending_requests_ == 0)) { | |
eroman
2016/06/04 01:08:47
I suggest extracting this to a helper. Maybe somet
mattm
2016/06/04 03:24:08
Done.
| |
140 issuers_callback_.Run(this); | |
141 } | |
142 } | |
143 | |
144 } // namespace net | |
OLD | NEW |