Chromium Code Reviews Chromium Code Reviews
Issue 2153123002:
Certificate Transparency: Collect metrics on age of SCT vs STH (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "components/certificate_transparency/single_tree_tracker.h" | 5 #include "components/certificate_transparency/single_tree_tracker.h" |
| 6 | 6 |
| 7 #include <utility> | 7 #include <utility> |
| 8 | 8 |
| 9 #include "base/metrics/histogram_macros.h" | |
| 9 #include "net/cert/ct_log_verifier.h" | 10 #include "net/cert/ct_log_verifier.h" |
| 10 #include "net/cert/signed_certificate_timestamp.h" | 11 #include "net/cert/signed_certificate_timestamp.h" |
| 11 #include "net/cert/x509_certificate.h" | 12 #include "net/cert/x509_certificate.h" |
| 12 | 13 |
| 13 using net::ct::SignedTreeHead; | 14 using net::ct::SignedTreeHead; |
| 14 | 15 |
| 16 namespace { | |
| 17 | |
| 18 enum SCTCanBeCheckedForInclusion { | |
|
Alexei Svitkine (slow)
2016/07/22 13:37:33
Add a comment not to renumber these since they're
Eran Messeri
2016/07/25 13:22:52
Done.
| |
| 19 VALID_STH_REQUIRED = 0, | |
| 20 NEWER_STH_REQUIRED = 1, | |
| 21 CAN_BE_CHECKED = 2, | |
|
Ryan Sleevi
2016/07/22 16:57:30
Document these. This is the perfect place to captu
Eran Messeri
2016/07/25 13:22:52
Done.
| |
| 22 SCT_CAN_BE_CHECKED_MAX | |
| 23 }; | |
| 24 | |
| 25 // Measure how often clients encounter very new SCTs, by measuring whether an | |
| 26 // SCT can be checked for inclusion upon first observation. | |
| 27 // | |
| 28 // When an SCT is observed, if the SingleTreeTracker instance has a valid STH | |
| 29 // and the STH covers the SCT (the timestamp in the SCT is less than MMD + | |
| 30 // timestamp in the STH), then it can be checked for inclusion. | |
| 31 // set to true. | |
| 32 // If the STH does not cover the SCT (the timestamp in the SCT is greater than | |
| 33 // MMD + timestamp in the STH), then a newer STH is needed. | |
| 34 // | |
| 35 // If the SingleTreeTracker does not have a valid STH, then a valid STH is | |
| 36 // first required to evaluate whether the SCT can be checked for inclusion | |
| 37 // or not. | |
| 38 void LogCanBeCheckedForInclusionToUMA( | |
| 39 SCTCanBeCheckedForInclusion can_be_checked) { | |
| 40 UMA_HISTOGRAM_ENUMERATION("Net.CertificateTransparency.CanInclusionCheckSCT", | |
| 41 can_be_checked, SCT_CAN_BE_CHECKED_MAX); | |
| 42 } | |
| 43 | |
| 44 } // namespace | |
| 45 | |
| 15 namespace certificate_transparency { | 46 namespace certificate_transparency { |
| 16 | 47 |
| 17 SingleTreeTracker::SingleTreeTracker( | 48 SingleTreeTracker::SingleTreeTracker( |
| 18 scoped_refptr<const net::CTLogVerifier> ct_log) | 49 scoped_refptr<const net::CTLogVerifier> ct_log) |
| 19 : ct_log_(std::move(ct_log)) {} | 50 : ct_log_(std::move(ct_log)) {} |
| 20 | 51 |
| 21 SingleTreeTracker::~SingleTreeTracker() {} | 52 SingleTreeTracker::~SingleTreeTracker() {} |
| 22 | 53 |
| 23 void SingleTreeTracker::OnSCTVerified( | 54 void SingleTreeTracker::OnSCTVerified( |
| 24 net::X509Certificate* cert, | 55 net::X509Certificate* cert, |
| 25 const net::ct::SignedCertificateTimestamp* sct) { | 56 const net::ct::SignedCertificateTimestamp* sct) { |
| 26 DCHECK_EQ(ct_log_->key_id(), sct->log_id); | 57 DCHECK_EQ(ct_log_->key_id(), sct->log_id); |
| 27 | 58 |
| 28 // SCT was previously observed, so its status should not be changed. | 59 // SCT was previously observed, so its status should not be changed. |
| 29 if (entries_status_.find(sct->timestamp) != entries_status_.end()) | 60 if (entries_status_.find(sct->timestamp) != entries_status_.end()) |
| 30 return; | 61 return; |
| 31 | 62 |
| 32 // If there isn't a valid STH or the STH is not fresh enough to check | 63 // If there isn't a valid STH or the STH is not fresh enough to check |
| 33 // inclusion against, store the SCT for future checking and return. | 64 // inclusion against, store the SCT for future checking and return. |
| 34 if (verified_sth_.timestamp.is_null() || | 65 if (verified_sth_.timestamp.is_null() || |
| 35 (verified_sth_.timestamp < | 66 (verified_sth_.timestamp < |
| 36 (sct->timestamp + base::TimeDelta::FromHours(24)))) { | 67 (sct->timestamp + base::TimeDelta::FromHours(24)))) { |
| 37 // TODO(eranm): UMA - how often SCTs have to wait for a newer STH for | |
| 38 // inclusion check. | |
| 39 entries_status_.insert( | 68 entries_status_.insert( |
| 40 std::make_pair(sct->timestamp, SCT_PENDING_NEWER_STH)); | 69 std::make_pair(sct->timestamp, SCT_PENDING_NEWER_STH)); |
| 70 | |
| 71 // Do not log histogram if there's no STH for this log yet, as it does | |
|
Ryan Sleevi
2016/07/22 16:57:30
Comment needs updating
Eran Messeri
2016/07/25 13:22:51
Done.
| |
| 72 // not provide any meaningful data on how fresh SCTs usually are. | |
| 73 if (!verified_sth_.timestamp.is_null()) { | |
| 74 LogCanBeCheckedForInclusionToUMA(NEWER_STH_REQUIRED); | |
| 75 } else { | |
| 76 LogCanBeCheckedForInclusionToUMA(VALID_STH_REQUIRED); | |
| 77 } | |
| 78 | |
| 41 return; | 79 return; |
| 42 } | 80 } |
| 43 | 81 |
| 82 LogCanBeCheckedForInclusionToUMA(CAN_BE_CHECKED); | |
| 44 // TODO(eranm): Check inclusion here. | 83 // TODO(eranm): Check inclusion here. |
| 45 // TODO(eranm): UMA - how often inclusion can be checked immediately. | |
| 46 entries_status_.insert( | 84 entries_status_.insert( |
| 47 std::make_pair(sct->timestamp, SCT_PENDING_INCLUSION_CHECK)); | 85 std::make_pair(sct->timestamp, SCT_PENDING_INCLUSION_CHECK)); |
| 48 } | 86 } |
| 49 | 87 |
| 50 void SingleTreeTracker::NewSTHObserved(const SignedTreeHead& sth) { | 88 void SingleTreeTracker::NewSTHObserved(const SignedTreeHead& sth) { |
| 51 DCHECK_EQ(ct_log_->key_id(), sth.log_id); | 89 DCHECK_EQ(ct_log_->key_id(), sth.log_id); |
| 52 | 90 |
| 53 if (!ct_log_->VerifySignedTreeHead(sth)) { | 91 if (!ct_log_->VerifySignedTreeHead(sth)) { |
| 54 // Sanity check the STH; the caller should have done this | 92 // Sanity check the STH; the caller should have done this |
| 55 // already, but being paranoid here. | 93 // already, but being paranoid here. |
| (...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 91 SingleTreeTracker::SCTInclusionStatus | 129 SingleTreeTracker::SCTInclusionStatus |
| 92 SingleTreeTracker::GetLogEntryInclusionStatus( | 130 SingleTreeTracker::GetLogEntryInclusionStatus( |
| 93 net::X509Certificate* cert, | 131 net::X509Certificate* cert, |
| 94 const net::ct::SignedCertificateTimestamp* sct) { | 132 const net::ct::SignedCertificateTimestamp* sct) { |
| 95 auto it = entries_status_.find(sct->timestamp); | 133 auto it = entries_status_.find(sct->timestamp); |
| 96 | 134 |
| 97 return it == entries_status_.end() ? SCT_NOT_OBSERVED : it->second; | 135 return it == entries_status_.end() ? SCT_NOT_OBSERVED : it->second; |
| 98 } | 136 } |
| 99 | 137 |
| 100 } // namespace certificate_transparency | 138 } // namespace certificate_transparency |
| OLD | NEW |
