Allow TrustStore queries to be asynchronous.

net/cert/internal/path_builder.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/path_builder.h"
 
 #include <set>
 #include <unordered_set>
 
 #include "base/callback_helpers.h"
@@ skipping 47 matching lines @@
   bool IsEmpty() const { return !IsTrustAnchor() && !IsCertificate(); }
 
   scoped_refptr<ParsedCertificate> cert;
   scoped_refptr<TrustAnchor> anchor;
 };
 
 // CertIssuersIter iterates through the intermediates from |cert_issuer_sources|
 // which may be issuers of |cert|.
 class CertIssuersIter {
  public:
-  // Constructs the CertIssuersIter. |*cert_issuer_sources| must be valid for
-  // the lifetime of the CertIssuersIter.
+  // Constructs the CertIssuersIter. |*cert_issuer_sources| and |*trust_store|
+  // must be valid for the lifetime of the CertIssuersIter.
   CertIssuersIter(scoped_refptr<ParsedCertificate> cert,
                   CertIssuerSources* cert_issuer_sources,
-                  const TrustStore& trust_store);
+                  const TrustStore* trust_store);
 
   // Gets the next candidate issuer. If an issuer is ready synchronously, SYNC
   // is returned and the cert is stored in |*cert|.  If an issuer is not
   // ready, ASYNC is returned and |callback| will be called once |*out_cert| has
   // been set. If |callback| is null, always completes synchronously.
   //
   // In either case, if all issuers have been exhausted, |*out| is cleared.
   CompletionStatus GetNextIssuer(CertificateOrTrustAnchor* out,
                                  const base::Closure& callback);
 
   // Returns the |cert| for which issuers are being retrieved.
   const ParsedCertificate* cert() const { return cert_.get(); }
   scoped_refptr<ParsedCertificate> reference_cert() const { return cert_; }
 
  private:
+  void DoAsyncIssuerQuery();
+  void GotAsyncAnchors(TrustAnchors anchors);
   void GotAsyncCerts(CertIssuerSource::Request* request);
+  void NotifyIfNecessary();
 
   scoped_refptr<ParsedCertificate> cert_;
   CertIssuerSources* cert_issuer_sources_;
+  const TrustStore* trust_store_;
 
   // The list of trust anchors that match the issuer name for |cert_|.
   TrustAnchors anchors_;
   // The index of the next trust anchor in |anchors_| to return.
   size_t cur_anchor_ = 0;
 
   // The list of issuers for |cert_|. This is added to incrementally (first
   // synchronous results, then possibly multiple times as asynchronous results
   // arrive.) The issuers may be re-sorted each time new issuers are added, but
   // only the results from |cur_| onwards should be sorted, since the earlier
   // results were already returned.
   // Elements should not be removed from |issuers_| once added, since
   // |present_issuers_| will point to data owned by the certs.
   ParsedCertificateList issuers_;
   // The index of the next cert in |issuers_| to return.
   size_t cur_issuer_ = 0;
 
   // Set of DER-encoded values for the certs in |issuers_|. Used to prevent
   // duplicates. This is based on the full DER of the cert to allow different
   // versions of the same certificate to be tried in different candidate paths.
   // This points to data owned by |issuers_|.
   std::unordered_set<base::StringPiece, base::StringPieceHash> present_issuers_;
 
-  // Tracks whether asynchronous requests have been made yet.
-  bool did_async_query_ = false;
+  // Tracks which requests have been made yet.
+  bool did_initial_query_ = false;
+  bool did_async_issuer_query_ = false;
   // If asynchronous requests were made, how many of them are still outstanding?
   size_t pending_async_results_;
   // Owns the Request objects for any asynchronous requests so that they will be
   // cancelled if CertIssuersIter is destroyed.
   std::vector<std::unique_ptr<CertIssuerSource::Request>>
       pending_async_requests_;
+  std::unique_ptr<TrustStore::Request> pending_anchor_request_;
 
   // When GetNextIssuer was called and returned asynchronously, |*out_| is
   // where the result will be stored, and |callback_| will be run when the
   // result is ready.
   CertificateOrTrustAnchor* out_;
   base::Closure callback_;
 
   DISALLOW_COPY_AND_ASSIGN(CertIssuersIter);
 };
 
 CertIssuersIter::CertIssuersIter(scoped_refptr<ParsedCertificate> in_cert,
                                  CertIssuerSources* cert_issuer_sources,
-                                 const TrustStore& trust_store)
-    : cert_(in_cert), cert_issuer_sources_(cert_issuer_sources) {
+                                 const TrustStore* trust_store)
+    : cert_(in_cert),
+      cert_issuer_sources_(cert_issuer_sources),
+      trust_store_(trust_store) {
   DVLOG(1) << "CertIssuersIter(" << CertDebugString(cert()) << ") created";
-  trust_store.FindTrustAnchorsByNormalizedName(in_cert->normalized_issuer(),
-                                               &anchors_);
-
-  for (auto* cert_issuer_source : *cert_issuer_sources_) {
-    ParsedCertificateList new_issuers;
-    cert_issuer_source->SyncGetIssuersOf(cert(), &new_issuers);
-    for (scoped_refptr<ParsedCertificate>& issuer : new_issuers) {
-      if (present_issuers_.find(issuer->der_cert().AsStringPiece()) !=
-          present_issuers_.end())
-        continue;
-      present_issuers_.insert(issuer->der_cert().AsStringPiece());
-      issuers_.push_back(std::move(issuer));
-    }
-  }
-  // TODO(mattm): sort by notbefore, etc (eg if cert issuer matches a trust
-  // anchor subject (or is a trust anchor), that should be sorted higher too.
-  // See big list of possible sorting hints in RFC 4158.)
-  // (Update PathBuilderKeyRolloverTest.TestRolloverBothRootsTrusted once that
-  // is done)
 }
 
 CompletionStatus CertIssuersIter::GetNextIssuer(CertificateOrTrustAnchor* out,
                                                 const base::Closure& callback) {
   // Should not be called again while already waiting for an async result.
   DCHECK(callback_.is_null());
 
+  if (!did_initial_query_) {
+    did_initial_query_ = true;
+    trust_store_->FindTrustAnchorsForCert(
+        cert_.get(),
+        callback.is_null() ? TrustStore::TrustAnchorsCallback()
+                           : base::Bind(&CertIssuersIter::GotAsyncAnchors,
+                                        base::Unretained(this)),
+        &anchors_, &pending_anchor_request_);
+
+    for (auto* cert_issuer_source : *cert_issuer_sources_) {
+      ParsedCertificateList new_issuers;
+      cert_issuer_source->SyncGetIssuersOf(cert(), &new_issuers);
+      for (scoped_refptr<ParsedCertificate>& issuer : new_issuers) {
+        if (present_issuers_.find(issuer->der_cert().AsStringPiece()) !=
+            present_issuers_.end())
+          continue;
+        present_issuers_.insert(issuer->der_cert().AsStringPiece());
+        issuers_.push_back(std::move(issuer));
+      }
+    }
+    DVLOG(1) << anchors_.size() << " sync anchors, " << issuers_.size()
+             << " sync issuers";
+    // TODO(mattm): sort by notbefore, etc (eg if cert issuer matches a trust
+    // anchor subject (or is a trust anchor), that should be sorted higher too.
+    // See big list of possible sorting hints in RFC 4158.)
+    // (Update PathBuilderKeyRolloverTest.TestRolloverBothRootsTrusted once that
+    // is done)
+  }
+
   // Return possible trust anchors first.
   if (cur_anchor_ < anchors_.size()) {
     DVLOG(1) << "CertIssuersIter(" << CertDebugString(cert())
              << "): returning anchor " << cur_anchor_ << " of "
              << anchors_.size();
     // Still have anchors that haven't been returned yet, return one of them.
     *out = CertificateOrTrustAnchor(anchors_[cur_anchor_++]);
     return CompletionStatus::SYNC;
   }
 
+  if (pending_anchor_request_) {
+    DVLOG(1) << "CertIssuersIter(" << CertDebugString(cert())
+             << ") Still waiting for async trust anchor results.";
+    out_ = out;
+    callback_ = callback;
+    return CompletionStatus::ASYNC;
+  }
+
   if (cur_issuer_ < issuers_.size()) {
     DVLOG(1) << "CertIssuersIter(" << CertDebugString(cert())
              << "): returning issuer " << cur_issuer_ << " of "
              << issuers_.size();
     // Still have issuers that haven't been returned yet, return one of them.
     // A reference to the returned issuer is retained, since |present_issuers_|
     // points to data owned by it.
     *out = CertificateOrTrustAnchor(issuers_[cur_issuer_++]);
     return CompletionStatus::SYNC;
   }
-  if (did_async_query_) {
+
+  if (did_async_issuer_query_) {
     if (pending_async_results_ == 0) {
       DVLOG(1) << "CertIssuersIter(" << CertDebugString(cert())
                << ") Reached the end of all available issuers.";
       // Reached the end of all available issuers.
       *out = CertificateOrTrustAnchor();
       return CompletionStatus::SYNC;
     }
 
     DVLOG(1) << "CertIssuersIter(" << CertDebugString(cert())
              << ") Still waiting for async results from other "
                 "CertIssuerSources.";
     // Still waiting for async results from other CertIssuerSources.
     out_ = out;
     callback_ = callback;
     return CompletionStatus::ASYNC;
   }
   // Reached the end of synchronously gathered issuers.
 
   if (callback.is_null()) {
     // Synchronous-only mode, don't try to query async sources.
     *out = CertificateOrTrustAnchor();
     return CompletionStatus::SYNC;
   }
 
   // Now issue request(s) for async ones (AIA, etc).
-  did_async_query_ = true;
+  DoAsyncIssuerQuery();
+
+  if (pending_async_results_ == 0) {
+    DVLOG(1) << "CertIssuersIter(" << CertDebugString(cert())
+             << ") No cert sources have async results.";
+    // No cert sources have async results.
+    *out = CertificateOrTrustAnchor();
+    return CompletionStatus::SYNC;
+  }
+
+  DVLOG(1) << "CertIssuersIter(" << CertDebugString(cert())
+           << ") issued AsyncGetIssuersOf call(s) (n=" << pending_async_results_
+           << ")";
+  out_ = out;
+  callback_ = callback;
+  return CompletionStatus::ASYNC;
+}
+
+void CertIssuersIter::DoAsyncIssuerQuery() {
+  DCHECK(!did_async_issuer_query_);
+  did_async_issuer_query_ = true;
   pending_async_results_ = 0;
   for (auto* cert_issuer_source : *cert_issuer_sources_) {
     std::unique_ptr<CertIssuerSource::Request> request;
     cert_issuer_source->AsyncGetIssuersOf(
         cert(),
         base::Bind(&CertIssuersIter::GotAsyncCerts, base::Unretained(this)),
         &request);
     if (request) {
       DVLOG(1) << "AsyncGetIssuersOf(" << CertDebugString(cert())
                << ") pending...";
       pending_async_results_++;
       pending_async_requests_.push_back(std::move(request));
     }
   }
+}
 
-  if (pending_async_results_ == 0) {
-    DVLOG(1) << "CertIssuersIter(" << CertDebugString(cert())
-             << ") No cert sources have async results.";
-    // No cert sources have async results.
-    *out = CertificateOrTrustAnchor();
-    return CompletionStatus::SYNC;
-  }
+void CertIssuersIter::GotAsyncAnchors(TrustAnchors anchors) {
+  DVLOG(1) << "CertIssuersIter::GotAsyncAnchors(" << CertDebugString(cert())
+           << "): " << anchors.size() << " anchors";
+  for (scoped_refptr<TrustAnchor>& anchor : anchors)
+    anchors_.push_back(std::move(anchor));
+  pending_anchor_request_.reset();
 
-  DVLOG(1) << "CertIssuersIter(" << CertDebugString(cert())
-           << ") issued AsyncGetIssuersOf call(s) (n=" << pending_async_results_
-           << ")";
-  out_ = out;
-  callback_ = callback;
-  return CompletionStatus::ASYNC;
+  NotifyIfNecessary();
 }
 
 void CertIssuersIter::GotAsyncCerts(CertIssuerSource::Request* request) {
   DVLOG(1) << "CertIssuersIter::GotAsyncCerts(" << CertDebugString(cert())
            << ")";
   while (true) {
     scoped_refptr<ParsedCertificate> cert;
     CompletionStatus status = request->GetNext(&cert);
     if (!cert) {
       if (status == CompletionStatus::SYNC) {
         // Request is exhausted, no more results pending from that
         // CertIssuerSource.
         DCHECK_GT(pending_async_results_, 0U);
         pending_async_results_--;
       }
       break;
     }
     DCHECK_EQ(status, CompletionStatus::SYNC);
     if (present_issuers_.find(cert->der_cert().AsStringPiece()) !=
         present_issuers_.end())
       continue;
     present_issuers_.insert(cert->der_cert().AsStringPiece());
     issuers_.push_back(std::move(cert));
   }
 
   // TODO(mattm): re-sort remaining elements of issuers_ (remaining elements may
   // be more than the ones just inserted, depending on |cur_| value).
 
+  NotifyIfNecessary();
+}
+
+void CertIssuersIter::NotifyIfNecessary() {
   // Notify that more results are available, if necessary.
   if (!callback_.is_null()) {
-    DCHECK_GE(cur_anchor_, anchors_.size());
+    if (cur_anchor_ < anchors_.size()) {
+      DVLOG(1) << "CertIssuersIter(" << CertDebugString(cert())
+               << "): async returning anchor " << cur_anchor_ << " of "
+               << anchors_.size();
+      *out_ = CertificateOrTrustAnchor(std::move(anchors_[cur_anchor_++]));
+      base::ResetAndReturn(&callback_).Run();
+      return;
+    }
     if (cur_issuer_ < issuers_.size()) {
+      DCHECK(!pending_anchor_request_);
       DVLOG(1) << "CertIssuersIter(" << CertDebugString(cert())
-               << "): async returning item " << cur_issuer_ << " of "
+               << "): async returning issuer " << cur_issuer_ << " of "
                << issuers_.size();
       *out_ = CertificateOrTrustAnchor(std::move(issuers_[cur_issuer_++]));
       base::ResetAndReturn(&callback_).Run();
-    } else if (pending_async_results_ == 0) {
+      return;
+    }
+
+    if (!did_async_issuer_query_)
+      DoAsyncIssuerQuery();
+
+    if (pending_async_results_ == 0) {
       DVLOG(1) << "CertIssuersIter(" << CertDebugString(cert())
                << "): async returning empty result";
       *out_ = CertificateOrTrustAnchor();
       base::ResetAndReturn(&callback_).Run();
-    } else {
-      DVLOG(1) << "CertIssuersIter(" << CertDebugString(cert())
-               << "): empty result, but other async results "
-                  "pending, waiting..";
+      return;
     }
+    DVLOG(1) << "CertIssuersIter(" << CertDebugString(cert())
+             << "): empty result, but other async results "
+                "pending, waiting..";
   }
 }
 
 // CertIssuerIterPath tracks which certs are present in the path and prevents
 // paths from being built which repeat any certs (including different versions
 // of the same cert, based on Subject+SubjectAltName+SPKI).
 class CertIssuerIterPath {
  public:
   // Returns true if |cert| is already present in the path.
   bool IsPresent(const ParsedCertificate* cert) const {
@@ skipping 213 matching lines @@
   }
 
   if (next_issuer_.IsCertificate()) {
     // Skip this cert if it is already in the chain.
     if (cur_path_.IsPresent(next_issuer_.cert.get())) {
       next_state_ = STATE_GET_NEXT_ISSUER;
       return CompletionStatus::SYNC;
     }
 
     cur_path_.Append(base::WrapUnique(new CertIssuersIter(
-        std::move(next_issuer_.cert), &cert_issuer_sources_, *trust_store_)));
+        std::move(next_issuer_.cert), &cert_issuer_sources_, trust_store_)));
     next_issuer_ = CertificateOrTrustAnchor();
     DVLOG(1) << "CertPathIter cur_path_ = " << cur_path_.PathDebugString();
     // Continue descending the tree.
     next_state_ = STATE_GET_NEXT_ISSUER;
   } else {
     // TODO(mattm): should also include such paths in CertPathBuilder::Result,
     // maybe with a flag to enable it. Or use a visitor pattern so the caller
     // can decide what to do with any failed paths.
     // No more issuers for current chain, go back up and see if there are any
     // more for the previous cert.
@@ skipping 132 matching lines @@
   result_path->error = is_success ? OK : ERR_CERT_AUTHORITY_INVALID;
   // TODO(mattm): set best_result_index based on number or severity of errors.
   if (result_path->error == OK)
     out_result_->best_result_index = out_result_->paths.size();
   // TODO(mattm): add flag to only return a single path or all attempted paths?
   result_path->path = path;
   out_result_->paths.push_back(std::move(result_path));
 }
 
 }  // namespace net