OLD | NEW |
---|---|
1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef COMPONENTS_CERTIFICATE_TRANSPARENCY_SINGLE_TREE_TRACKER_H_ | 5 #ifndef COMPONENTS_CERTIFICATE_TRANSPARENCY_SINGLE_TREE_TRACKER_H_ |
6 #define COMPONENTS_CERTIFICATE_TRANSPARENCY_SINGLE_TREE_TRACKER_H_ | 6 #define COMPONENTS_CERTIFICATE_TRANSPARENCY_SINGLE_TREE_TRACKER_H_ |
7 | 7 |
8 #include <map> | 8 #include <map> |
9 #include <memory> | 9 #include <memory> |
10 #include <string> | 10 #include <string> |
11 | 11 |
12 #include "base/containers/mru_cache.h" | 12 #include "base/containers/mru_cache.h" |
13 #include "base/memory/memory_pressure_monitor.h" | 13 #include "base/memory/memory_pressure_monitor.h" |
14 #include "base/memory/ref_counted.h" | 14 #include "base/memory/ref_counted.h" |
15 #include "base/memory/weak_ptr.h" | 15 #include "base/memory/weak_ptr.h" |
16 #include "net/base/hash_value.h" | 16 #include "net/base/hash_value.h" |
17 #include "net/base/network_change_notifier.h" | |
17 #include "net/cert/ct_verifier.h" | 18 #include "net/cert/ct_verifier.h" |
18 #include "net/cert/signed_tree_head.h" | 19 #include "net/cert/signed_tree_head.h" |
19 #include "net/cert/sth_observer.h" | 20 #include "net/cert/sth_observer.h" |
20 | 21 |
21 namespace net { | 22 namespace net { |
22 | 23 |
23 class CTLogVerifier; | 24 class CTLogVerifier; |
24 class X509Certificate; | 25 class X509Certificate; |
25 | 26 |
26 namespace ct { | 27 namespace ct { |
(...skipping 21 matching lines...) Expand all Loading... | |
48 // observed, their status is checked against the latest STH to ensure they were | 49 // observed, their status is checked against the latest STH to ensure they were |
49 // properly logged. If an SCT is newer than the latest STH, then this class | 50 // properly logged. If an SCT is newer than the latest STH, then this class |
50 // verifies that when an STH is observed that should have incorporated those | 51 // verifies that when an STH is observed that should have incorporated those |
51 // SCTs, the SCTs (and their corresponding entries) are present in the log. | 52 // SCTs, the SCTs (and their corresponding entries) are present in the log. |
52 // | 53 // |
53 // To accomplish this, this class needs to be notified of when new SCTs are | 54 // To accomplish this, this class needs to be notified of when new SCTs are |
54 // observed (which it does by implementing net::CTVerifier::Observer) and when | 55 // observed (which it does by implementing net::CTVerifier::Observer) and when |
55 // new STHs are observed (which it does by implementing net::ct::STHObserver). | 56 // new STHs are observed (which it does by implementing net::ct::STHObserver). |
56 // Once connected to sources providing that data, the status for a given SCT | 57 // Once connected to sources providing that data, the status for a given SCT |
57 // can be queried by calling GetLogEntryInclusionCheck. | 58 // can be queried by calling GetLogEntryInclusionCheck. |
58 class SingleTreeTracker : public net::CTVerifier::Observer, | 59 class SingleTreeTracker |
59 public net::ct::STHObserver { | 60 : public net::CTVerifier::Observer, |
61 public net::ct::STHObserver, | |
62 public net::NetworkChangeNotifier::NetworkChangeObserver { | |
Ryan Sleevi
2017/02/01 22:26:58
nit: I'm not going to block this CL, but one thing
Eran Messeri
2017/02/02 14:54:40
Done - adopted your suggestion of having a private
| |
60 public: | 63 public: |
61 enum SCTInclusionStatus { | 64 enum SCTInclusionStatus { |
62 // SCT was not observed by this class and is not currently pending | 65 // SCT was not observed by this class and is not currently pending |
63 // inclusion check. As there's no evidence the SCT this status relates | 66 // inclusion check. As there's no evidence the SCT this status relates |
64 // to is verified (it was never observed via OnSCTVerified), nothing | 67 // to is verified (it was never observed via OnSCTVerified), nothing |
65 // is done with it. | 68 // is done with it. |
66 SCT_NOT_OBSERVED, | 69 SCT_NOT_OBSERVED, |
67 | 70 |
68 // SCT was observed but the STH known to this class is not old | 71 // SCT was observed but the STH known to this class is not old |
69 // enough to check for inclusion, so a newer STH is needed first. | 72 // enough to check for inclusion, so a newer STH is needed first. |
(...skipping 22 matching lines...) Expand all Loading... | |
92 // here as this callback is invoked during certificate validation. | 95 // here as this callback is invoked during certificate validation. |
93 void OnSCTVerified(net::X509Certificate* cert, | 96 void OnSCTVerified(net::X509Certificate* cert, |
94 const net::ct::SignedCertificateTimestamp* sct) override; | 97 const net::ct::SignedCertificateTimestamp* sct) override; |
95 | 98 |
96 // net::ct::STHObserver implementation. | 99 // net::ct::STHObserver implementation. |
97 // After verification of the signature over the |sth|, uses this | 100 // After verification of the signature over the |sth|, uses this |
98 // STH for future inclusion checks. | 101 // STH for future inclusion checks. |
99 // Must only be called for STHs issued by the log this instance tracks. | 102 // Must only be called for STHs issued by the log this instance tracks. |
100 void NewSTHObserved(const net::ct::SignedTreeHead& sth) override; | 103 void NewSTHObserved(const net::ct::SignedTreeHead& sth) override; |
101 | 104 |
105 // net::NetworkChangeNotifier::NetworkChangeObserver implementation. | |
106 // Discards all entries pending inclusion check on network change. | |
107 // That is done to prevent the client looking up inclusion proofs for | |
108 // certificates received from one network, on another network, thus | |
109 // leaking state between networks. | |
110 void OnNetworkChanged( | |
111 net::NetworkChangeNotifier::ConnectionType type) override; | |
112 | |
102 // Returns the status of a given log entry that is assembled from | 113 // Returns the status of a given log entry that is assembled from |
103 // |cert| and |sct|. If |cert| and |sct| were not previously observed, | 114 // |cert| and |sct|. If |cert| and |sct| were not previously observed, |
104 // |sct| is not an SCT for |cert| or |sct| is not for this log, | 115 // |sct| is not an SCT for |cert| or |sct| is not for this log, |
105 // SCT_NOT_OBSERVED will be returned. | 116 // SCT_NOT_OBSERVED will be returned. |
106 SCTInclusionStatus GetLogEntryInclusionStatus( | 117 SCTInclusionStatus GetLogEntryInclusionStatus( |
107 net::X509Certificate* cert, | 118 net::X509Certificate* cert, |
108 const net::ct::SignedCertificateTimestamp* sct); | 119 const net::ct::SignedCertificateTimestamp* sct); |
109 | 120 |
110 private: | 121 private: |
111 struct EntryToAudit; | 122 struct EntryToAudit; |
(...skipping 56 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
168 std::unique_ptr<base::MemoryPressureListener> memory_pressure_listener_; | 179 std::unique_ptr<base::MemoryPressureListener> memory_pressure_listener_; |
169 | 180 |
170 base::WeakPtrFactory<SingleTreeTracker> weak_factory_; | 181 base::WeakPtrFactory<SingleTreeTracker> weak_factory_; |
171 | 182 |
172 DISALLOW_COPY_AND_ASSIGN(SingleTreeTracker); | 183 DISALLOW_COPY_AND_ASSIGN(SingleTreeTracker); |
173 }; | 184 }; |
174 | 185 |
175 } // namespace certificate_transparency | 186 } // namespace certificate_transparency |
176 | 187 |
177 #endif // COMPONENTS_CERTIFICATE_TRANSPARENCY_SINGLE_TREE_TRACKER_H_ | 188 #endif // COMPONENTS_CERTIFICATE_TRANSPARENCY_SINGLE_TREE_TRACKER_H_ |
OLD | NEW |