
Side by Side Diff: net/cert/multi_threaded_cert_verifier.cc

Issue 303133006: Added net_log logging statments for CertVerifyResult (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: removed changes to base/base.gyp Created 6 years, 6 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/multi_threaded_cert_verifier.h" 5 #include "net/cert/multi_threaded_cert_verifier.h"
6 6
7 #include <algorithm> 7 #include <algorithm>
8 #include <cstdlib>
9 #include <iostream>
Ryan Sleevi 2014/05/30 22:46:24 Unnecessary includes, I suspect?
mshelley 2014/05/31 00:38:19 Done.
8 10
9 #include "base/bind.h" 11 #include "base/bind.h"
10 #include "base/bind_helpers.h" 12 #include "base/bind_helpers.h"
11 #include "base/compiler_specific.h" 13 #include "base/compiler_specific.h"
12 #include "base/message_loop/message_loop.h" 14 #include "base/message_loop/message_loop.h"
13 #include "base/metrics/histogram.h" 15 #include "base/metrics/histogram.h"
14 #include "base/stl_util.h" 16 #include "base/stl_util.h"
15 #include "base/synchronization/lock.h" 17 #include "base/synchronization/lock.h"
16 #include "base/threading/worker_pool.h" 18 #include "base/threading/worker_pool.h"
17 #include "base/time/time.h" 19 #include "base/time/time.h"
20 #include "net/base/hash_value.h"
18 #include "net/base/net_errors.h" 21 #include "net/base/net_errors.h"
19 #include "net/base/net_log.h" 22 #include "net/cert/cert_status_flags.h"
20 #include "net/cert/cert_trust_anchor_provider.h" 23 #include "net/cert/cert_trust_anchor_provider.h"
21 #include "net/cert/cert_verify_proc.h" 24 #include "net/cert/cert_verify_proc.h"
22 #include "net/cert/crl_set.h" 25 #include "net/cert/crl_set.h"
23 #include "net/cert/x509_certificate.h" 26 #include "net/cert/x509_certificate.h"
24 #include "net/cert/x509_certificate_net_log_param.h" 27 #include "net/cert/x509_certificate_net_log_param.h"
25 28
26 #if defined(USE_NSS) || defined(OS_IOS) 29 #if defined(USE_NSS) || defined(OS_IOS)
27 #include <private/pprthred.h> // PR_DetachThread 30 #include <private/pprthred.h> // PR_DetachThread
28 #endif 31 #endif
29 32
33 using namespace std;
Ryan Sleevi 2014/05/30 22:46:24 STYLE: This is forbidden by the style guide. See
mshelley 2014/05/31 00:38:19 Done.
34
30 namespace net { 35 namespace net {
31 36
32 //////////////////////////////////////////////////////////////////////////// 37 ////////////////////////////////////////////////////////////////////////////
33 38
34 // Life of a request: 39 // Life of a request:
35 // 40 //
36 // MultiThreadedCertVerifier CertVerifierJob CertVerifierWorker Request 41 // MultiThreadedCertVerifier CertVerifierJob CertVerifierWorker Request
37 // | (origin loop) (worker loop) 42 // | (origin loop) (worker loop)
38 // | 43 // |
39 // Verify() 44 // Verify()
(...skipping 30 matching lines...) Expand all
70 // On a cache hit, MultiThreadedCertVerifier::Verify() returns synchronously 75 // On a cache hit, MultiThreadedCertVerifier::Verify() returns synchronously
71 // without posting a task to a worker thread. 76 // without posting a task to a worker thread.
72 77
73 namespace { 78 namespace {
74 79
75 // The default value of max_cache_entries_. 80 // The default value of max_cache_entries_.
76 const unsigned kMaxCacheEntries = 256; 81 const unsigned kMaxCacheEntries = 256;
77 82
78 // The number of seconds for which we'll cache a cache entry. 83 // The number of seconds for which we'll cache a cache entry.
79 const unsigned kTTLSecs = 1800; // 30 minutes. 84 const unsigned kTTLSecs = 1800; // 30 minutes.
80 85
Ryan Sleevi 2014/05/30 22:46:24 STYLE: You would move lines 590-660 here Longer e
Ryan Sleevi 2014/05/31 00:53:02 Still need to do this one.
81 } // namespace 86 } // namespace
82 87
83 MultiThreadedCertVerifier::CachedResult::CachedResult() : error(ERR_FAILED) {} 88 MultiThreadedCertVerifier::CachedResult::CachedResult() : error(ERR_FAILED) {}
84 89
85 MultiThreadedCertVerifier::CachedResult::~CachedResult() {} 90 MultiThreadedCertVerifier::CachedResult::~CachedResult() {}
86 91
87 MultiThreadedCertVerifier::CacheValidityPeriod::CacheValidityPeriod( 92 MultiThreadedCertVerifier::CacheValidityPeriod::CacheValidityPeriod(
88 const base::Time& now) 93 const base::Time& now)
89 : verification_time(now), 94 : verification_time(now),
90 expiration_time(now) { 95 expiration_time(now) {
(...skipping 252 matching lines...) Expand 10 before | Expand all | Expand 10 after
343 request->net_log().AddEvent( 348 request->net_log().AddEvent(
344 NetLog::TYPE_CERT_VERIFIER_REQUEST_BOUND_TO_JOB, 349 NetLog::TYPE_CERT_VERIFIER_REQUEST_BOUND_TO_JOB,
345 net_log_.source().ToEventParametersCallback()); 350 net_log_.source().ToEventParametersCallback());
346 351
347 requests_.push_back(request); 352 requests_.push_back(request);
348 } 353 }
349 354
350 void HandleResult( 355 void HandleResult(
351 const MultiThreadedCertVerifier::CachedResult& verify_result, 356 const MultiThreadedCertVerifier::CachedResult& verify_result,
352 bool is_first_job) { 357 bool is_first_job) {
358 net_log_.AddEvent(NetLog::TYPE_CERT_VERIFIER_JOB,
359 base::Bind(&NetLogX509CertificateCallback,
360 verify_result.result.verified_cert));
Ryan Sleevi 2014/05/30 22:46:24 Instead of logging this as a distinct event, use b
mshelley 2014/05/31 00:38:19 When I explicitly call NetLogX509CC, I have to pas
361 net_log_.AddEvent(
362 NetLog::TYPE_CERT_VERIFIER_JOB,
363 base::Bind(&CertVerifyResultCallback, verify_result.result));
Ryan Sleevi 2014/05/30 22:46:24 Instead of using AddEvent to do this, update the E
mshelley 2014/05/31 00:38:19 Done.
353 worker_ = NULL; 364 worker_ = NULL;
354 net_log_.EndEvent(NetLog::TYPE_CERT_VERIFIER_JOB); 365 net_log_.EndEvent(NetLog::TYPE_CERT_VERIFIER_JOB);
355 base::TimeDelta latency = base::TimeTicks::Now() - start_time_; 366 base::TimeDelta latency = base::TimeTicks::Now() - start_time_;
356 UMA_HISTOGRAM_CUSTOM_TIMES("Net.CertVerifier_Job_Latency", 367 UMA_HISTOGRAM_CUSTOM_TIMES("Net.CertVerifier_Job_Latency",
357 latency, 368 latency,
358 base::TimeDelta::FromMilliseconds(1), 369 base::TimeDelta::FromMilliseconds(1),
359 base::TimeDelta::FromMinutes(10), 370 base::TimeDelta::FromMinutes(10),
360 100); 371 100);
361 if (is_first_job) { 372 if (is_first_job) {
362 UMA_HISTOGRAM_CUSTOM_TIMES("Net.CertVerifier_First_Job_Latency", 373 UMA_HISTOGRAM_CUSTOM_TIMES("Net.CertVerifier_First_Job_Latency",
(...skipping 213 matching lines...) Expand 10 before | Expand all | Expand 10 after
576 } 587 }
577 588
578 void MultiThreadedCertVerifier::OnCACertChanged( 589 void MultiThreadedCertVerifier::OnCACertChanged(
579 const X509Certificate* cert) { 590 const X509Certificate* cert) {
580 DCHECK(CalledOnValidThread()); 591 DCHECK(CalledOnValidThread());
581 592
582 ClearCache(); 593 ClearCache();
583 } 594 }
584 595
585 } // namespace net 596 } // namespace net
597
598 namespace {
Ryan Sleevi 2014/05/30 22:46:24 STYLE: Add a newline between 598 and 599. Long An
mshelley 2014/05/31 00:38:19 Done.
599 base::Value* CertVerifyResultCallback(net::CertVerifyResult verify_result,
600 net::NetLog::LogLevel log_level) {
601 base::DictionaryValue* results = new base::DictionaryValue();
602 results->SetBoolean("has_md5", verify_result.has_md5);
603 results->SetBoolean("has_md2", verify_result.has_md2);
604 results->SetBoolean("has_md4", verify_result.has_md4);
605 results->SetBoolean("is_issued_by_known_root",
606 verify_result.is_issued_by_known_root);
607 results->SetBoolean("is_issued_by_additional_trust_anchor",
608 verify_result.is_issued_by_additional_trust_anchor);
609 results->SetBoolean("common_name_fallback_used",
610 verify_result.common_name_fallback_used);
611 results->SetInteger("cert_status.value", verify_result.cert_status);
Ryan Sleevi 2014/05/30 22:46:24 Just call this results->SetInteger("cert_status",
mshelley 2014/05/31 00:38:19 Done.
612 base::ListValue* flags = new base::ListValue();
613
614 // Parse bitmasked value into individual flags
615 if (verify_result.cert_status & (0xFFFF == 15))
616 flags->AppendString("CERT_STATUS_ALL_ERRORS");
Ryan Sleevi 2014/05/30 22:46:24 This is a mask value for processing in conditional
mshelley 2014/05/31 00:38:19 Done.
617 else {
618 if (verify_result.cert_status & net::CERT_STATUS_COMMON_NAME_INVALID)
619 flags->AppendString("CERT_STATUS_COMMON_NAME_INVALID");
Ryan Sleevi 2014/05/30 22:46:24 So, turns out I steered you wrong, and this partic
620 if (verify_result.cert_status & net::CERT_STATUS_DATE_INVALID)
621 flags->AppendString("CERT_STATUS_DATE_INVALID");
622 if (verify_result.cert_status & net::CERT_STATUS_AUTHORITY_INVALID)
623 flags->AppendString("CERT_STATUS_AUTHORITY_INVALID");
624 if (verify_result.cert_status & net::CERT_STATUS_NO_REVOCATION_MECHANISM)
625 flags->AppendString("CERT_STATUS_NO_REVOCATION_MECHANISM");
626 if (verify_result.cert_status & net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION)
627 flags->AppendString("CERT_STATUS_UNABLE_TO_CHECK_REVOCATION");
628 if (verify_result.cert_status & net::CERT_STATUS_REVOKED)
629 flags->AppendString("CERT_STATUS_REVOKED");
630 if (verify_result.cert_status & net::CERT_STATUS_INVALID)
631 flags->AppendString("CERT_STATUS_INVALID");
632 if (verify_result.cert_status & net::CERT_STATUS_WEAK_SIGNATURE_ALGORITHM)
633 flags->AppendString("CERT_STATUS_WEAK_SIGNATURE_ALGORITHM");
634 if (verify_result.cert_status & net::CERT_STATUS_NON_UNIQUE_NAME)
635 flags->AppendString("CERT_STATUS_NON_UNIQUE_NAME");
636 if (verify_result.cert_status & net::CERT_STATUS_WEAK_KEY)
637 flags->AppendString("CERT_STATUS_WEAK_KEY");
638 if (verify_result.cert_status & net::CERT_STATUS_PINNED_KEY_MISSING)
639 flags->AppendString("CERT_STATUS_PINNED_KEY_MISSING");
640 if (verify_result.cert_status & net::CERT_STATUS_NAME_CONSTRAINT_VIOLATION)
641 flags->AppendString("CERT_STATUS_NAME_CONSTRAINT_VIOLATION");
642 }
643 if (verify_result.cert_status & net::CERT_STATUS_IS_EV)
644 flags->AppendString("CERT_STATUS_IS_EV");
645 if (verify_result.cert_status & net::CERT_STATUS_REV_CHECKING_ENABLED)
646 flags->AppendString("CERT_STATUS_REV_CHECKING_ENABLED");
647 results->Set("cert_status.flags_set", flags);
648
649 base::ListValue* hashes = new base::ListValue();
650 for (vector<net::HashValue>::iterator it =
Ryan Sleevi 2014/05/30 22:46:24 When iterating in loops, prefer a const_iterator t
mshelley 2014/05/31 00:38:19 Done.
651 verify_result.public_key_hashes.begin();
652 it != verify_result.public_key_hashes.end();
653 it++) {
654 hashes->AppendString(it->ToString());
655 }
656
657 results->Set("public_key_hashes", hashes);
658
659 return results;
660 }
661 }
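Review bot: `CertVerifyResultCallback` (new lines 599-600) takes `net::CertVerifyResult verify_result` by value, so the whole result, including the `public_key_hashes` vector, is copied on every invocation in addition to the copy `base::Bind` already stores at new line 363. Taking it as `const net::CertVerifyResult& verify_result` avoids the per-call copy on a path that runs for every completed verification job. The `log_level` parameter is never read in the body, so the status flags and key hashes are emitted identically at every log level; if that is intended, a one-line comment above the function saying so would save the next reader from wondering. Separately, the new side no longer lists `#include "net/base/net_log.h"` (old line 19) although the file still uses `net::NetLog`, so it appears to depend on a transitive include; restoring the direct include would keep the file self-contained.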