Change the HTTP cache to cache the entire certificate chain for SSL sites

net/base/x509_certificate.h

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_X509_CERTIFICATE_H_
 #define NET_BASE_X509_CERTIFICATE_H_
 #pragma once
 
 #include <string.h>
 
@@ skipping 61 matching lines @@
   class LessThan {
    public:
     bool operator() (X509Certificate* lhs,  X509Certificate* rhs) const;
   };
 
   // Where the certificate comes from.  The enumeration constants are
   // listed in increasing order of preference.
   enum Source {
     SOURCE_UNUSED = 0,            // The source_ member is not used.
     SOURCE_LONE_CERT_IMPORT = 1,  // From importing a certificate without
-                                  // its intermediate CA certificates.
-    SOURCE_FROM_NETWORK = 2,      // From the network.
+                                  // any intermediate CA certificates.
+    SOURCE_FROM_CACHE = 2,        // From the disk cache - which contains
+                                  // intermediate CA certificates, but may be
+                                  // stale.
+    SOURCE_FROM_NETWORK = 3,      // From the network.
   };

[wtc, 2011/04/20 23:07:58]

IMPORTANT: I added the enum Source to work around this bug.
Therefore, when we fixed this bug, we should be able to
remove enum Source, rather than extending it.

SOURCE_LONE_CERT_IMPORT was intended to mean importing a
certificate from the HTTP cache.  So it is exactly what
SOURCE_FROM_CACHE is, for version 1.

In any case, please try to remove enum Source.

[Ryan Sleevi, 2011/04/20 23:59:10]

The motivation for extending it in M12 was to minimize a regression of the
original issue. Because the user's existing cache only contains single
certificates, any cached resources the user loads after upgrading to M12 would
regress, while any newly cached resources would be fine.

By deferring removal to M13 (as part of the X509Certificate* cache changes),
this allowed a full release for users to transition from single-cert V1 to
chained V2. This should reduce the potential impact to just users who skip M12
entirely.

The preference here is:
1) < M12 HTTP Cache (cached EE only)
2) M12 HTTP Cache (cached EE + cached intermediates)
3) Network in current browsing session (EE + intermediates)

 
   enum VerifyFlags {
     VERIFY_REV_CHECKING_ENABLED = 1 << 0,
     VERIFY_EV_CERT = 1 << 1,
   };
 
   enum Format {
     // The data contains a single DER-encoded certificate, or a PEM-encoded
     // DER certificate with the PEM encoding block name of "CERTIFICATE".
     // Any subsequent blocks will be ignored.
     FORMAT_SINGLE_CERTIFICATE = 1 << 0,
 
     // The data contains a sequence of one or more PEM-encoded, DER
     // certificates, with the PEM encoding block name of "CERTIFICATE".
     // All PEM blocks will be parsed, until the first error is encountered.
     FORMAT_PEM_CERT_SEQUENCE = 1 << 1,
 
     // The data contains a PKCS#7 SignedData structure, whose certificates
     // member is to be used to initialize the certificate and intermediates.
     // The data may further be encoded using PEM, specifying block names of
     // either "PKCS7" or "CERTIFICATE".
     FORMAT_PKCS7 = 1 << 2,
 
     // Automatically detect the format.
     FORMAT_AUTO = FORMAT_SINGLE_CERTIFICATE | FORMAT_PEM_CERT_SEQUENCE |
                   FORMAT_PKCS7,
   };
 
+  enum PickleType {

[wtc, 2011/04/20 23:07:58]

The motivation for enum PickleType should be documented.
It is not obvious why PickleType does not apply to writing
a certificate to a Pickle unless one also looks at the
corresponding code in http_response_info.cc.

+    // When reading a certificate from a Pickle, the Pickle only contains a
+    // single certificate.
+    PICKLETYPE_SINGLE_CERTIFICATE,
+
+    // When reading a certificate from a Pickle, the Pickle contains the
+    // the certificate plus any certificates that were stored in
+    // |intermediate_ca_certificates_| at the time it was serialized.
+    PICKLETYPE_CERTIFICATE_CHAIN,
+  };
+
   // Creates a X509Certificate from the ground up.  Used by tests that simulate
   // SSL connections.
   X509Certificate(const std::string& subject, const std::string& issuer,
                   base::Time start_date, base::Time expiration_date);
 
   // Create an X509Certificate from a handle to the certificate object in the
   // underlying crypto library. |source| specifies where |cert_handle| comes
   // from.  Given two certificate handles for the same certificate, our
   // certificate cache prefers the handle from the network because our HTTP
   // cache isn't caching the corresponding intermediate CA certificates yet
   // (http://crbug.com/7065).
   // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
   static X509Certificate* CreateFromHandle(OSCertHandle cert_handle,
-      Source source,
-      const OSCertHandles& intermediates);
+                                           Source source,
+                                           const OSCertHandles& intermediates);
 
   // Create an X509Certificate from a chain of DER encoded certificates. The
   // first certificate in the chain is the end-entity certificate to which a
   // handle is returned. The other certificates in the chain are intermediate
   // certificates. See the comment for |CreateFromHandle| about the |source|
   // argument.
   // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
   static X509Certificate* CreateFromDERCertChain(
       const std::vector<base::StringPiece>& der_certs);
 
   // Create an X509Certificate from the DER-encoded representation.
   // Returns NULL on failure.
   //
   // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
   static X509Certificate* CreateFromBytes(const char* data, int length);
 
   // Create an X509Certificate from the representation stored in the given
   // pickle.  The data for this object is found relative to the given
   // pickle_iter, which should be passed to the pickle's various Read* methods.
   // Returns NULL on failure.
   //
   // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
   static X509Certificate* CreateFromPickle(const Pickle& pickle,
-                                           void** pickle_iter);
+                                           void** pickle_iter,
+                                           PickleType type);
 
   // Parses all of the certificates possible from |data|. |format| is a
   // bit-wise OR of Format, indicating the possible formats the
   // certificates may have been serialized as. If an error occurs, an empty
   // collection will be returned.
   static CertificateList CreateCertificateListFromBytes(const char* data,
                                                         int length,
                                                         int format);
 
   // Create a self-signed certificate containing the public key in |key|.
@@ skipping 220 matching lines @@
 
   // IsBlacklisted returns true if this certificate is explicitly blacklisted.
   bool IsBlacklisted() const;
 
   // IsSHA1HashInSortedArray returns true iff |hash| is in |array|, a sorted
   // array of SHA1 hashes.
   static bool IsSHA1HashInSortedArray(const SHA1Fingerprint& hash,
                                       const uint8* array,
                                       size_t array_byte_len);
 
+  // Reads a single certificate from |pickle| and returns a platform-specific
+  // certificate handle. The format of the certificate stored in |pickle| is
+  // not guaranteed to be the same across different underlying cryptographic
+  // libraries, nor acceptable to CreateFromBytes(). Returns an invalid
+  // handle, NULL, on failure.
+  static OSCertHandle ReadCertHandleFromPickle(const Pickle& pickle,
+                                               void** pickle_iter);
+
+  // Writes a single certificate to |pickle|. Returns false on failure.
+  static bool WriteCertHandleToPickle(OSCertHandle handle, Pickle* pickle);

[wtc, 2011/04/20 23:07:58]

Nit: these two function names should say "OSCertHandle" instead
of just "CertHandle".

+
   // The subject of the certificate.
   CertPrincipal subject_;
 
   // The issuer of the certificate.
   CertPrincipal issuer_;
 
   // This certificate is not valid before |valid_start_|
   base::Time valid_start_;
 
   // This certificate is not valid after |valid_expiry_|
@@ skipping 20 matching lines @@
 
   // Where the certificate comes from.
   Source source_;
 
   DISALLOW_COPY_AND_ASSIGN(X509Certificate);
 };
 
 }  // namespace net
 
 #endif  // NET_BASE_X509_CERTIFICATE_H_