Change the HTTP cache to cache the entire certificate chain for SSL sites

net/http/http_response_info.cc

-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_response_info.h"
 
 #include "base/logging.h"
 #include "base/pickle.h"
 #include "base/time.h"
 #include "net/base/auth.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/base/ssl_cert_request_info.h"
 #include "net/base/x509_certificate.h"
 #include "net/http/http_response_headers.h"
 
 using base::Time;
 
 namespace net {
 
 // These values can be bit-wise combined to form the flags field of the
 // serialized HttpResponseInfo.
 enum {
   // The version of the response info used when persisting response info.
-  RESPONSE_INFO_VERSION = 1,
+  RESPONSE_INFO_VERSION = 2,
+
+  // The minimum version supported for deserializing response info.
+  RESPONSE_INFO_MINIMUM_VERSION = 1,
 
   // We reserve up to 8 bits for the version number.
   RESPONSE_INFO_VERSION_MASK = 0xFF,
 
   // This bit is set if the response info has a cert at the end.
   RESPONSE_INFO_HAS_CERT = 1 << 8,
 
   // This bit is set if the response info has a security-bits field (security
   // strength, in bits, of the SSL connection) at the end.
   RESPONSE_INFO_HAS_SECURITY_BITS = 1 << 9,
@@ skipping 65 matching lines @@
 
 bool HttpResponseInfo::InitFromPickle(const Pickle& pickle,
                                       bool* response_truncated) {
   void* iter = NULL;
 
   // read flags and verify version
   int flags;
   if (!pickle.ReadInt(&iter, &flags))
     return false;
   int version = flags & RESPONSE_INFO_VERSION_MASK;
-  if (version != RESPONSE_INFO_VERSION) {
+  if (version < RESPONSE_INFO_MINIMUM_VERSION ||
+      version > RESPONSE_INFO_VERSION) {
     DLOG(ERROR) << "unexpected response info version: " << version;
     return false;
   }
 
   // read request-time
   int64 time_val;
   if (!pickle.ReadInt64(&iter, &time_val))
     return false;
   request_time = Time::FromInternalValue(time_val);
   was_cached = true;  // Set status to show cache resurrection.
 
   // read response-time
   if (!pickle.ReadInt64(&iter, &time_val))
     return false;
   response_time = Time::FromInternalValue(time_val);
 
   // read response-headers
   headers = new HttpResponseHeaders(pickle, &iter);
   DCHECK_NE(headers->response_code(), -1);
 
   // read ssl-info
   if (flags & RESPONSE_INFO_HAS_CERT) {
-    ssl_info.cert =
-        X509Certificate::CreateFromPickle(pickle, &iter);
+    // Version 1 only serialized only the end-entity certificate,

[rvargas (doing something else), 2011/04/20 23:51:14]

nit: extra only

+    // while subsequent versions include the entire chain.

[wtc, 2011/04/20 23:07:58]

This comment should be moved (or copied) to the definition of
RESPONSE_INFO_HAS_CERT at lines 33-34 above.

+    X509Certificate::PickleType type = (version == 1) ?
+        X509Certificate::PICKLETYPE_SINGLE_CERTIFICATE :
+        X509Certificate::PICKLETYPE_CERTIFICATE_CHAIN;
+    ssl_info.cert = X509Certificate::CreateFromPickle(pickle, &iter, type);
   }
   if (flags & RESPONSE_INFO_HAS_CERT_STATUS) {
     int cert_status;
     if (!pickle.ReadInt(&iter, &cert_status))
       return false;
     ssl_info.cert_status = cert_status;
   }
   if (flags & RESPONSE_INFO_HAS_SECURITY_BITS) {
     int security_bits;
     if (!pickle.ReadInt(&iter, &security_bits))
@@ skipping 78 matching lines @@
   }
 
   if (vary_data.is_valid())
     vary_data.Persist(pickle);
 
   pickle->WriteString(socket_address.host());
   pickle->WriteUInt16(socket_address.port());
 }
 
 }  // namespace net