net/cert/multi_log_ct_verifier.cc - Issue 67513008: Certificate Transparency: Add the high-level interface for verifying SCTs over multiple logs

Side by Side Diff: net/cert/multi_log_ct_verifier.cc

Issue 67513008: Certificate Transparency: Add the high-level interface for verifying SCTs over multiple logs (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Fixed using of released pointer. Created 7 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

« net/cert/multi_log_ct_verifier.h ('K') | « net/cert/multi_log_ct_verifier.h ('k') | net/cert/multi_log_ct_verifier_unittest.cc » ('j') | net/data/ssl/certificates/ct-test-embedded-with-preca-chain.pem » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
(Empty)
	1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "net/cert/multi_log_ct_verifier.h"

	6

	7 #include "net/base/net_errors.h"

	8 #include "net/cert/ct_log_verifier.h"

	9 #include "net/cert/ct_objects_extractor.h"

	10 #include "net/cert/ct_serialization.h"

	11 #include "net/cert/ct_verify_result.h"

	12 #include "net/cert/signed_certificate_timestamp.h"
	wtc 2013/11/21 02:05:02 Nit: already included by the .h file. Nit: already included by the .h file. Eran M. (Google) 2013/11/21 20:06:02 Done. Show quoted text On 2013/11/21 02:05:02, wtc wrote: > > Nit: already included by the .h file. Done.
	13 #include "net/cert/x509_certificate.h"

	14

	15 namespace net {

	16

	17 MultiLogCTVerifier::MultiLogCTVerifier() {

	18 }

	19

	20 MultiLogCTVerifier::~MultiLogCTVerifier() { }
	wtc 2013/11/21 02:05:02 Nit: the constructor and destructor should use the Nit: the constructor and destructor should use the same style for an empty function body. wtc 2013/11/21 02:05:02 Nit: the constructor and destructor should use the Nit: the constructor and destructor should use the same style for an empty function body. Eran M. (Google) 2013/11/21 20:06:02 Done. Show quoted text On 2013/11/21 02:05:02, wtc wrote: > > Nit: the constructor and destructor should use the same style for an empty > function body. Done. Eran M. (Google) 2013/11/21 20:06:02 Done. Show quoted text On 2013/11/21 02:05:02, wtc wrote: > > Nit: the constructor and destructor should use the same style for an empty > function body. Done.
	21

	22 void MultiLogCTVerifier::AddLog(scoped_ptr<CTLogVerifier> log_verifier) {

	23 std::string log_id(log_verifier->key_id());

	24 logs_[log_id] = linked_ptr<CTLogVerifier>(log_verifier.release());
	wtc 2013/11/21 02:05:02 1. Nit: you should be able to do logs_[log_id].r 1. Nit: you should be able to do logs_[log_id].reset(log_verifier.release()); 2. Nit: It seems wrong to mix scoped_ptr and linked_ptr. Eran M. (Google) 2013/11/21 20:06:02 1. Done 2. Will look into changing the type of th Show quoted text On 2013/11/21 02:05:02, wtc wrote: > > 1. Nit: you should be able to do > logs_[log_id].reset(log_verifier.release()); > > 2. Nit: It seems wrong to mix scoped_ptr and linked_ptr. 1. Done 2. Will look into changing the type of the input parameter to linked_ptr as well wtc 2013/11/21 23:26:34 You can declare the \|log_verifier\| parameter as a Show quoted text On 2013/11/21 20:06:02, eranm wrote: > > 2. Will look into changing the type of the input parameter to linked_ptr as well You can declare the \|log_verifier\| parameter as a plain pointer and document that MultiLogCTVerifier takes ownership of \|log_verifier\|. Declaring \|log_verifier\| as a linked_ptr also seems fine. I am not an expert in this area, so my opinion may be wrong. Ryan Sleevi 2013/11/21 23:37:02 Taking a scoped_ptr<CTLogVerifier> and turning it Show quoted text On 2013/11/21 23:26:34, wtc wrote: > > On 2013/11/21 20:06:02, eranm wrote: > > > > 2. Will look into changing the type of the input parameter to linked_ptr as > well > > You can declare the \|log_verifier\| parameter as a plain pointer and document > that MultiLogCTVerifier takes ownership of \|log_verifier\|. > > Declaring \|log_verifier\| as a linked_ptr also seems fine. > > I am not an expert in this area, so my opinion may be wrong. Taking a scoped_ptr<CTLogVerifier> and turning it into a linked_ptr<> is the "Right Way". The scoped_ptr<> clearly communicates that ownership is transferred; this is the preferred pattern over documentation. Releasing it into a linked_ptr<> is also fine, as the ownership is then transferred into a linked_ptr<>. So this code looks fine to me. The only thing I'm not sure of is why you don't do linked_ptr<CTLogVerifier> log(log_verifier); logs_[log->key_id()] = log; I checked the C++03 spec and couldn't find a guarantee that logs_[log_verifier->key_id()] = linked_ptr<...> was safe (even though I'm 95% sure it is), but at least with the above construct, you trade a malloc (since the default small-string optimization size for GCC and MSVC is ~16 bytes, and ISTR that key IDs are ~20 bytes) for an int inc/dec (to the linked_ptr's refcount) Eran M. (Google) 2013/11/23 21:02:06 Done as Ryan suggested - only modification is I've Show quoted text On 2013/11/21 23:37:02, Ryan Sleevi wrote: > On 2013/11/21 23:26:34, wtc wrote: > > > > On 2013/11/21 20:06:02, eranm wrote: > > > > > > 2. Will look into changing the type of the input parameter to linked_ptr as > > well > > > > You can declare the \|log_verifier\| parameter as a plain pointer and document > > that MultiLogCTVerifier takes ownership of \|log_verifier\|. > > > > Declaring \|log_verifier\| as a linked_ptr also seems fine. > > > > I am not an expert in this area, so my opinion may be wrong. > > Taking a scoped_ptr<CTLogVerifier> and turning it into a linked_ptr<> is the > "Right Way". The scoped_ptr<> clearly communicates that ownership is > transferred; this is the preferred pattern over documentation. Releasing it into > a linked_ptr<> is also fine, as the ownership is then transferred into a > linked_ptr<>. > > So this code looks fine to me. > > The only thing I'm not sure of is why you don't do > linked_ptr<CTLogVerifier> log(log_verifier); > logs_[log->key_id()] = log; > > I checked the C++03 spec and couldn't find a guarantee that > logs_[log_verifier->key_id()] = linked_ptr<...> was safe (even though I'm 95% > sure it is), but at least with the above construct, you trade a malloc (since > the default small-string optimization size for GCC and MSVC is ~16 bytes, and > ISTR that key IDs are ~20 bytes) for an int inc/dec (to the linked_ptr's > refcount) > Done as Ryan suggested - only modification is I've initialized log with log_verifier.release(). wtc 2013/11/25 01:48:32 I think logs_[log_id].reset(log_verifier.relea Show quoted text On 2013/11/21 23:37:02, Ryan Sleevi wrote: > > So this code looks fine to me. > > The only thing I'm not sure of is why you don't do > linked_ptr<CTLogVerifier> log(log_verifier); > logs_[log->key_id()] = log; > > I checked the C++03 spec and couldn't find a guarantee that > logs_[log_verifier->key_id()] = linked_ptr<...> was safe (even though I'm 95% > sure it is), but at least with the above construct, you trade a malloc (since > the default small-string optimization size for GCC and MSVC is ~16 bytes, and > ISTR that key IDs are ~20 bytes) for an int inc/dec (to the linked_ptr's > refcount) I think logs_[log_id].reset(log_verifier.release()); is cheaper because it avoids a linked_ptr constructor and destructor call, which is why I suggested it. It seems that the reset() method is intended exactly for taking a plain pointer. I am curious why you prefer the assignment operator. wtc 2013/11/25 23:01:59 Thanks for the explanation. You wrote: Thanks for the explanation. You wrote: Show quoted text > It's the same cost (aka trivial). However, the syntax of the assignment allows > for an optimization > > logs_[log_id].reset() is equivalent to > logs_.insert(make_pair(log_id, > linked_ptr<LogVerifier>())).second.first.reset() > > logs_[log_id] = linked_ptr<...> is equivalent to > logs_.insert(make_pair(log_id, linked_ptr<LogVerifier>())).second.first = ... > > Which is roughly the same, except because of the assignment, may be RVO'd, > whereas .reset() cannot. So the local variable \|log\| in linked_ptr<CTLogVerifier> log(log_verifier.release()); logs_[log->key_id()] = log; can used by the compiler (through RVO) as the second argument for the make_pair in the equivalent code you showed? I am surprised the compiler can pull that off. That would indeed be cheaper than using reset(), which doesn't require a link_ptr local variable or temporary object but requires constructing an empty linked_ptr for make_pair.
	25 }

	26

	27 int MultiLogCTVerifier::Verify(

	28 X509Certificate* verified_cert,

	29 const std::string& sct_list_from_ocsp,

	30 const std::string& sct_list_from_tls_handshake,

	31 ct::CTVerifyResult* result) {

	32 DCHECK(verified_cert);

	33 DCHECK(result);

	34

	35 result->verified_scts.clear();

	36 result->unverified_scts.clear();

	37 result->unknown_logs_scts.clear();

	38

	39 bool has_verified_scts = false;

	40

	41 std::string embedded_scts;

	42 if (!verified_cert->GetIntermediateCertificates().empty() &&

	43 ct::ExtractEmbeddedSCTList(

	44 verified_cert->os_cert_handle(),

	45 &embedded_scts)) {
	wtc 2013/11/21 02:05:02 Nit: indent by four spaces with respect to "ct::Ex Nit: indent by four spaces with respect to "ct::ExtractEmbeddedSCTList(". Eran M. (Google) 2013/11/21 20:06:02 Done. Show quoted text On 2013/11/21 02:05:02, wtc wrote: > > Nit: indent by four spaces with respect to "ct::ExtractEmbeddedSCTList(". Done.
	46 ct::LogEntry embedded_log_entry;
	wtc 2013/11/21 02:05:02 Nit: if the \|x509_entry\| variable you declare belo Nit: if the \|x509_entry\| variable you declare below is also an embedded log entry, then I suggest renaming this variable to "precert_entry". Eran M. (Google) 2013/11/21 20:06:02 Done. Show quoted text On 2013/11/21 02:05:02, wtc wrote: > > Nit: if the \|x509_entry\| variable you declare below is also an embedded log > entry, then I suggest renaming this variable to "precert_entry". Done.
	47

	48 has_verified_scts =

	49 ct::GetPrecertLogEntry(
	wtc 2013/11/21 02:05:02 Nit: indent by four spaces. Nit: indent by four spaces. Eran M. (Google) 2013/11/21 20:06:02 Done. Show quoted text On 2013/11/21 02:05:02, wtc wrote: > > Nit: indent by four spaces. Done.
	50 verified_cert->os_cert_handle(),

	51 verified_cert->GetIntermediateCertificates().front(),

	52 &embedded_log_entry) &&

	53 VerifySCTs(

	54 embedded_scts,

	55 embedded_log_entry,

	56 ct::SignedCertificateTimestamp::SCT_EMBEDDED,

	57 result);

	58 }

	59

	60 ct::LogEntry x509_entry;

	61 if (!ct::GetX509LogEntry(verified_cert->os_cert_handle(), &x509_entry)) {

	62 return has_verified_scts ? OK : ERR_FAILED;
	wtc 2013/11/21 02:05:02 IMPORTANT: use a more informative error code than IMPORTANT: use a more informative error code than ERR_FAILED. You can add a new error code to net/base/net_error_list.h for CT verification. Eran M. (Google) 2013/11/21 20:06:02 Done - ended up adding another category for the va Show quoted text On 2013/11/21 02:05:02, wtc wrote: > > IMPORTANT: use a more informative error code than ERR_FAILED. You can add a new > error code to net/base/net_error_list.h for CT verification. Done - ended up adding another category for the various CT errors. PTAL and let me know if it better fits one of the existing sections.
	63 }
	wtc 2013/11/21 02:05:02 Nit: omit curly braces. Nit: omit curly braces. Eran M. (Google) 2013/11/21 20:06:02 Done. Show quoted text On 2013/11/21 02:05:02, wtc wrote: > > Nit: omit curly braces. Done.
	64

	65 has_verified_scts \|= VerifySCTs(

	66 sct_list_from_ocsp,

	67 x509_entry,

	68 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE,

	69 result);

	70

	71 has_verified_scts \|= VerifySCTs(

	72 sct_list_from_tls_handshake,

	73 x509_entry,

	74 ct::SignedCertificateTimestamp::SCT_FROM_TLS_HANDSHAKE,

	75 result);

	76

	77 //XXX(eranm): Add a specific error code to indicate no presence

	78 // of SCTs at all.

	79 return has_verified_scts ? OK : ERR_FAILED;

	80 }

	81

	82 bool MultiLogCTVerifier::VerifySCTs(

	83 const std::string& encoded_sct_list,

	84 const ct::LogEntry& expected_entry,

	85 ct::SignedCertificateTimestamp::Origin origin,

	86 ct::CTVerifyResult* result) {

	87 if (logs_.empty())

	88 return false;

	89

	90 base::StringPiece temp(encoded_sct_list);

	91 std::vector<base::StringPiece> sct_list;

	92

	93 if (!ct::DecodeSCTList(&temp, &sct_list))

	94 return false;

	95

	96 bool verified = false;

	97 for (std::vector<base::StringPiece>::const_iterator it = sct_list.begin();

	98 it != sct_list.end(); ++it) {

	99 base::StringPiece encoded_sct(*it);

	100 ct::SignedCertificateTimestamp decoded_sct;

	101 if (!DecodeSignedCertificateTimestamp(&encoded_sct, &decoded_sct)) {

	102 // XXX(rsleevi): Should we really just skip over bad SCTs?

	103 continue;

	104 }

	105 decoded_sct.origin = origin;

	106

	107 verified \|= VerifySingleSCT(decoded_sct, expected_entry, result);

	108 }

	109

	110 return verified;

	111 }

	112

	113 bool MultiLogCTVerifier::VerifySingleSCT(

	114 const ct::SignedCertificateTimestamp& sct,

	115 const ct::LogEntry& expected_entry,

	116 ct::CTVerifyResult* result) {

	117

	118 // Assume this SCT is untrusted until proven otherwise.

	119 result->unverified_scts.push_back(sct);
	wtc 2013/11/21 02:05:02 Nit: it seems clearer to just push \|sct\| to the ap Nit: it seems clearer to just push \|sct\| to the appropriate member of \|result\| before each return statement. This way the person who reads this code doesn't need to check where we need to pop_back(). Eran M. (Google) 2013/11/21 20:06:02 Done - that was my attempt at defensive programmin Show quoted text On 2013/11/21 02:05:02, wtc wrote: > > Nit: it seems clearer to just push \|sct\| to the appropriate member of \|result\| > before each return statement. This way the person who reads this code doesn't > need to check where we need to pop_back(). Done - that was my attempt at defensive programming, does not sound like it's necessary.
	120

	121 IDToLogMap::iterator it = logs_.find(sct.log_id);

	122 if (it == logs_.end()) {

	123 DVLOG(1) << "SCT does not match any known log.";

	124 result->unverified_scts.pop_back();

	125 result->unknown_logs_scts.push_back(sct);

	126 return false;

	127 }

	128

	129 if (!it->second->Verify(expected_entry, sct)) {

	130 DVLOG(1) << "Unable to verify SCT signature.";

	131 return false;

	132 }

	133

	134 // SCT verified ok, just make sure the timestamp is legitimate.

	135 if (sct.timestamp + base::TimeDelta::FromSeconds(1) > base::Time::Now()) {
	wtc 2013/11/21 02:05:02 Should add a comment to explain why we need to add Should add a comment to explain why we need to add one second. Eran M. (Google) 2013/11/21 20:06:02 Done, although I'll be the first to admit it's not Show quoted text On 2013/11/21 02:05:02, wtc wrote: > > Should add a comment to explain why we need to add one second. Done, although I'll be the first to admit it's not a convincing one. The basic reasoning is to not disqualify SCTs which have just been issued in case the client and log's clocks are not in perfect sync. This is taken from here: https://code.google.com/p/certificate-transparency/source/browse/src/log/log_...
	136 DVLOG(1) << "SCT is from the future!";

	137 return false;

	138 }

	139

	140 result->unverified_scts.pop_back();

	141 result->verified_scts.push_back(sct);

	142 return true;

	143 }

	144

	145 } // namespace net

OLD	NEW