Certificate Transparency: Logging SCTs to the NetLog.

net/cert/ct_signed_certificate_timestamp_log_param.cc

Index: net/cert/ct_signed_certificate_timestamp_log_param.cc
diff --git a/net/cert/ct_signed_certificate_timestamp_log_param.cc b/net/cert/ct_signed_certificate_timestamp_log_param.cc
new file mode 100644
index 0000000000000000000000000000000000000000..f3025125bebb54900ef8ba84816ecaa92ac429fc
--- /dev/null
+++ b/net/cert/ct_signed_certificate_timestamp_log_param.cc
@@ -0,0 +1,131 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/ct_signed_certificate_timestamp_log_param.h"
+
+#include <algorithm>
+#include <string>
+
+#include "base/base64.h"
+#include "base/strings/stringprintf.h"
+#include "base/values.h"
+#include "net/cert/ct_verify_result.h"
+#include "net/cert/signed_certificate_timestamp.h"
+
+namespace net {
+
+namespace ct {
+
+namespace {
+
+void GetSCTFieldsAsStrings(

[eroman, 2013/11/27 00:03:20]

I don't understand this --> why not write directly into a base::Value? The
indirection of writing to a std::map and then transferring to a
base::DictionaryValue seems unnecessary.

[Eran M. (Google), 2013/11/27 12:40:22]

Done - this was leftover from a previous attempt in implementation, not
necessary anymore.

+    const SignedCertificateTimestamp& sct,
+    std::map<std::string, std::string>* out) {
+  std::string origin_string;
+  switch (sct.origin) {
+    case SignedCertificateTimestamp::SCT_EMBEDDED:
+      origin_string = "embedded_in_certificate";
+      break;
+    case SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION:
+      origin_string = "tls_extension";
+      break;
+    case SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE:
+      origin_string = "ocsp";
+      break;
+  }
+
+  (*out)["origin"] = origin_string;
+  (*out)["version"] = base::StringPrintf("%d", sct.version);

[eroman, 2013/11/27 00:03:20]

sct.version as I understand is an unsigned value (enum), so technically %d isn't
the right choice. Since this is being written into a base::DictionaryValue and
will be jsonified you can write it out directly as a number for the interchange.

[Eran M. (Google), 2013/11/27 12:40:22]

Done - I assume you meant base::DictionaryValue::SetInteger?

[eroman, 2013/11/27 20:39:55]

Correct.

+  base::Base64Encode(sct.log_id, &((*out)["log_id"]));

[eroman, 2013/11/27 00:03:20]

what is the format of the log_id? base::Values can directly receive a UTF-8
string if it is already one.

[Eran M. (Google), 2013/11/27 12:40:22]

It's not a human-readable string, but a hash of a public key, so I'm base-64
encoding it.

+  base::TimeDelta time_since_epoch = sct.timestamp - base::Time::UnixEpoch();
+  (*out)["timestamp"] =
+      base::StringPrintf("%lld", time_since_epoch.InMilliseconds());

[eroman, 2013/11/27 00:03:20]

things like base::Int64ToString() would be cleaner.

[Eran M. (Google), 2013/11/27 12:40:22]

Done.

+  base::Base64Encode(sct.extensions, &((*out)["extensions"]));
+  (*out)["hash_algorithm"] =
+      base::StringPrintf("%d", sct.signature.hash_algorithm);

[eroman, 2013/11/27 00:03:20]

Same nit, i believe this is an unsigned value. Moreover doesn't need to be
serialized to a string, can be left as a Number.

[Eran M. (Google), 2013/11/27 12:40:22]

Done and done, for both values.

+  (*out)["signature_algorithm"] =
+      base::StringPrintf("%d", sct.signature.signature_algorithm);
+  base::Base64Encode(sct.signature.signature_data, &((*out)["signature_data"]));
+}
+
+class AddToDictionary {
+  public:
+    AddToDictionary(base::DictionaryValue* dict) : dict_(dict) {}

[eroman, 2013/11/27 00:03:20]

Explicit. But really I don't believe this class should exist, since can directly
populate the base::Value without generating a map<> first.

[Eran M. (Google), 2013/11/27 12:40:22]

Removed this class together with the associated map use.

+    ~AddToDictionary() {}
+
+    void operator()(const std::pair<std::string, std::string>& p) {
+      dict_->Set(p.first, new base::StringValue(p.second));

[eroman, 2013/11/27 00:03:20]

dict_->SetString()

[Eran M. (Google), 2013/11/27 12:40:22]

Done - removed class.

+    }
+
+  private:
+    base::DictionaryValue* dict_;
+};
+
+base::ListValue* SCTListToPrintableValues(
+    const ct::SCTList& sct_list) {
+
+  base::ListValue* output_scts = new base::ListValue();
+  for (ct::SCTList::const_iterator it = sct_list.begin();
+      it != sct_list.end();
+      ++it) {
+    std::map<std::string, std::string> sct_fields;
+    GetSCTFieldsAsStrings(*(it->get()), &sct_fields);
+
+    base::DictionaryValue* sct_dict = new base::DictionaryValue();
+    std::for_each(
+        sct_fields.begin(), sct_fields.end(), AddToDictionary(sct_dict));
+    output_scts->Append(sct_dict);
+  }
+
+  return output_scts;
+}
+
+void AddBase64EncodedStringToDictionary(
+    base::DictionaryValue* dict,
+    const char* description,
+    const std::string& data) {
+
+  std::string b64_data;
+  base::Base64Encode(data, &b64_data);
+
+  dict->Set(description, new base::StringValue(b64_data));

[eroman, 2013/11/27 00:03:20]

dict->SetString()

[Eran M. (Google), 2013/11/27 12:40:22]

Done.

[Eran M. (Google), 2013/11/27 12:40:22]

Done.

+}
+
+}  // namespace
+
+}  // namespace ct
+
+base::Value* NetLogSignedCertificateTimestampCallback(
+    const ct::CTVerifyResult* ct_result, NetLog::LogLevel log_level) {
+  base::DictionaryValue* dict = new base::DictionaryValue();
+
+  dict->Set("verified_scts",
+      ct::SCTListToPrintableValues(ct_result->verified_scts));
+
+  dict->Set("failed_to_verify_scts",
+      ct::SCTListToPrintableValues(ct_result->unverified_scts));
+
+  dict->Set("scts_from_unknown_logs",
+      ct::SCTListToPrintableValues(ct_result->unknown_logs_scts));
+
+  return dict;
+}
+
+base::Value* NetLogRawSignedCertificateTimestampCallback(
+    const std::string* embedded_scts,
+    const std::string* sct_list_from_ocsp,
+    const std::string* sct_list_from_tls_extension,
+    NetLog::LogLevel log_level) {
+  base::DictionaryValue* dict = new base::DictionaryValue();
+
+  ct::AddBase64EncodedStringToDictionary(dict, "embedded_scts", *embedded_scts);
+  ct::AddBase64EncodedStringToDictionary(
+      dict, "scts_from_ocsp_response", *sct_list_from_ocsp);
+  ct::AddBase64EncodedStringToDictionary(
+      dict, "scts_from_tls_extension", *sct_list_from_tls_extension);
+
+  return dict;
+}
+
+}  // namespace net