net/cert/trial_comparison_cert_verifier.cc - chromium/src.git - Git at Google

 // Copyright 2018 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include "net/cert/trial_comparison_cert_verifier.h"

 #include <memory>
 #include <utility>

 #include "base/bind.h"
 #include "base/location.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/task/post_task.h"
 #include "base/values.h"
 #include "build/build_config.h"
 #include "crypto/sha2.h"
 #include "net/base/net_errors.h"
 #include "net/cert/cert_verify_proc.h"
 #include "net/cert/cert_verify_result.h"
 #include "net/cert/ev_root_ca_metadata.h"
 #include "net/cert/internal/cert_errors.h"
 #include "net/cert/internal/parsed_certificate.h"
 #include "net/cert/multi_threaded_cert_verifier.h"
 #include "net/cert/x509_util.h"
 #include "net/log/net_log.h"
 #include "net/log/net_log_event_type.h"
 #include "net/log/net_log_source_type.h"
 #include "net/log/net_log_with_source.h"

 namespace net {

 namespace {

 std::unique_ptr<base::Value> TrialVerificationJobResultCallback(
     bool trial_success,
     NetLogCaptureMode capture_mode) {
   std::unique_ptr<base::DictionaryValue> results(new base::DictionaryValue());
   results->SetKey("trial_success", base::Value(trial_success));
   return std::move(results);
 }

 bool CertVerifyResultEqual(const CertVerifyResult& a,
                            const CertVerifyResult& b) {
   return std::tie(a.cert_status, a.is_issued_by_known_root) ==
              std::tie(b.cert_status, b.is_issued_by_known_root) &&
          (!!a.verified_cert == !!b.verified_cert) &&
          (!a.verified_cert ||
           a.verified_cert->EqualsIncludingChain(b.verified_cert.get()));
 }

 scoped_refptr<ParsedCertificate> ParsedCertificateFromBuffer(
     CRYPTO_BUFFER* cert_handle,
     CertErrors* errors) {
   return ParsedCertificate::Create(bssl::UpRef(cert_handle),
                                    x509_util::DefaultParseCertificateOptions(),
                                    errors);
 }

 ParsedCertificateList ParsedCertificateListFromX509Certificate(
     const X509Certificate* cert) {
   CertErrors parsing_errors;

   ParsedCertificateList certs;
   scoped_refptr<ParsedCertificate> target =
       ParsedCertificateFromBuffer(cert->cert_buffer(), &parsing_errors);
   if (!target)
     return {};
   certs.push_back(target);

   for (const auto& buf : cert->intermediate_buffers()) {
     scoped_refptr<ParsedCertificate> intermediate =
         ParsedCertificateFromBuffer(buf.get(), &parsing_errors);
     if (!intermediate)
       return {};
     certs.push_back(intermediate);
   }

   return certs;
 }

 // Tests whether cert has multiple EV policies, and at least one matches the
 // root. This is not a complete test of EV, but just enough to give a possible
 // explanation as to why the platform verifier did not validate as EV while
 // builtin did. (Since only the builtin verifier correctly handles multiple
 // candidate EV policies.)
 bool CertHasMultipleEVPoliciesAndOneMatchesRoot(const X509Certificate* cert) {
   if (cert->intermediate_buffers().empty())
     return false;

   ParsedCertificateList certs = ParsedCertificateListFromX509Certificate(cert);
   if (certs.empty())
     return false;

   ParsedCertificate* leaf = certs.front().get();
   ParsedCertificate* root = certs.back().get();

   if (!leaf->has_policy_oids())
     return false;

   const EVRootCAMetadata* ev_metadata = EVRootCAMetadata::GetInstance();
   std::set<der::Input> candidate_oids;
   for (const der::Input& oid : leaf->policy_oids()) {
     if (ev_metadata->IsEVPolicyOIDGivenBytes(oid))
       candidate_oids.insert(oid);
   }

   if (candidate_oids.size() <= 1)
     return false;

   SHA256HashValue root_fingerprint;
   crypto::SHA256HashString(root->der_cert().AsStringPiece(),
                            root_fingerprint.data,
                            sizeof(root_fingerprint.data));

   for (const der::Input& oid : candidate_oids) {
     if (ev_metadata->HasEVPolicyOIDGivenBytes(root_fingerprint, oid))
       return true;
   }

   return false;
 }

 }  // namespace

 class TrialComparisonCertVerifier::TrialVerificationJob {
  public:
   TrialVerificationJob(const CertVerifier::Config& config,
                        const CertVerifier::RequestParams& params,
                        const NetLogWithSource& source_net_log,
                        TrialComparisonCertVerifier* cert_verifier,
                        int primary_error,
                        const CertVerifyResult& primary_result)
       : config_(config),
         config_changed_(false),
         params_(params),
         net_log_(
             NetLogWithSource::Make(source_net_log.net_log(),
                                    NetLogSourceType::TRIAL_CERT_VERIFIER_JOB)),
         cert_verifier_(cert_verifier),
         primary_error_(primary_error),
         primary_result_(primary_result) {
     net_log_.BeginEvent(NetLogEventType::TRIAL_CERT_VERIFIER_JOB);
     source_net_log.AddEvent(
         NetLogEventType::TRIAL_CERT_VERIFIER_JOB_COMPARISON_STARTED,
         net_log_.source().ToEventParametersCallback());
   }

   ~TrialVerificationJob() {
     if (cert_verifier_) {
       net_log_.AddEvent(NetLogEventType::CANCELLED);
       net_log_.EndEvent(NetLogEventType::TRIAL_CERT_VERIFIER_JOB);
     }
   }

   void Start() {
     // Unretained is safe because trial_request_ will cancel the callback on
     // destruction.
     int rv = cert_verifier_->trial_verifier()->Verify(
         params_, &trial_result_,
         base::BindOnce(&TrialVerificationJob::OnJobCompleted,
                        base::Unretained(this)),
         &trial_request_, net_log_);
     if (rv != ERR_IO_PENDING)
       OnJobCompleted(rv);
   }

   void OnConfigChanged() { config_changed_ = true; }

   void Finish(bool is_success, TrialComparisonResult result_code) {
     TrialComparisonCertVerifier* cert_verifier = cert_verifier_;
     cert_verifier_ = nullptr;

     UMA_HISTOGRAM_ENUMERATION("Net.CertVerifier_TrialComparisonResult",
                               result_code);

     net_log_.EndEvent(
         NetLogEventType::TRIAL_CERT_VERIFIER_JOB,
         base::BindRepeating(&TrialVerificationJobResultCallback, is_success));

     if (!is_success) {
       cert_verifier->report_callback_.Run(
           params_.hostname(), params_.certificate(),
           config_.enable_rev_checking,
           config_.require_rev_checking_local_anchors,
           config_.enable_sha1_local_anchors,
           config_.disable_symantec_enforcement, primary_result_, trial_result_);
     }

     // |this| is deleted after RemoveJob returns.
     cert_verifier->RemoveJob(this);
   }

   void FinishSuccess(TrialComparisonResult result_code) {
     Finish(true /* is_success */, result_code);
   }

   void FinishWithError() {
     DCHECK(trial_error_ != primary_error_ ||
            !CertVerifyResultEqual(trial_result_, primary_result_));

     TrialComparisonResult result_code = kInvalid;

     if (primary_error_ == OK && trial_error_ == OK) {
       result_code = kBothValidDifferentDetails;
     } else if (primary_error_ == OK) {
       result_code = kPrimaryValidSecondaryError;
     } else if (trial_error_ == OK) {
       result_code = kPrimaryErrorSecondaryValid;
     } else {
       result_code = kBothErrorDifferentDetails;
     }
     Finish(false /* is_success */, result_code);
   }

   void OnJobCompleted(int trial_result_error) {
     DCHECK(primary_result_.verified_cert);
     DCHECK(trial_result_.verified_cert);

     trial_error_ = trial_result_error;

     bool errors_equal = trial_result_error == primary_error_;
     bool details_equal = CertVerifyResultEqual(trial_result_, primary_result_);
     bool trial_success = errors_equal && details_equal;

     if (trial_success) {
       FinishSuccess(kEqual);
       return;
     }

 #if defined(OS_MACOSX)
     if (primary_error_ == ERR_CERT_REVOKED && !config_.enable_rev_checking &&
         !(primary_result_.cert_status & CERT_STATUS_REV_CHECKING_ENABLED) &&
         !(trial_result_.cert_status &
           (CERT_STATUS_REVOKED | CERT_STATUS_REV_CHECKING_ENABLED))) {
       if (config_changed_) {
         FinishSuccess(kIgnoredConfigurationChanged);
         return;
       }
       // CertVerifyProcMac does some revocation checking even if we didn't want
       // it. Try verifying with the trial verifier with revocation checking
       // enabled, see if it then returns REVOKED.

       int rv = cert_verifier_->revocation_trial_verifier()->Verify(
           params_, &reverification_result_,
           base::BindOnce(
               &TrialVerificationJob::OnMacRevcheckingReverificationJobCompleted,
               base::Unretained(this)),
           &reverification_request_, net_log_);
       if (rv != ERR_IO_PENDING)
         OnMacRevcheckingReverificationJobCompleted(rv);
       return;
     }
 #endif

     const bool chains_equal =
         primary_result_.verified_cert->EqualsIncludingChain(
             trial_result_.verified_cert.get());

     if (!chains_equal && (trial_error_ == OK || primary_error_ != OK)) {
       if (config_changed_) {
         FinishSuccess(kIgnoredConfigurationChanged);
         return;
       }
       // Chains were different, reverify the trial_result_.verified_cert chain
       // using the platform verifier and compare results again.
       RequestParams reverification_params(trial_result_.verified_cert,
                                           params_.hostname(), params_.flags(),
                                           params_.ocsp_response());

       int rv = cert_verifier_->primary_reverifier()->Verify(
           reverification_params, &reverification_result_,
           base::BindOnce(&TrialVerificationJob::
                              OnPrimaryReverifiyWithSecondaryChainCompleted,
                          base::Unretained(this)),
           &reverification_request_, net_log_);
       if (rv != ERR_IO_PENDING)
         OnPrimaryReverifiyWithSecondaryChainCompleted(rv);
       return;
     }

     TrialComparisonResult ignorable_difference =
         IsSynchronouslyIgnorableDifference(primary_error_, primary_result_,
                                            trial_error_, trial_result_);
     if (ignorable_difference != kInvalid) {
       FinishSuccess(ignorable_difference);
       return;
     }

     FinishWithError();
   }

   // Check if the differences between the primary and trial verifiers can be
   // ignored. This only handles differences that can be checked synchronously.
   // If the difference is ignorable, returns the relevant TrialComparisonResult,
   // otherwise returns kInvalid.
   static TrialComparisonResult IsSynchronouslyIgnorableDifference(
       int primary_error,
       const CertVerifyResult& primary_result,
       int trial_error,
       const CertVerifyResult& trial_result) {
     DCHECK(primary_result.verified_cert);
     DCHECK(trial_result.verified_cert);

     if (primary_error == OK &&
         primary_result.verified_cert->intermediate_buffers().empty()) {
       // Platform may support trusting a leaf certificate directly. Builtin
       // verifier does not. See https://crbug.com/814994.
       return kIgnoredLocallyTrustedLeaf;
     }

     const bool chains_equal =
         primary_result.verified_cert->EqualsIncludingChain(
             trial_result.verified_cert.get());

     if (chains_equal && (trial_result.cert_status & CERT_STATUS_IS_EV) &&
         !(primary_result.cert_status & CERT_STATUS_IS_EV) &&
         (primary_error == trial_error)) {
       // The platform CertVerifyProc impls only check a single potential EV
       // policy from the leaf.  If the leaf had multiple policies, builtin
       // verifier may verify it as EV when the platform verifier did not.
       if (CertHasMultipleEVPoliciesAndOneMatchesRoot(
               trial_result.verified_cert.get())) {
         return kIgnoredMultipleEVPoliciesAndOneMatchesRoot;
       }
     }
     return kInvalid;
   }

 #if defined(OS_MACOSX)
   void OnMacRevcheckingReverificationJobCompleted(int reverification_error) {
     if (reverification_error == ERR_CERT_REVOKED) {
       FinishSuccess(kIgnoredMacUndesiredRevocationChecking);
       return;
     }
     FinishWithError();
   }
 #endif

   void OnPrimaryReverifiyWithSecondaryChainCompleted(int reverification_error) {
     if (reverification_error == trial_error_ &&
         CertVerifyResultEqual(reverification_result_, trial_result_)) {
       // The new result matches the builtin verifier, so this was just
       // a difference in the platform's path-building ability.
       // Ignore the difference.
       FinishSuccess(kIgnoredDifferentPathReVerifiesEquivalent);
       return;
     }

     if (IsSynchronouslyIgnorableDifference(reverification_error,
                                            reverification_result_, trial_error_,
                                            trial_result_) != kInvalid) {
       // The new result matches if ignoring differences. Still use the
       // |kIgnoredDifferentPathReVerifiesEquivalent| code rather than the
       // result of IsSynchronouslyIgnorableDifference, since it's the higher
       // level description of what the difference is in this case.
       FinishSuccess(kIgnoredDifferentPathReVerifiesEquivalent);
       return;
     }

     FinishWithError();
   }

  private:
   const CertVerifier::Config config_;
   bool config_changed_;
   const CertVerifier::RequestParams params_;
   const NetLogWithSource net_log_;
   TrialComparisonCertVerifier* cert_verifier_;  // Non-owned.

   // Results from the trial verification.
   int trial_error_;
   CertVerifyResult trial_result_;
   std::unique_ptr<CertVerifier::Request> trial_request_;

   // Saved results of the primary verification.
   int primary_error_;
   const CertVerifyResult primary_result_;

   // Results from re-verification attempt.
   CertVerifyResult reverification_result_;
   std::unique_ptr<CertVerifier::Request> reverification_request_;

   DISALLOW_COPY_AND_ASSIGN(TrialVerificationJob);
 };

 TrialComparisonCertVerifier::TrialComparisonCertVerifier(
     bool initial_allowed,
     scoped_refptr<CertVerifyProc> primary_verify_proc,
     scoped_refptr<CertVerifyProc> trial_verify_proc,
     ReportCallback report_callback)
     : allowed_(initial_allowed),
       report_callback_(report_callback),
       primary_verifier_(
           MultiThreadedCertVerifier::CreateForDualVerificationTrial(
               primary_verify_proc,
               // Unretained is safe since the callback won't be called after
               // |primary_verifier_| is destroyed.
               base::BindRepeating(
                   &TrialComparisonCertVerifier::OnPrimaryVerifierComplete,
                   base::Unretained(this)),
               true /* should_record_histograms */)),
       primary_reverifier_(
           std::make_unique<MultiThreadedCertVerifier>(primary_verify_proc)),
       trial_verifier_(MultiThreadedCertVerifier::CreateForDualVerificationTrial(
           trial_verify_proc,
           // Unretained is safe since the callback won't be called after
           // |trial_verifier_| is destroyed.
           base::BindRepeating(
               &TrialComparisonCertVerifier::OnTrialVerifierComplete,
               base::Unretained(this)),
           false /* should_record_histograms */)),
       revocation_trial_verifier_(
           MultiThreadedCertVerifier::CreateForDualVerificationTrial(
               trial_verify_proc,
               // Unretained is safe since the callback won't be called after
               // |trial_verifier_| is destroyed.
               base::BindRepeating(
                   &TrialComparisonCertVerifier::OnTrialVerifierComplete,
                   base::Unretained(this)),
               false /* should_record_histograms */)) {
   CertVerifier::Config config;
   config.enable_rev_checking = true;
   revocation_trial_verifier_->SetConfig(config);
 }

 TrialComparisonCertVerifier::~TrialComparisonCertVerifier() = default;

 int TrialComparisonCertVerifier::Verify(const RequestParams& params,
                                         CertVerifyResult* verify_result,
                                         CompletionOnceCallback callback,
                                         std::unique_ptr<Request>* out_req,
                                         const NetLogWithSource& net_log) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);

   return primary_verifier_->Verify(params, verify_result, std::move(callback),
                                    out_req, net_log);
 }

 void TrialComparisonCertVerifier::SetConfig(const Config& config) {
   config_ = config;

   primary_verifier_->SetConfig(config);
   primary_reverifier_->SetConfig(config);
   trial_verifier_->SetConfig(config);

   // Always enable revocation checking for the revocation trial verifier.
   CertVerifier::Config config_with_revocation = config;
   config_with_revocation.enable_rev_checking = true;
   revocation_trial_verifier_->SetConfig(config_with_revocation);

   // Notify all in-process jobs that the underlying configuration has changed.
   for (auto& job : jobs_) {
     job->OnConfigChanged();
   }
 }

 void TrialComparisonCertVerifier::OnPrimaryVerifierComplete(
     const RequestParams& params,
     const NetLogWithSource& net_log,
     int primary_error,
     const CertVerifyResult& primary_result,
     base::TimeDelta primary_latency,
     bool is_first_job) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);

   if (!trial_allowed())
     return;

   // Only record the TrialPrimary histograms for the same set of requests
   // that TrialSecondary histograms will be recorded for, in order to get a
   // direct comparison.
   UMA_HISTOGRAM_CUSTOM_TIMES("Net.CertVerifier_Job_Latency_TrialPrimary",
                              primary_latency,
                              base::TimeDelta::FromMilliseconds(1),
                              base::TimeDelta::FromMinutes(10), 100);
   if (is_first_job) {
     UMA_HISTOGRAM_CUSTOM_TIMES(
         "Net.CertVerifier_First_Job_Latency_TrialPrimary", primary_latency,
         base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10),
         100);
   }

   std::unique_ptr<TrialVerificationJob> job =
       std::make_unique<TrialVerificationJob>(config_, params, net_log, this,
                                              primary_error, primary_result);
   TrialVerificationJob* job_ptr = job.get();
   jobs_.insert(std::move(job));
   job_ptr->Start();
 }

 void TrialComparisonCertVerifier::OnTrialVerifierComplete(
     const RequestParams& params,
     const NetLogWithSource& net_log,
     int trial_error,
     const CertVerifyResult& trial_result,
     base::TimeDelta latency,
     bool is_first_job) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);

   UMA_HISTOGRAM_CUSTOM_TIMES("Net.CertVerifier_Job_Latency_TrialSecondary",
                              latency, base::TimeDelta::FromMilliseconds(1),
                              base::TimeDelta::FromMinutes(10), 100);
   if (is_first_job) {
     UMA_HISTOGRAM_CUSTOM_TIMES(
         "Net.CertVerifier_First_Job_Latency_TrialSecondary", latency,
         base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10),
         100);
   }
 }

 void TrialComparisonCertVerifier::RemoveJob(TrialVerificationJob* job_ptr) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   auto it = jobs_.find(job_ptr);
   DCHECK(it != jobs_.end());
   jobs_.erase(it);
 }

 }  // namespace net
	// Copyright 2018 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include "net/cert/trial_comparison_cert_verifier.h"

	#include <memory>
	#include <utility>

	#include "base/bind.h"
	#include "base/location.h"
	#include "base/metrics/histogram_macros.h"
	#include "base/task/post_task.h"
	#include "base/values.h"
	#include "build/build_config.h"
	#include "crypto/sha2.h"
	#include "net/base/net_errors.h"
	#include "net/cert/cert_verify_proc.h"
	#include "net/cert/cert_verify_result.h"
	#include "net/cert/ev_root_ca_metadata.h"
	#include "net/cert/internal/cert_errors.h"
	#include "net/cert/internal/parsed_certificate.h"
	#include "net/cert/multi_threaded_cert_verifier.h"
	#include "net/cert/x509_util.h"
	#include "net/log/net_log.h"
	#include "net/log/net_log_event_type.h"
	#include "net/log/net_log_source_type.h"
	#include "net/log/net_log_with_source.h"

	namespace net {

	namespace {

	std::unique_ptr<base::Value> TrialVerificationJobResultCallback(
	bool trial_success,
	NetLogCaptureMode capture_mode) {
	std::unique_ptr<base::DictionaryValue> results(new base::DictionaryValue());
	results->SetKey("trial_success", base::Value(trial_success));
	return std::move(results);
	}

	bool CertVerifyResultEqual(const CertVerifyResult& a,
	const CertVerifyResult& b) {
	return std::tie(a.cert_status, a.is_issued_by_known_root) ==
	std::tie(b.cert_status, b.is_issued_by_known_root) &&
	(!!a.verified_cert == !!b.verified_cert) &&
	(!a.verified_cert \|\|
	a.verified_cert->EqualsIncludingChain(b.verified_cert.get()));
	}

	scoped_refptr<ParsedCertificate> ParsedCertificateFromBuffer(
	CRYPTO_BUFFER* cert_handle,
	CertErrors* errors) {
	return ParsedCertificate::Create(bssl::UpRef(cert_handle),
	x509_util::DefaultParseCertificateOptions(),
	errors);
	}

	ParsedCertificateList ParsedCertificateListFromX509Certificate(
	const X509Certificate* cert) {
	CertErrors parsing_errors;

	ParsedCertificateList certs;
	scoped_refptr<ParsedCertificate> target =
	ParsedCertificateFromBuffer(cert->cert_buffer(), &parsing_errors);
	if (!target)
	return {};
	certs.push_back(target);

	for (const auto& buf : cert->intermediate_buffers()) {
	scoped_refptr<ParsedCertificate> intermediate =
	ParsedCertificateFromBuffer(buf.get(), &parsing_errors);
	if (!intermediate)
	return {};
	certs.push_back(intermediate);
	}

	return certs;
	}

	// Tests whether cert has multiple EV policies, and at least one matches the
	// root. This is not a complete test of EV, but just enough to give a possible
	// explanation as to why the platform verifier did not validate as EV while
	// builtin did. (Since only the builtin verifier correctly handles multiple
	// candidate EV policies.)
	bool CertHasMultipleEVPoliciesAndOneMatchesRoot(const X509Certificate* cert) {
	if (cert->intermediate_buffers().empty())
	return false;

	ParsedCertificateList certs = ParsedCertificateListFromX509Certificate(cert);
	if (certs.empty())
	return false;

	ParsedCertificate* leaf = certs.front().get();
	ParsedCertificate* root = certs.back().get();

	if (!leaf->has_policy_oids())
	return false;

	const EVRootCAMetadata* ev_metadata = EVRootCAMetadata::GetInstance();
	std::set<der::Input> candidate_oids;
	for (const der::Input& oid : leaf->policy_oids()) {
	if (ev_metadata->IsEVPolicyOIDGivenBytes(oid))
	candidate_oids.insert(oid);
	}

	if (candidate_oids.size() <= 1)
	return false;

	SHA256HashValue root_fingerprint;
	crypto::SHA256HashString(root->der_cert().AsStringPiece(),
	root_fingerprint.data,
	sizeof(root_fingerprint.data));

	for (const der::Input& oid : candidate_oids) {
	if (ev_metadata->HasEVPolicyOIDGivenBytes(root_fingerprint, oid))
	return true;
	}

	return false;
	}

	} // namespace

	class TrialComparisonCertVerifier::TrialVerificationJob {
	public:
	TrialVerificationJob(const CertVerifier::Config& config,
	const CertVerifier::RequestParams& params,
	const NetLogWithSource& source_net_log,
	TrialComparisonCertVerifier* cert_verifier,
	int primary_error,
	const CertVerifyResult& primary_result)
	: config_(config),
	config_changed_(false),
	params_(params),
	net_log_(
	NetLogWithSource::Make(source_net_log.net_log(),
	NetLogSourceType::TRIAL_CERT_VERIFIER_JOB)),
	cert_verifier_(cert_verifier),
	primary_error_(primary_error),
	primary_result_(primary_result) {
	net_log_.BeginEvent(NetLogEventType::TRIAL_CERT_VERIFIER_JOB);
	source_net_log.AddEvent(
	NetLogEventType::TRIAL_CERT_VERIFIER_JOB_COMPARISON_STARTED,
	net_log_.source().ToEventParametersCallback());
	}

	~TrialVerificationJob() {
	if (cert_verifier_) {
	net_log_.AddEvent(NetLogEventType::CANCELLED);
	net_log_.EndEvent(NetLogEventType::TRIAL_CERT_VERIFIER_JOB);
	}
	}

	void Start() {
	// Unretained is safe because trial_request_ will cancel the callback on
	// destruction.
	int rv = cert_verifier_->trial_verifier()->Verify(
	params_, &trial_result_,
	base::BindOnce(&TrialVerificationJob::OnJobCompleted,
	base::Unretained(this)),
	&trial_request_, net_log_);
	if (rv != ERR_IO_PENDING)
	OnJobCompleted(rv);
	}

	void OnConfigChanged() { config_changed_ = true; }

	void Finish(bool is_success, TrialComparisonResult result_code) {
	TrialComparisonCertVerifier* cert_verifier = cert_verifier_;
	cert_verifier_ = nullptr;

	UMA_HISTOGRAM_ENUMERATION("Net.CertVerifier_TrialComparisonResult",
	result_code);

	net_log_.EndEvent(
	NetLogEventType::TRIAL_CERT_VERIFIER_JOB,
	base::BindRepeating(&TrialVerificationJobResultCallback, is_success));

	if (!is_success) {
	cert_verifier->report_callback_.Run(
	params_.hostname(), params_.certificate(),
	config_.enable_rev_checking,
	config_.require_rev_checking_local_anchors,
	config_.enable_sha1_local_anchors,
	config_.disable_symantec_enforcement, primary_result_, trial_result_);
	}

	// \|this\| is deleted after RemoveJob returns.
	cert_verifier->RemoveJob(this);
	}

	void FinishSuccess(TrialComparisonResult result_code) {
	Finish(true /* is_success */, result_code);
	}

	void FinishWithError() {
	DCHECK(trial_error_ != primary_error_ \|\|
	!CertVerifyResultEqual(trial_result_, primary_result_));

	TrialComparisonResult result_code = kInvalid;

	if (primary_error_ == OK && trial_error_ == OK) {
	result_code = kBothValidDifferentDetails;
	} else if (primary_error_ == OK) {
	result_code = kPrimaryValidSecondaryError;
	} else if (trial_error_ == OK) {
	result_code = kPrimaryErrorSecondaryValid;
	} else {
	result_code = kBothErrorDifferentDetails;
	}
	Finish(false /* is_success */, result_code);
	}

	void OnJobCompleted(int trial_result_error) {
	DCHECK(primary_result_.verified_cert);
	DCHECK(trial_result_.verified_cert);

	trial_error_ = trial_result_error;

	bool errors_equal = trial_result_error == primary_error_;
	bool details_equal = CertVerifyResultEqual(trial_result_, primary_result_);
	bool trial_success = errors_equal && details_equal;

	if (trial_success) {
	FinishSuccess(kEqual);
	return;
	}

	#if defined(OS_MACOSX)
	if (primary_error_ == ERR_CERT_REVOKED && !config_.enable_rev_checking &&
	!(primary_result_.cert_status & CERT_STATUS_REV_CHECKING_ENABLED) &&
	!(trial_result_.cert_status &
	(CERT_STATUS_REVOKED \| CERT_STATUS_REV_CHECKING_ENABLED))) {
	if (config_changed_) {
	FinishSuccess(kIgnoredConfigurationChanged);
	return;
	}
	// CertVerifyProcMac does some revocation checking even if we didn't want
	// it. Try verifying with the trial verifier with revocation checking
	// enabled, see if it then returns REVOKED.

	int rv = cert_verifier_->revocation_trial_verifier()->Verify(
	params_, &reverification_result_,
	base::BindOnce(
	&TrialVerificationJob::OnMacRevcheckingReverificationJobCompleted,
	base::Unretained(this)),
	&reverification_request_, net_log_);
	if (rv != ERR_IO_PENDING)
	OnMacRevcheckingReverificationJobCompleted(rv);
	return;
	}
	#endif

	const bool chains_equal =
	primary_result_.verified_cert->EqualsIncludingChain(
	trial_result_.verified_cert.get());

	if (!chains_equal && (trial_error_ == OK \|\| primary_error_ != OK)) {
	if (config_changed_) {
	FinishSuccess(kIgnoredConfigurationChanged);
	return;
	}
	// Chains were different, reverify the trial_result_.verified_cert chain
	// using the platform verifier and compare results again.
	RequestParams reverification_params(trial_result_.verified_cert,
	params_.hostname(), params_.flags(),
	params_.ocsp_response());

	int rv = cert_verifier_->primary_reverifier()->Verify(
	reverification_params, &reverification_result_,
	base::BindOnce(&TrialVerificationJob::
	OnPrimaryReverifiyWithSecondaryChainCompleted,
	base::Unretained(this)),
	&reverification_request_, net_log_);
	if (rv != ERR_IO_PENDING)
	OnPrimaryReverifiyWithSecondaryChainCompleted(rv);
	return;
	}

	TrialComparisonResult ignorable_difference =
	IsSynchronouslyIgnorableDifference(primary_error_, primary_result_,
	trial_error_, trial_result_);
	if (ignorable_difference != kInvalid) {
	FinishSuccess(ignorable_difference);
	return;
	}

	FinishWithError();
	}

	// Check if the differences between the primary and trial verifiers can be
	// ignored. This only handles differences that can be checked synchronously.
	// If the difference is ignorable, returns the relevant TrialComparisonResult,
	// otherwise returns kInvalid.
	static TrialComparisonResult IsSynchronouslyIgnorableDifference(
	int primary_error,
	const CertVerifyResult& primary_result,
	int trial_error,
	const CertVerifyResult& trial_result) {
	DCHECK(primary_result.verified_cert);
	DCHECK(trial_result.verified_cert);

	if (primary_error == OK &&
	primary_result.verified_cert->intermediate_buffers().empty()) {
	// Platform may support trusting a leaf certificate directly. Builtin
	// verifier does not. See https://crbug.com/814994.
	return kIgnoredLocallyTrustedLeaf;
	}

	const bool chains_equal =
	primary_result.verified_cert->EqualsIncludingChain(
	trial_result.verified_cert.get());

	if (chains_equal && (trial_result.cert_status & CERT_STATUS_IS_EV) &&
	!(primary_result.cert_status & CERT_STATUS_IS_EV) &&
	(primary_error == trial_error)) {
	// The platform CertVerifyProc impls only check a single potential EV
	// policy from the leaf. If the leaf had multiple policies, builtin
	// verifier may verify it as EV when the platform verifier did not.
	if (CertHasMultipleEVPoliciesAndOneMatchesRoot(
	trial_result.verified_cert.get())) {
	return kIgnoredMultipleEVPoliciesAndOneMatchesRoot;
	}
	}
	return kInvalid;
	}

	#if defined(OS_MACOSX)
	void OnMacRevcheckingReverificationJobCompleted(int reverification_error) {
	if (reverification_error == ERR_CERT_REVOKED) {
	FinishSuccess(kIgnoredMacUndesiredRevocationChecking);
	return;
	}
	FinishWithError();
	}
	#endif

	void OnPrimaryReverifiyWithSecondaryChainCompleted(int reverification_error) {
	if (reverification_error == trial_error_ &&
	CertVerifyResultEqual(reverification_result_, trial_result_)) {
	// The new result matches the builtin verifier, so this was just
	// a difference in the platform's path-building ability.
	// Ignore the difference.
	FinishSuccess(kIgnoredDifferentPathReVerifiesEquivalent);
	return;
	}

	if (IsSynchronouslyIgnorableDifference(reverification_error,
	reverification_result_, trial_error_,
	trial_result_) != kInvalid) {
	// The new result matches if ignoring differences. Still use the
	// \|kIgnoredDifferentPathReVerifiesEquivalent\| code rather than the
	// result of IsSynchronouslyIgnorableDifference, since it's the higher
	// level description of what the difference is in this case.
	FinishSuccess(kIgnoredDifferentPathReVerifiesEquivalent);
	return;
	}

	FinishWithError();
	}

	private:
	const CertVerifier::Config config_;
	bool config_changed_;
	const CertVerifier::RequestParams params_;
	const NetLogWithSource net_log_;
	TrialComparisonCertVerifier* cert_verifier_; // Non-owned.

	// Results from the trial verification.
	int trial_error_;
	CertVerifyResult trial_result_;
	std::unique_ptr<CertVerifier::Request> trial_request_;

	// Saved results of the primary verification.
	int primary_error_;
	const CertVerifyResult primary_result_;

	// Results from re-verification attempt.
	CertVerifyResult reverification_result_;
	std::unique_ptr<CertVerifier::Request> reverification_request_;

	DISALLOW_COPY_AND_ASSIGN(TrialVerificationJob);
	};

	TrialComparisonCertVerifier::TrialComparisonCertVerifier(
	bool initial_allowed,
	scoped_refptr<CertVerifyProc> primary_verify_proc,
	scoped_refptr<CertVerifyProc> trial_verify_proc,
	ReportCallback report_callback)
	: allowed_(initial_allowed),
	report_callback_(report_callback),
	primary_verifier_(
	MultiThreadedCertVerifier::CreateForDualVerificationTrial(
	primary_verify_proc,
	// Unretained is safe since the callback won't be called after
	// \|primary_verifier_\| is destroyed.
	base::BindRepeating(
	&TrialComparisonCertVerifier::OnPrimaryVerifierComplete,
	base::Unretained(this)),
	true /* should_record_histograms */)),
	primary_reverifier_(
	std::make_unique<MultiThreadedCertVerifier>(primary_verify_proc)),
	trial_verifier_(MultiThreadedCertVerifier::CreateForDualVerificationTrial(
	trial_verify_proc,
	// Unretained is safe since the callback won't be called after
	// \|trial_verifier_\| is destroyed.
	base::BindRepeating(
	&TrialComparisonCertVerifier::OnTrialVerifierComplete,
	base::Unretained(this)),
	false /* should_record_histograms */)),
	revocation_trial_verifier_(
	MultiThreadedCertVerifier::CreateForDualVerificationTrial(
	trial_verify_proc,
	// Unretained is safe since the callback won't be called after
	// \|trial_verifier_\| is destroyed.
	base::BindRepeating(
	&TrialComparisonCertVerifier::OnTrialVerifierComplete,
	base::Unretained(this)),
	false /* should_record_histograms */)) {
	CertVerifier::Config config;
	config.enable_rev_checking = true;
	revocation_trial_verifier_->SetConfig(config);
	}

	TrialComparisonCertVerifier::~TrialComparisonCertVerifier() = default;

	int TrialComparisonCertVerifier::Verify(const RequestParams& params,
	CertVerifyResult* verify_result,
	CompletionOnceCallback callback,
	std::unique_ptr<Request>* out_req,
	const NetLogWithSource& net_log) {
	DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);

	return primary_verifier_->Verify(params, verify_result, std::move(callback),
	out_req, net_log);
	}

	void TrialComparisonCertVerifier::SetConfig(const Config& config) {
	config_ = config;

	primary_verifier_->SetConfig(config);
	primary_reverifier_->SetConfig(config);
	trial_verifier_->SetConfig(config);

	// Always enable revocation checking for the revocation trial verifier.
	CertVerifier::Config config_with_revocation = config;
	config_with_revocation.enable_rev_checking = true;
	revocation_trial_verifier_->SetConfig(config_with_revocation);

	// Notify all in-process jobs that the underlying configuration has changed.
	for (auto& job : jobs_) {
	job->OnConfigChanged();
	}
	}

	void TrialComparisonCertVerifier::OnPrimaryVerifierComplete(
	const RequestParams& params,
	const NetLogWithSource& net_log,
	int primary_error,
	const CertVerifyResult& primary_result,
	base::TimeDelta primary_latency,
	bool is_first_job) {
	DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);

	if (!trial_allowed())
	return;

	// Only record the TrialPrimary histograms for the same set of requests
	// that TrialSecondary histograms will be recorded for, in order to get a
	// direct comparison.
	UMA_HISTOGRAM_CUSTOM_TIMES("Net.CertVerifier_Job_Latency_TrialPrimary",
	primary_latency,
	base::TimeDelta::FromMilliseconds(1),
	base::TimeDelta::FromMinutes(10), 100);
	if (is_first_job) {
	UMA_HISTOGRAM_CUSTOM_TIMES(
	"Net.CertVerifier_First_Job_Latency_TrialPrimary", primary_latency,
	base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10),
	100);
	}

	std::unique_ptr<TrialVerificationJob> job =
	std::make_unique<TrialVerificationJob>(config_, params, net_log, this,
	primary_error, primary_result);
	TrialVerificationJob* job_ptr = job.get();
	jobs_.insert(std::move(job));
	job_ptr->Start();
	}

	void TrialComparisonCertVerifier::OnTrialVerifierComplete(
	const RequestParams& params,
	const NetLogWithSource& net_log,
	int trial_error,
	const CertVerifyResult& trial_result,
	base::TimeDelta latency,
	bool is_first_job) {
	DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);

	UMA_HISTOGRAM_CUSTOM_TIMES("Net.CertVerifier_Job_Latency_TrialSecondary",
	latency, base::TimeDelta::FromMilliseconds(1),
	base::TimeDelta::FromMinutes(10), 100);
	if (is_first_job) {
	UMA_HISTOGRAM_CUSTOM_TIMES(
	"Net.CertVerifier_First_Job_Latency_TrialSecondary", latency,
	base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10),
	100);
	}
	}

	void TrialComparisonCertVerifier::RemoveJob(TrialVerificationJob* job_ptr) {
	DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
	auto it = jobs_.find(job_ptr);
	DCHECK(it != jobs_.end());
	jobs_.erase(it);
	}

	} // namespace net