| // Copyright 2016 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "components/certificate_transparency/single_tree_tracker.h" |
| |
| #include <utility> |
| |
| #include "base/metrics/histogram_macros.h" |
| #include "net/cert/ct_log_verifier.h" |
| #include "net/cert/signed_certificate_timestamp.h" |
| #include "net/cert/x509_certificate.h" |
| |
| using net::ct::SignedTreeHead; |
| |
| namespace { |
| |
| // Enum indicating whether an SCT can be checked for inclusion and if not, |
| // the reason it cannot. |
| // |
| // Note: The numeric values are used within a histogram and should not change |
| // or be re-assigned. |
| enum SCTCanBeCheckedForInclusion { |
| // If the SingleTreeTracker does not have a valid STH, then a valid STH is |
| // first required to evaluate whether the SCT can be checked for inclusion |
| // or not. |
| VALID_STH_REQUIRED = 0, |
| // If the STH does not cover the SCT (the timestamp in the SCT is greater than |
| // MMD + timestamp in the STH), then a newer STH is needed. |
| NEWER_STH_REQUIRED = 1, |
| // When an SCT is observed, if the SingleTreeTracker instance has a valid STH |
| // and the STH covers the SCT (the timestamp in the SCT is less than MMD + |
| // timestamp in the STH), then it can be checked for inclusion. |
| CAN_BE_CHECKED = 2, |
| SCT_CAN_BE_CHECKED_MAX |
| }; |
| |
| // Measure how often clients encounter very new SCTs, by measuring whether an |
| // SCT can be checked for inclusion upon first observation. |
| void LogCanBeCheckedForInclusionToUMA( |
| SCTCanBeCheckedForInclusion can_be_checked) { |
| UMA_HISTOGRAM_ENUMERATION("Net.CertificateTransparency.CanInclusionCheckSCT", |
| can_be_checked, SCT_CAN_BE_CHECKED_MAX); |
| } |
| |
| } // namespace |
| |
| namespace certificate_transparency { |
| |
| SingleTreeTracker::SingleTreeTracker( |
| scoped_refptr<const net::CTLogVerifier> ct_log) |
| : ct_log_(std::move(ct_log)) {} |
| |
| SingleTreeTracker::~SingleTreeTracker() {} |
| |
| void SingleTreeTracker::OnSCTVerified( |
| net::X509Certificate* cert, |
| const net::ct::SignedCertificateTimestamp* sct) { |
| DCHECK_EQ(ct_log_->key_id(), sct->log_id); |
| |
| // SCT was previously observed, so its status should not be changed. |
| if (entries_status_.find(sct->timestamp) != entries_status_.end()) |
| return; |
| |
| // If there isn't a valid STH or the STH is not fresh enough to check |
| // inclusion against, store the SCT for future checking and return. |
| if (verified_sth_.timestamp.is_null() || |
| (verified_sth_.timestamp < |
| (sct->timestamp + base::TimeDelta::FromHours(24)))) { |
| entries_status_.insert( |
| std::make_pair(sct->timestamp, SCT_PENDING_NEWER_STH)); |
| |
| if (!verified_sth_.timestamp.is_null()) { |
| LogCanBeCheckedForInclusionToUMA(NEWER_STH_REQUIRED); |
| } else { |
| LogCanBeCheckedForInclusionToUMA(VALID_STH_REQUIRED); |
| } |
| |
| return; |
| } |
| |
| LogCanBeCheckedForInclusionToUMA(CAN_BE_CHECKED); |
| // TODO(eranm): Check inclusion here. |
| entries_status_.insert( |
| std::make_pair(sct->timestamp, SCT_PENDING_INCLUSION_CHECK)); |
| } |
| |
| void SingleTreeTracker::NewSTHObserved(const SignedTreeHead& sth) { |
| DCHECK_EQ(ct_log_->key_id(), sth.log_id); |
| |
| if (!ct_log_->VerifySignedTreeHead(sth)) { |
| // Sanity check the STH; the caller should have done this |
| // already, but being paranoid here. |
| // NOTE(eranm): Right now there's no way to get rid of this check here |
| // as this is the first object in the chain that has an instance of |
| // a CTLogVerifier to verify the STH. |
| return; |
| } |
| |
| // In order to avoid updating |verified_sth_| to an older STH in case |
| // an older STH is observed, check that either the observed STH is for |
| // a larger tree size or that it is for the same tree size but has |
| // a newer timestamp. |
| const bool sths_for_same_tree = verified_sth_.tree_size == sth.tree_size; |
| const bool received_sth_is_for_larger_tree = |
| (verified_sth_.tree_size > sth.tree_size); |
| const bool received_sth_is_newer = (sth.timestamp > verified_sth_.timestamp); |
| |
| if (verified_sth_.timestamp.is_null() || received_sth_is_for_larger_tree || |
| (sths_for_same_tree && received_sth_is_newer)) { |
| verified_sth_ = sth; |
| } |
| |
| // Find out which SCTs can now be checked for inclusion. |
| // TODO(eranm): Keep two maps of MerkleTreeLeaf instances, one for leaves |
| // pending inclusion checks and one for leaves pending a new STH. |
| // The comparison function between MerkleTreeLeaf instances should use the |
| // timestamp to determine sorting order, so that bulk moving from one |
| // map to the other can happen. |
| auto entry = entries_status_.begin(); |
| while (entry != entries_status_.end() && |
| entry->first < verified_sth_.timestamp) { |
| entry->second = SCT_PENDING_INCLUSION_CHECK; |
| ++entry; |
| // TODO(eranm): Check inclusion here. |
| } |
| } |
| |
| SingleTreeTracker::SCTInclusionStatus |
| SingleTreeTracker::GetLogEntryInclusionStatus( |
| net::X509Certificate* cert, |
| const net::ct::SignedCertificateTimestamp* sct) { |
| auto it = entries_status_.find(sct->timestamp); |
| |
| return it == entries_status_.end() ? SCT_NOT_OBSERVED : it->second; |
| } |
| |
| } // namespace certificate_transparency |
