search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Disable view source for Developer Tools.
[chromium-blink-merge.git] / chrome / browser / net / sqlite_server_bound_cert_store.cc
blobfbac4c36d72405ba4183f7446f913c31cc91ff69
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "chrome/browser/net/sqlite_server_bound_cert_store.h"
6
7 #include <list>
8 #include <set>
9
10 #include "base/basictypes.h"
11 #include "base/bind.h"
12 #include "base/file_util.h"
13 #include "base/files/file_path.h"
14 #include "base/logging.h"
15 #include "base/memory/scoped_ptr.h"
16 #include "base/metrics/histogram.h"
17 #include "base/strings/string_util.h"
18 #include "base/threading/thread.h"
19 #include "base/threading/thread_restrictions.h"
20 #include "net/cert/x509_certificate.h"
21 #include "net/cookies/cookie_util.h"
22 #include "net/ssl/ssl_client_cert_type.h"
23 #include "sql/error_delegate_util.h"
24 #include "sql/meta_table.h"
25 #include "sql/statement.h"
26 #include "sql/transaction.h"
27 #include "third_party/sqlite/sqlite3.h"
28 #include "url/gurl.h"
29 #include "webkit/browser/quota/special_storage_policy.h"
30
31 // This class is designed to be shared between any calling threads and the
32 // background task runner. It batches operations and commits them on a timer.
33 class SQLiteServerBoundCertStore::Backend
34 : public base::RefCountedThreadSafe<SQLiteServerBoundCertStore::Backend> {
35 public:
36 Backend(
37 const base::FilePath& path,
38 const scoped_refptr<base::SequencedTaskRunner>& background_task_runner,
39 quota::SpecialStoragePolicy* special_storage_policy)
40 : path_(path),
41 num_pending_(0),
42 force_keep_session_state_(false),
43 background_task_runner_(background_task_runner),
44 special_storage_policy_(special_storage_policy),
45 corruption_detected_(false) {}
46
47 // Creates or loads the SQLite database.
48 void Load(const LoadedCallback& loaded_callback);
49
50 // Batch a server bound cert addition.
51 void AddServerBoundCert(
52 const net::DefaultServerBoundCertStore::ServerBoundCert& cert);
53
54 // Batch a server bound cert deletion.
55 void DeleteServerBoundCert(
56 const net::DefaultServerBoundCertStore::ServerBoundCert& cert);
57
58 // Commit any pending operations and close the database. This must be called
59 // before the object is destructed.
60 void Close();
61
62 void SetForceKeepSessionState();
63
64 private:
65 void LoadOnDBThread(
66 ScopedVector<net::DefaultServerBoundCertStore::ServerBoundCert>* certs);
67
68 friend class base::RefCountedThreadSafe<SQLiteServerBoundCertStore::Backend>;
69
70 // You should call Close() before destructing this object.
71 ~Backend() {
72 DCHECK(!db_.get()) << "Close should have already been called.";
73 DCHECK(num_pending_ == 0 && pending_.empty());
74 }
75
76 // Database upgrade statements.
77 bool EnsureDatabaseVersion();
78
79 class PendingOperation {
80 public:
81 typedef enum {
82 CERT_ADD,
83 CERT_DELETE
84 } OperationType;
85
86 PendingOperation(
87 OperationType op,
88 const net::DefaultServerBoundCertStore::ServerBoundCert& cert)
89 : op_(op), cert_(cert) {}
90
91 OperationType op() const { return op_; }
92 const net::DefaultServerBoundCertStore::ServerBoundCert& cert() const {
93 return cert_;
94 }
95
96 private:
97 OperationType op_;
98 net::DefaultServerBoundCertStore::ServerBoundCert cert_;
99 };
100
101 private:
102 // Batch a server bound cert operation (add or delete).
103 void BatchOperation(
104 PendingOperation::OperationType op,
105 const net::DefaultServerBoundCertStore::ServerBoundCert& cert);
106 // Commit our pending operations to the database.
107 void Commit();
108 // Close() executed on the background thread.
109 void InternalBackgroundClose();
110
111 void DeleteCertificatesOnShutdown();
112
113 void DatabaseErrorCallback(int error, sql::Statement* stmt);
114 void KillDatabase();
115
116 base::FilePath path_;
117 scoped_ptr<sql::Connection> db_;
118 sql::MetaTable meta_table_;
119
120 typedef std::list<PendingOperation*> PendingOperationsList;
121 PendingOperationsList pending_;
122 PendingOperationsList::size_type num_pending_;
123 // True if the persistent store should skip clear on exit rules.
124 bool force_keep_session_state_;
125 // Guard |pending_|, |num_pending_| and |force_keep_session_state_|.
126 base::Lock lock_;
127
128 // Cache of origins we have certificates stored for.
129 std::set<std::string> cert_origins_;
130
131 scoped_refptr<base::SequencedTaskRunner> background_task_runner_;
132
133 scoped_refptr<quota::SpecialStoragePolicy> special_storage_policy_;
134
135 // Indicates if the kill-database callback has been scheduled.
136 bool corruption_detected_;
137
138 DISALLOW_COPY_AND_ASSIGN(Backend);
139 };
140
141 // Version number of the database.
142 static const int kCurrentVersionNumber = 4;
143 static const int kCompatibleVersionNumber = 1;
144
145 namespace {
146
147 // Initializes the certs table, returning true on success.
148 bool InitTable(sql::Connection* db) {
149 // The table is named "origin_bound_certs" for backwards compatability before
150 // we renamed this class to SQLiteServerBoundCertStore. Likewise, the primary
151 // key is "origin", but now can be other things like a plain domain.
152 if (!db->DoesTableExist("origin_bound_certs")) {
153 if (!db->Execute("CREATE TABLE origin_bound_certs ("
154 "origin TEXT NOT NULL UNIQUE PRIMARY KEY,"
155 "private_key BLOB NOT NULL,"
156 "cert BLOB NOT NULL,"
157 "cert_type INTEGER,"
158 "expiration_time INTEGER,"
159 "creation_time INTEGER)"))
160 return false;
161 }
162
163 return true;
164 }
165
166 } // namespace
167
168 void SQLiteServerBoundCertStore::Backend::Load(
169 const LoadedCallback& loaded_callback) {
170 // This function should be called only once per instance.
171 DCHECK(!db_.get());
172 scoped_ptr<ScopedVector<net::DefaultServerBoundCertStore::ServerBoundCert> >
173 certs(new ScopedVector<net::DefaultServerBoundCertStore::ServerBoundCert>(
174 ));
175 ScopedVector<net::DefaultServerBoundCertStore::ServerBoundCert>* certs_ptr =
176 certs.get();
177
178 background_task_runner_->PostTaskAndReply(
179 FROM_HERE,
180 base::Bind(&Backend::LoadOnDBThread, this, certs_ptr),
181 base::Bind(loaded_callback, base::Passed(&certs)));
182 }
183
184 void SQLiteServerBoundCertStore::Backend::LoadOnDBThread(
185 ScopedVector<net::DefaultServerBoundCertStore::ServerBoundCert>* certs) {
186 DCHECK(background_task_runner_->RunsTasksOnCurrentThread());
187
188 // This method should be called only once per instance.
189 DCHECK(!db_.get());
190
191 base::TimeTicks start = base::TimeTicks::Now();
192
193 // Ensure the parent directory for storing certs is created before reading
194 // from it.
195 const base::FilePath dir = path_.DirName();
196 if (!base::PathExists(dir) && !base::CreateDirectory(dir))
197 return;
198
199 int64 db_size = 0;
200 if (base::GetFileSize(path_, &db_size))
201 UMA_HISTOGRAM_COUNTS("DomainBoundCerts.DBSizeInKB", db_size / 1024 );
202
203 db_.reset(new sql::Connection);
204 db_->set_histogram_tag("DomainBoundCerts");
205
206 // Unretained to avoid a ref loop with db_.
207 db_->set_error_callback(
208 base::Bind(&SQLiteServerBoundCertStore::Backend::DatabaseErrorCallback,
209 base::Unretained(this)));
210
211 if (!db_->Open(path_)) {
212 NOTREACHED() << "Unable to open cert DB.";
213 if (corruption_detected_)
214 KillDatabase();
215 db_.reset();
216 return;
217 }
218
219 if (!EnsureDatabaseVersion() || !InitTable(db_.get())) {
220 NOTREACHED() << "Unable to open cert DB.";
221 if (corruption_detected_)
222 KillDatabase();
223 meta_table_.Reset();
224 db_.reset();
225 return;
226 }
227
228 db_->Preload();
229
230 // Slurp all the certs into the out-vector.
231 sql::Statement smt(db_->GetUniqueStatement(
232 "SELECT origin, private_key, cert, cert_type, expiration_time, "
233 "creation_time FROM origin_bound_certs"));
234 if (!smt.is_valid()) {
235 if (corruption_detected_)
236 KillDatabase();
237 meta_table_.Reset();
238 db_.reset();
239 return;
240 }
241
242 while (smt.Step()) {
243 net::SSLClientCertType type =
244 static_cast<net::SSLClientCertType>(smt.ColumnInt(3));
245 if (type != net::CLIENT_CERT_ECDSA_SIGN)
246 continue;
247 std::string private_key_from_db, cert_from_db;
248 smt.ColumnBlobAsString(1, &private_key_from_db);
249 smt.ColumnBlobAsString(2, &cert_from_db);
250 scoped_ptr<net::DefaultServerBoundCertStore::ServerBoundCert> cert(
251 new net::DefaultServerBoundCertStore::ServerBoundCert(
252 smt.ColumnString(0), // origin
253 base::Time::FromInternalValue(smt.ColumnInt64(5)),
254 base::Time::FromInternalValue(smt.ColumnInt64(4)),
255 private_key_from_db,
256 cert_from_db));
257 cert_origins_.insert(cert->server_identifier());
258 certs->push_back(cert.release());
259 }
260
261 UMA_HISTOGRAM_COUNTS_10000("DomainBoundCerts.DBLoadedCount", certs->size());
262 base::TimeDelta load_time = base::TimeTicks::Now() - start;
263 UMA_HISTOGRAM_CUSTOM_TIMES("DomainBoundCerts.DBLoadTime",
264 load_time,
265 base::TimeDelta::FromMilliseconds(1),
266 base::TimeDelta::FromMinutes(1),
267 50);
268 DVLOG(1) << "loaded " << certs->size() << " in " << load_time.InMilliseconds()
269 << " ms";
270 }
271
272 bool SQLiteServerBoundCertStore::Backend::EnsureDatabaseVersion() {
273 // Version check.
274 if (!meta_table_.Init(
275 db_.get(), kCurrentVersionNumber, kCompatibleVersionNumber)) {
276 return false;
277 }
278
279 if (meta_table_.GetCompatibleVersionNumber() > kCurrentVersionNumber) {
280 LOG(WARNING) << "Server bound cert database is too new.";
281 return false;
282 }
283
284 int cur_version = meta_table_.GetVersionNumber();
285 if (cur_version == 1) {
286 sql::Transaction transaction(db_.get());
287 if (!transaction.Begin())
288 return false;
289 if (!db_->Execute("ALTER TABLE origin_bound_certs ADD COLUMN cert_type "
290 "INTEGER")) {
291 LOG(WARNING) << "Unable to update server bound cert database to "
292 << "version 2.";
293 return false;
294 }
295 // All certs in version 1 database are rsa_sign, which are unsupported.
296 // Just discard them all.
297 if (!db_->Execute("DELETE from origin_bound_certs")) {
298 LOG(WARNING) << "Unable to update server bound cert database to "
299 << "version 2.";
300 return false;
301 }
302 ++cur_version;
303 meta_table_.SetVersionNumber(cur_version);
304 meta_table_.SetCompatibleVersionNumber(
305 std::min(cur_version, kCompatibleVersionNumber));
306 transaction.Commit();
307 }
308
309 if (cur_version <= 3) {
310 sql::Transaction transaction(db_.get());
311 if (!transaction.Begin())
312 return false;
313
314 if (cur_version == 2) {
315 if (!db_->Execute("ALTER TABLE origin_bound_certs ADD COLUMN "
316 "expiration_time INTEGER")) {
317 LOG(WARNING) << "Unable to update server bound cert database to "
318 << "version 4.";
319 return false;
320 }
321 }
322
323 if (!db_->Execute("ALTER TABLE origin_bound_certs ADD COLUMN "
324 "creation_time INTEGER")) {
325 LOG(WARNING) << "Unable to update server bound cert database to "
326 << "version 4.";
327 return false;
328 }
329
330 sql::Statement smt(db_->GetUniqueStatement(
331 "SELECT origin, cert FROM origin_bound_certs"));
332 sql::Statement update_expires_smt(db_->GetUniqueStatement(
333 "UPDATE origin_bound_certs SET expiration_time = ? WHERE origin = ?"));
334 sql::Statement update_creation_smt(db_->GetUniqueStatement(
335 "UPDATE origin_bound_certs SET creation_time = ? WHERE origin = ?"));
336 if (!smt.is_valid() ||
337 !update_expires_smt.is_valid() ||
338 !update_creation_smt.is_valid()) {
339 LOG(WARNING) << "Unable to update server bound cert database to "
340 << "version 4.";
341 return false;
342 }
343
344 while (smt.Step()) {
345 std::string origin = smt.ColumnString(0);
346 std::string cert_from_db;
347 smt.ColumnBlobAsString(1, &cert_from_db);
348 // Parse the cert and extract the real value and then update the DB.
349 scoped_refptr<net::X509Certificate> cert(
350 net::X509Certificate::CreateFromBytes(
351 cert_from_db.data(), cert_from_db.size()));
352 if (cert.get()) {
353 if (cur_version == 2) {
354 update_expires_smt.Reset(true);
355 update_expires_smt.BindInt64(0,
356 cert->valid_expiry().ToInternalValue());
357 update_expires_smt.BindString(1, origin);
358 if (!update_expires_smt.Run()) {
359 LOG(WARNING) << "Unable to update server bound cert database to "
360 << "version 4.";
361 return false;
362 }
363 }
364
365 update_creation_smt.Reset(true);
366 update_creation_smt.BindInt64(0, cert->valid_start().ToInternalValue());
367 update_creation_smt.BindString(1, origin);
368 if (!update_creation_smt.Run()) {
369 LOG(WARNING) << "Unable to update server bound cert database to "
370 << "version 4.";
371 return false;
372 }
373 } else {
374 // If there's a cert we can't parse, just leave it. It'll get replaced
375 // with a new one if we ever try to use it.
376 LOG(WARNING) << "Error parsing cert for database upgrade for origin "
377 << smt.ColumnString(0);
378 }
379 }
380
381 cur_version = 4;
382 meta_table_.SetVersionNumber(cur_version);
383 meta_table_.SetCompatibleVersionNumber(
384 std::min(cur_version, kCompatibleVersionNumber));
385 transaction.Commit();
386 }
387
388 // Put future migration cases here.
389
390 // When the version is too old, we just try to continue anyway, there should
391 // not be a released product that makes a database too old for us to handle.
392 LOG_IF(WARNING, cur_version < kCurrentVersionNumber) <<
393 "Server bound cert database version " << cur_version <<
394 " is too old to handle.";
395
396 return true;
397 }
398
399 void SQLiteServerBoundCertStore::Backend::DatabaseErrorCallback(
400 int error,
401 sql::Statement* stmt) {
402 DCHECK(background_task_runner_->RunsTasksOnCurrentThread());
403
404 if (!sql::IsErrorCatastrophic(error))
405 return;
406
407 // TODO(shess): Running KillDatabase() multiple times should be
408 // safe.
409 if (corruption_detected_)
410 return;
411
412 corruption_detected_ = true;
413
414 // TODO(shess): Consider just calling RazeAndClose() immediately.
415 // db_ may not be safe to reset at this point, but RazeAndClose()
416 // would cause the stack to unwind safely with errors.
417 background_task_runner_->PostTask(FROM_HERE,
418 base::Bind(&Backend::KillDatabase, this));
419 }
420
421 void SQLiteServerBoundCertStore::Backend::KillDatabase() {
422 DCHECK(background_task_runner_->RunsTasksOnCurrentThread());
423
424 if (db_) {
425 // This Backend will now be in-memory only. In a future run the database
426 // will be recreated. Hopefully things go better then!
427 bool success = db_->RazeAndClose();
428 UMA_HISTOGRAM_BOOLEAN("DomainBoundCerts.KillDatabaseResult", success);
429 meta_table_.Reset();
430 db_.reset();
431 }
432 }
433
434 void SQLiteServerBoundCertStore::Backend::AddServerBoundCert(
435 const net::DefaultServerBoundCertStore::ServerBoundCert& cert) {
436 BatchOperation(PendingOperation::CERT_ADD, cert);
437 }
438
439 void SQLiteServerBoundCertStore::Backend::DeleteServerBoundCert(
440 const net::DefaultServerBoundCertStore::ServerBoundCert& cert) {
441 BatchOperation(PendingOperation::CERT_DELETE, cert);
442 }
443
444 void SQLiteServerBoundCertStore::Backend::BatchOperation(
445 PendingOperation::OperationType op,
446 const net::DefaultServerBoundCertStore::ServerBoundCert& cert) {
447 // Commit every 30 seconds.
448 static const int kCommitIntervalMs = 30 * 1000;
449 // Commit right away if we have more than 512 outstanding operations.
450 static const size_t kCommitAfterBatchSize = 512;
451
452 // We do a full copy of the cert here, and hopefully just here.
453 scoped_ptr<PendingOperation> po(new PendingOperation(op, cert));
454
455 PendingOperationsList::size_type num_pending;
456 {
457 base::AutoLock locked(lock_);
458 pending_.push_back(po.release());
459 num_pending = ++num_pending_;
460 }
461
462 if (num_pending == 1) {
463 // We've gotten our first entry for this batch, fire off the timer.
464 background_task_runner_->PostDelayedTask(
465 FROM_HERE,
466 base::Bind(&Backend::Commit, this),
467 base::TimeDelta::FromMilliseconds(kCommitIntervalMs));
468 } else if (num_pending == kCommitAfterBatchSize) {
469 // We've reached a big enough batch, fire off a commit now.
470 background_task_runner_->PostTask(FROM_HERE,
471 base::Bind(&Backend::Commit, this));
472 }
473 }
474
475 void SQLiteServerBoundCertStore::Backend::Commit() {
476 DCHECK(background_task_runner_->RunsTasksOnCurrentThread());
477
478 PendingOperationsList ops;
479 {
480 base::AutoLock locked(lock_);
481 pending_.swap(ops);
482 num_pending_ = 0;
483 }
484
485 // Maybe an old timer fired or we are already Close()'ed.
486 if (!db_.get() || ops.empty())
487 return;
488
489 sql::Statement add_smt(db_->GetCachedStatement(SQL_FROM_HERE,
490 "INSERT INTO origin_bound_certs (origin, private_key, cert, cert_type, "
491 "expiration_time, creation_time) VALUES (?,?,?,?,?,?)"));
492 if (!add_smt.is_valid())
493 return;
494
495 sql::Statement del_smt(db_->GetCachedStatement(SQL_FROM_HERE,
496 "DELETE FROM origin_bound_certs WHERE origin=?"));
497 if (!del_smt.is_valid())
498 return;
499
500 sql::Transaction transaction(db_.get());
501 if (!transaction.Begin())
502 return;
503
504 for (PendingOperationsList::iterator it = ops.begin();
505 it != ops.end(); ++it) {
506 // Free the certs as we commit them to the database.
507 scoped_ptr<PendingOperation> po(*it);
508 switch (po->op()) {
509 case PendingOperation::CERT_ADD: {
510 cert_origins_.insert(po->cert().server_identifier());
511 add_smt.Reset(true);
512 add_smt.BindString(0, po->cert().server_identifier());
513 const std::string& private_key = po->cert().private_key();
514 add_smt.BindBlob(1, private_key.data(), private_key.size());
515 const std::string& cert = po->cert().cert();
516 add_smt.BindBlob(2, cert.data(), cert.size());
517 add_smt.BindInt(3, net::CLIENT_CERT_ECDSA_SIGN);
518 add_smt.BindInt64(4, po->cert().expiration_time().ToInternalValue());
519 add_smt.BindInt64(5, po->cert().creation_time().ToInternalValue());
520 if (!add_smt.Run())
521 NOTREACHED() << "Could not add a server bound cert to the DB.";
522 break;
523 }
524 case PendingOperation::CERT_DELETE:
525 cert_origins_.erase(po->cert().server_identifier());
526 del_smt.Reset(true);
527 del_smt.BindString(0, po->cert().server_identifier());
528 if (!del_smt.Run())
529 NOTREACHED() << "Could not delete a server bound cert from the DB.";
530 break;
531
532 default:
533 NOTREACHED();
534 break;
535 }
536 }
537 transaction.Commit();
538 }
539
540 // Fire off a close message to the background thread. We could still have a
541 // pending commit timer that will be holding a reference on us, but if/when
542 // this fires we will already have been cleaned up and it will be ignored.
543 void SQLiteServerBoundCertStore::Backend::Close() {
544 // Must close the backend on the background thread.
545 background_task_runner_->PostTask(
546 FROM_HERE, base::Bind(&Backend::InternalBackgroundClose, this));
547 }
548
549 void SQLiteServerBoundCertStore::Backend::InternalBackgroundClose() {
550 DCHECK(background_task_runner_->RunsTasksOnCurrentThread());
551 // Commit any pending operations
552 Commit();
553
554 if (!force_keep_session_state_ &&
555 special_storage_policy_.get() &&
556 special_storage_policy_->HasSessionOnlyOrigins()) {
557 DeleteCertificatesOnShutdown();
558 }
559
560 db_.reset();
561 }
562
563 void SQLiteServerBoundCertStore::Backend::DeleteCertificatesOnShutdown() {
564 DCHECK(background_task_runner_->RunsTasksOnCurrentThread());
565
566 if (!db_.get())
567 return;
568
569 if (cert_origins_.empty())
570 return;
571
572 if (!special_storage_policy_.get())
573 return;
574
575 sql::Statement del_smt(db_->GetCachedStatement(
576 SQL_FROM_HERE, "DELETE FROM origin_bound_certs WHERE origin=?"));
577 if (!del_smt.is_valid()) {
578 LOG(WARNING) << "Unable to delete certificates on shutdown.";
579 return;
580 }
581
582 sql::Transaction transaction(db_.get());
583 if (!transaction.Begin()) {
584 LOG(WARNING) << "Unable to delete certificates on shutdown.";
585 return;
586 }
587
588 for (std::set<std::string>::iterator it = cert_origins_.begin();
589 it != cert_origins_.end(); ++it) {
590 const GURL url(net::cookie_util::CookieOriginToURL(*it, true));
591 if (!url.is_valid() || !special_storage_policy_->IsStorageSessionOnly(url))
592 continue;
593 del_smt.Reset(true);
594 del_smt.BindString(0, *it);
595 if (!del_smt.Run())
596 NOTREACHED() << "Could not delete a certificate from the DB.";
597 }
598
599 if (!transaction.Commit())
600 LOG(WARNING) << "Unable to delete certificates on shutdown.";
601 }
602
603 void SQLiteServerBoundCertStore::Backend::SetForceKeepSessionState() {
604 base::AutoLock locked(lock_);
605 force_keep_session_state_ = true;
606 }
607
608 SQLiteServerBoundCertStore::SQLiteServerBoundCertStore(
609 const base::FilePath& path,
610 const scoped_refptr<base::SequencedTaskRunner>& background_task_runner,
611 quota::SpecialStoragePolicy* special_storage_policy)
612 : backend_(new Backend(path,
613 background_task_runner,
614 special_storage_policy)) {}
615
616 void SQLiteServerBoundCertStore::Load(
617 const LoadedCallback& loaded_callback) {
618 backend_->Load(loaded_callback);
619 }
620
621 void SQLiteServerBoundCertStore::AddServerBoundCert(
622 const net::DefaultServerBoundCertStore::ServerBoundCert& cert) {
623 backend_->AddServerBoundCert(cert);
624 }
625
626 void SQLiteServerBoundCertStore::DeleteServerBoundCert(
627 const net::DefaultServerBoundCertStore::ServerBoundCert& cert) {
628 backend_->DeleteServerBoundCert(cert);
629 }
630
631 void SQLiteServerBoundCertStore::SetForceKeepSessionState() {
632 backend_->SetForceKeepSessionState();
633 }
634
635 SQLiteServerBoundCertStore::~SQLiteServerBoundCertStore() {
636 backend_->Close();
637 // We release our reference to the Backend, though it will probably still have
638 // a reference if the background thread has not run Close() yet.
639 }