1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "chrome/browser/net/sqlite_server_bound_cert_store.h" 6 7 #include <list> 8 #include <set> 9 10 #include "base/basictypes.h" 11 #include "base/bind.h" 12 #include "base/file_util.h" 13 #include "base/files/file_path.h" 14 #include "base/logging.h" 15 #include "base/memory/scoped_ptr.h" 16 #include "base/metrics/histogram.h" 17 #include "base/strings/string_util.h" 18 #include "base/threading/thread.h" 19 #include "base/threading/thread_restrictions.h" 20 #include "net/cert/x509_certificate.h" 21 #include "net/cookies/cookie_util.h" 22 #include "net/ssl/ssl_client_cert_type.h" 23 #include "sql/error_delegate_util.h" 24 #include "sql/meta_table.h" 25 #include "sql/statement.h" 26 #include "sql/transaction.h" 27 #include "third_party/sqlite/sqlite3.h" 28 #include "url/gurl.h" 29 #include "webkit/browser/quota/special_storage_policy.h" 30 31 // This class is designed to be shared between any calling threads and the 32 // background task runner. It batches operations and commits them on a timer. 33 class SQLiteServerBoundCertStore::Backend 34 : public base::RefCountedThreadSafe<SQLiteServerBoundCertStore::Backend> { 35 public: 36 Backend( 37 const base::FilePath& path, 38 const scoped_refptr<base::SequencedTaskRunner>& background_task_runner, 39 quota::SpecialStoragePolicy* special_storage_policy) 40 : path_(path), 41 num_pending_(0), 42 force_keep_session_state_(false), 43 background_task_runner_(background_task_runner), 44 special_storage_policy_(special_storage_policy), 45 corruption_detected_(false) {} 46 47 // Creates or loads the SQLite database. 48 void Load(const LoadedCallback& loaded_callback); 49 50 // Batch a server bound cert addition. 51 void AddServerBoundCert( 52 const net::DefaultServerBoundCertStore::ServerBoundCert& cert); 53 54 // Batch a server bound cert deletion. 55 void DeleteServerBoundCert( 56 const net::DefaultServerBoundCertStore::ServerBoundCert& cert); 57 58 // Commit any pending operations and close the database. This must be called 59 // before the object is destructed. 60 void Close(); 61 62 void SetForceKeepSessionState(); 63 64 private: 65 void LoadOnDBThread( 66 ScopedVector<net::DefaultServerBoundCertStore::ServerBoundCert>* certs); 67 68 friend class base::RefCountedThreadSafe<SQLiteServerBoundCertStore::Backend>; 69 70 // You should call Close() before destructing this object. 71 ~Backend() { 72 DCHECK(!db_.get()) << "Close should have already been called."; 73 DCHECK(num_pending_ == 0 && pending_.empty()); 74 } 75 76 // Database upgrade statements. 77 bool EnsureDatabaseVersion(); 78 79 class PendingOperation { 80 public: 81 typedef enum { 82 CERT_ADD, 83 CERT_DELETE 84 } OperationType; 85 86 PendingOperation( 87 OperationType op, 88 const net::DefaultServerBoundCertStore::ServerBoundCert& cert) 89 : op_(op), cert_(cert) {} 90 91 OperationType op() const { return op_; } 92 const net::DefaultServerBoundCertStore::ServerBoundCert& cert() const { 93 return cert_; 94 } 95 96 private: 97 OperationType op_; 98 net::DefaultServerBoundCertStore::ServerBoundCert cert_; 99 }; 100 101 private: 102 // Batch a server bound cert operation (add or delete). 103 void BatchOperation( 104 PendingOperation::OperationType op, 105 const net::DefaultServerBoundCertStore::ServerBoundCert& cert); 106 // Commit our pending operations to the database. 107 void Commit(); 108 // Close() executed on the background thread. 109 void InternalBackgroundClose(); 110 111 void DeleteCertificatesOnShutdown(); 112 113 void DatabaseErrorCallback(int error, sql::Statement* stmt); 114 void KillDatabase(); 115 116 base::FilePath path_; 117 scoped_ptr<sql::Connection> db_; 118 sql::MetaTable meta_table_; 119 120 typedef std::list<PendingOperation*> PendingOperationsList; 121 PendingOperationsList pending_; 122 PendingOperationsList::size_type num_pending_; 123 // True if the persistent store should skip clear on exit rules. 124 bool force_keep_session_state_; 125 // Guard |pending_|, |num_pending_| and |force_keep_session_state_|. 126 base::Lock lock_; 127 128 // Cache of origins we have certificates stored for. 129 std::set<std::string> cert_origins_; 130 131 scoped_refptr<base::SequencedTaskRunner> background_task_runner_; 132 133 scoped_refptr<quota::SpecialStoragePolicy> special_storage_policy_; 134 135 // Indicates if the kill-database callback has been scheduled. 136 bool corruption_detected_; 137 138 DISALLOW_COPY_AND_ASSIGN(Backend); 139 }; 140 141 // Version number of the database. 142 static const int kCurrentVersionNumber = 4; 143 static const int kCompatibleVersionNumber = 1; 144 145 namespace { 146 147 // Initializes the certs table, returning true on success. 148 bool InitTable(sql::Connection* db) { 149 // The table is named "origin_bound_certs" for backwards compatability before 150 // we renamed this class to SQLiteServerBoundCertStore. Likewise, the primary 151 // key is "origin", but now can be other things like a plain domain. 152 if (!db->DoesTableExist("origin_bound_certs")) { 153 if (!db->Execute("CREATE TABLE origin_bound_certs (" 154 "origin TEXT NOT NULL UNIQUE PRIMARY KEY," 155 "private_key BLOB NOT NULL," 156 "cert BLOB NOT NULL," 157 "cert_type INTEGER," 158 "expiration_time INTEGER," 159 "creation_time INTEGER)")) 160 return false; 161 } 162 163 return true; 164 } 165 166 } // namespace 167 168 void SQLiteServerBoundCertStore::Backend::Load( 169 const LoadedCallback& loaded_callback) { 170 // This function should be called only once per instance. 171 DCHECK(!db_.get()); 172 scoped_ptr<ScopedVector<net::DefaultServerBoundCertStore::ServerBoundCert> > 173 certs(new ScopedVector<net::DefaultServerBoundCertStore::ServerBoundCert>( 174 )); 175 ScopedVector<net::DefaultServerBoundCertStore::ServerBoundCert>* certs_ptr = 176 certs.get(); 177 178 background_task_runner_->PostTaskAndReply( 179 FROM_HERE, 180 base::Bind(&Backend::LoadOnDBThread, this, certs_ptr), 181 base::Bind(loaded_callback, base::Passed(&certs))); 182 } 183 184 void SQLiteServerBoundCertStore::Backend::LoadOnDBThread( 185 ScopedVector<net::DefaultServerBoundCertStore::ServerBoundCert>* certs) { 186 DCHECK(background_task_runner_->RunsTasksOnCurrentThread()); 187 188 // This method should be called only once per instance. 189 DCHECK(!db_.get()); 190 191 base::TimeTicks start = base::TimeTicks::Now(); 192 193 // Ensure the parent directory for storing certs is created before reading 194 // from it. 195 const base::FilePath dir = path_.DirName(); 196 if (!base::PathExists(dir) && !base::CreateDirectory(dir)) 197 return; 198 199 int64 db_size = 0; 200 if (base::GetFileSize(path_, &db_size)) 201 UMA_HISTOGRAM_COUNTS("DomainBoundCerts.DBSizeInKB", db_size / 1024 ); 202 203 db_.reset(new sql::Connection); 204 db_->set_histogram_tag("DomainBoundCerts"); 205 206 // Unretained to avoid a ref loop with db_. 207 db_->set_error_callback( 208 base::Bind(&SQLiteServerBoundCertStore::Backend::DatabaseErrorCallback, 209 base::Unretained(this))); 210 211 if (!db_->Open(path_)) { 212 NOTREACHED() << "Unable to open cert DB."; 213 if (corruption_detected_) 214 KillDatabase(); 215 db_.reset(); 216 return; 217 } 218 219 if (!EnsureDatabaseVersion() || !InitTable(db_.get())) { 220 NOTREACHED() << "Unable to open cert DB."; 221 if (corruption_detected_) 222 KillDatabase(); 223 meta_table_.Reset(); 224 db_.reset(); 225 return; 226 } 227 228 db_->Preload(); 229 230 // Slurp all the certs into the out-vector. 231 sql::Statement smt(db_->GetUniqueStatement( 232 "SELECT origin, private_key, cert, cert_type, expiration_time, " 233 "creation_time FROM origin_bound_certs")); 234 if (!smt.is_valid()) { 235 if (corruption_detected_) 236 KillDatabase(); 237 meta_table_.Reset(); 238 db_.reset(); 239 return; 240 } 241 242 while (smt.Step()) { 243 net::SSLClientCertType type = 244 static_cast<net::SSLClientCertType>(smt.ColumnInt(3)); 245 if (type != net::CLIENT_CERT_ECDSA_SIGN) 246 continue; 247 std::string private_key_from_db, cert_from_db; 248 smt.ColumnBlobAsString(1, &private_key_from_db); 249 smt.ColumnBlobAsString(2, &cert_from_db); 250 scoped_ptr<net::DefaultServerBoundCertStore::ServerBoundCert> cert( 251 new net::DefaultServerBoundCertStore::ServerBoundCert( 252 smt.ColumnString(0), // origin 253 base::Time::FromInternalValue(smt.ColumnInt64(5)), 254 base::Time::FromInternalValue(smt.ColumnInt64(4)), 255 private_key_from_db, 256 cert_from_db)); 257 cert_origins_.insert(cert->server_identifier()); 258 certs->push_back(cert.release()); 259 } 260 261 UMA_HISTOGRAM_COUNTS_10000("DomainBoundCerts.DBLoadedCount", certs->size()); 262 base::TimeDelta load_time = base::TimeTicks::Now() - start; 263 UMA_HISTOGRAM_CUSTOM_TIMES("DomainBoundCerts.DBLoadTime", 264 load_time, 265 base::TimeDelta::FromMilliseconds(1), 266 base::TimeDelta::FromMinutes(1), 267 50); 268 DVLOG(1) << "loaded " << certs->size() << " in " << load_time.InMilliseconds() 269 << " ms"; 270 } 271 272 bool SQLiteServerBoundCertStore::Backend::EnsureDatabaseVersion() { 273 // Version check. 274 if (!meta_table_.Init( 275 db_.get(), kCurrentVersionNumber, kCompatibleVersionNumber)) { 276 return false; 277 } 278 279 if (meta_table_.GetCompatibleVersionNumber() > kCurrentVersionNumber) { 280 LOG(WARNING) << "Server bound cert database is too new."; 281 return false; 282 } 283 284 int cur_version = meta_table_.GetVersionNumber(); 285 if (cur_version == 1) { 286 sql::Transaction transaction(db_.get()); 287 if (!transaction.Begin()) 288 return false; 289 if (!db_->Execute("ALTER TABLE origin_bound_certs ADD COLUMN cert_type " 290 "INTEGER")) { 291 LOG(WARNING) << "Unable to update server bound cert database to " 292 << "version 2."; 293 return false; 294 } 295 // All certs in version 1 database are rsa_sign, which are unsupported. 296 // Just discard them all. 297 if (!db_->Execute("DELETE from origin_bound_certs")) { 298 LOG(WARNING) << "Unable to update server bound cert database to " 299 << "version 2."; 300 return false; 301 } 302 ++cur_version; 303 meta_table_.SetVersionNumber(cur_version); 304 meta_table_.SetCompatibleVersionNumber( 305 std::min(cur_version, kCompatibleVersionNumber)); 306 transaction.Commit(); 307 } 308 309 if (cur_version <= 3) { 310 sql::Transaction transaction(db_.get()); 311 if (!transaction.Begin()) 312 return false; 313 314 if (cur_version == 2) { 315 if (!db_->Execute("ALTER TABLE origin_bound_certs ADD COLUMN " 316 "expiration_time INTEGER")) { 317 LOG(WARNING) << "Unable to update server bound cert database to " 318 << "version 4."; 319 return false; 320 } 321 } 322 323 if (!db_->Execute("ALTER TABLE origin_bound_certs ADD COLUMN " 324 "creation_time INTEGER")) { 325 LOG(WARNING) << "Unable to update server bound cert database to " 326 << "version 4."; 327 return false; 328 } 329 330 sql::Statement smt(db_->GetUniqueStatement( 331 "SELECT origin, cert FROM origin_bound_certs")); 332 sql::Statement update_expires_smt(db_->GetUniqueStatement( 333 "UPDATE origin_bound_certs SET expiration_time = ? WHERE origin = ?")); 334 sql::Statement update_creation_smt(db_->GetUniqueStatement( 335 "UPDATE origin_bound_certs SET creation_time = ? WHERE origin = ?")); 336 if (!smt.is_valid() || 337 !update_expires_smt.is_valid() || 338 !update_creation_smt.is_valid()) { 339 LOG(WARNING) << "Unable to update server bound cert database to " 340 << "version 4."; 341 return false; 342 } 343 344 while (smt.Step()) { 345 std::string origin = smt.ColumnString(0); 346 std::string cert_from_db; 347 smt.ColumnBlobAsString(1, &cert_from_db); 348 // Parse the cert and extract the real value and then update the DB. 349 scoped_refptr<net::X509Certificate> cert( 350 net::X509Certificate::CreateFromBytes( 351 cert_from_db.data(), cert_from_db.size())); 352 if (cert.get()) { 353 if (cur_version == 2) { 354 update_expires_smt.Reset(true); 355 update_expires_smt.BindInt64(0, 356 cert->valid_expiry().ToInternalValue()); 357 update_expires_smt.BindString(1, origin); 358 if (!update_expires_smt.Run()) { 359 LOG(WARNING) << "Unable to update server bound cert database to " 360 << "version 4."; 361 return false; 362 } 363 } 364 365 update_creation_smt.Reset(true); 366 update_creation_smt.BindInt64(0, cert->valid_start().ToInternalValue()); 367 update_creation_smt.BindString(1, origin); 368 if (!update_creation_smt.Run()) { 369 LOG(WARNING) << "Unable to update server bound cert database to " 370 << "version 4."; 371 return false; 372 } 373 } else { 374 // If there's a cert we can't parse, just leave it. It'll get replaced 375 // with a new one if we ever try to use it. 376 LOG(WARNING) << "Error parsing cert for database upgrade for origin " 377 << smt.ColumnString(0); 378 } 379 } 380 381 cur_version = 4; 382 meta_table_.SetVersionNumber(cur_version); 383 meta_table_.SetCompatibleVersionNumber( 384 std::min(cur_version, kCompatibleVersionNumber)); 385 transaction.Commit(); 386 } 387 388 // Put future migration cases here. 389 390 // When the version is too old, we just try to continue anyway, there should 391 // not be a released product that makes a database too old for us to handle. 392 LOG_IF(WARNING, cur_version < kCurrentVersionNumber) << 393 "Server bound cert database version " << cur_version << 394 " is too old to handle."; 395 396 return true; 397 } 398 399 void SQLiteServerBoundCertStore::Backend::DatabaseErrorCallback( 400 int error, 401 sql::Statement* stmt) { 402 DCHECK(background_task_runner_->RunsTasksOnCurrentThread()); 403 404 if (!sql::IsErrorCatastrophic(error)) 405 return; 406 407 // TODO(shess): Running KillDatabase() multiple times should be 408 // safe. 409 if (corruption_detected_) 410 return; 411 412 corruption_detected_ = true; 413 414 // TODO(shess): Consider just calling RazeAndClose() immediately. 415 // db_ may not be safe to reset at this point, but RazeAndClose() 416 // would cause the stack to unwind safely with errors. 417 background_task_runner_->PostTask(FROM_HERE, 418 base::Bind(&Backend::KillDatabase, this)); 419 } 420 421 void SQLiteServerBoundCertStore::Backend::KillDatabase() { 422 DCHECK(background_task_runner_->RunsTasksOnCurrentThread()); 423 424 if (db_) { 425 // This Backend will now be in-memory only. In a future run the database 426 // will be recreated. Hopefully things go better then! 427 bool success = db_->RazeAndClose(); 428 UMA_HISTOGRAM_BOOLEAN("DomainBoundCerts.KillDatabaseResult", success); 429 meta_table_.Reset(); 430 db_.reset(); 431 } 432 } 433 434 void SQLiteServerBoundCertStore::Backend::AddServerBoundCert( 435 const net::DefaultServerBoundCertStore::ServerBoundCert& cert) { 436 BatchOperation(PendingOperation::CERT_ADD, cert); 437 } 438 439 void SQLiteServerBoundCertStore::Backend::DeleteServerBoundCert( 440 const net::DefaultServerBoundCertStore::ServerBoundCert& cert) { 441 BatchOperation(PendingOperation::CERT_DELETE, cert); 442 } 443 444 void SQLiteServerBoundCertStore::Backend::BatchOperation( 445 PendingOperation::OperationType op, 446 const net::DefaultServerBoundCertStore::ServerBoundCert& cert) { 447 // Commit every 30 seconds. 448 static const int kCommitIntervalMs = 30 * 1000; 449 // Commit right away if we have more than 512 outstanding operations. 450 static const size_t kCommitAfterBatchSize = 512; 451 452 // We do a full copy of the cert here, and hopefully just here. 453 scoped_ptr<PendingOperation> po(new PendingOperation(op, cert)); 454 455 PendingOperationsList::size_type num_pending; 456 { 457 base::AutoLock locked(lock_); 458 pending_.push_back(po.release()); 459 num_pending = ++num_pending_; 460 } 461 462 if (num_pending == 1) { 463 // We've gotten our first entry for this batch, fire off the timer. 464 background_task_runner_->PostDelayedTask( 465 FROM_HERE, 466 base::Bind(&Backend::Commit, this), 467 base::TimeDelta::FromMilliseconds(kCommitIntervalMs)); 468 } else if (num_pending == kCommitAfterBatchSize) { 469 // We've reached a big enough batch, fire off a commit now. 470 background_task_runner_->PostTask(FROM_HERE, 471 base::Bind(&Backend::Commit, this)); 472 } 473 } 474 475 void SQLiteServerBoundCertStore::Backend::Commit() { 476 DCHECK(background_task_runner_->RunsTasksOnCurrentThread()); 477 478 PendingOperationsList ops; 479 { 480 base::AutoLock locked(lock_); 481 pending_.swap(ops); 482 num_pending_ = 0; 483 } 484 485 // Maybe an old timer fired or we are already Close()'ed. 486 if (!db_.get() || ops.empty()) 487 return; 488 489 sql::Statement add_smt(db_->GetCachedStatement(SQL_FROM_HERE, 490 "INSERT INTO origin_bound_certs (origin, private_key, cert, cert_type, " 491 "expiration_time, creation_time) VALUES (?,?,?,?,?,?)")); 492 if (!add_smt.is_valid()) 493 return; 494 495 sql::Statement del_smt(db_->GetCachedStatement(SQL_FROM_HERE, 496 "DELETE FROM origin_bound_certs WHERE origin=?")); 497 if (!del_smt.is_valid()) 498 return; 499 500 sql::Transaction transaction(db_.get()); 501 if (!transaction.Begin()) 502 return; 503 504 for (PendingOperationsList::iterator it = ops.begin(); 505 it != ops.end(); ++it) { 506 // Free the certs as we commit them to the database. 507 scoped_ptr<PendingOperation> po(*it); 508 switch (po->op()) { 509 case PendingOperation::CERT_ADD: { 510 cert_origins_.insert(po->cert().server_identifier()); 511 add_smt.Reset(true); 512 add_smt.BindString(0, po->cert().server_identifier()); 513 const std::string& private_key = po->cert().private_key(); 514 add_smt.BindBlob(1, private_key.data(), private_key.size()); 515 const std::string& cert = po->cert().cert(); 516 add_smt.BindBlob(2, cert.data(), cert.size()); 517 add_smt.BindInt(3, net::CLIENT_CERT_ECDSA_SIGN); 518 add_smt.BindInt64(4, po->cert().expiration_time().ToInternalValue()); 519 add_smt.BindInt64(5, po->cert().creation_time().ToInternalValue()); 520 if (!add_smt.Run()) 521 NOTREACHED() << "Could not add a server bound cert to the DB."; 522 break; 523 } 524 case PendingOperation::CERT_DELETE: 525 cert_origins_.erase(po->cert().server_identifier()); 526 del_smt.Reset(true); 527 del_smt.BindString(0, po->cert().server_identifier()); 528 if (!del_smt.Run()) 529 NOTREACHED() << "Could not delete a server bound cert from the DB."; 530 break; 531 532 default: 533 NOTREACHED(); 534 break; 535 } 536 } 537 transaction.Commit(); 538 } 539 540 // Fire off a close message to the background thread. We could still have a 541 // pending commit timer that will be holding a reference on us, but if/when 542 // this fires we will already have been cleaned up and it will be ignored. 543 void SQLiteServerBoundCertStore::Backend::Close() { 544 // Must close the backend on the background thread. 545 background_task_runner_->PostTask( 546 FROM_HERE, base::Bind(&Backend::InternalBackgroundClose, this)); 547 } 548 549 void SQLiteServerBoundCertStore::Backend::InternalBackgroundClose() { 550 DCHECK(background_task_runner_->RunsTasksOnCurrentThread()); 551 // Commit any pending operations 552 Commit(); 553 554 if (!force_keep_session_state_ && 555 special_storage_policy_.get() && 556 special_storage_policy_->HasSessionOnlyOrigins()) { 557 DeleteCertificatesOnShutdown(); 558 } 559 560 db_.reset(); 561 } 562 563 void SQLiteServerBoundCertStore::Backend::DeleteCertificatesOnShutdown() { 564 DCHECK(background_task_runner_->RunsTasksOnCurrentThread()); 565 566 if (!db_.get()) 567 return; 568 569 if (cert_origins_.empty()) 570 return; 571 572 if (!special_storage_policy_.get()) 573 return; 574 575 sql::Statement del_smt(db_->GetCachedStatement( 576 SQL_FROM_HERE, "DELETE FROM origin_bound_certs WHERE origin=?")); 577 if (!del_smt.is_valid()) { 578 LOG(WARNING) << "Unable to delete certificates on shutdown."; 579 return; 580 } 581 582 sql::Transaction transaction(db_.get()); 583 if (!transaction.Begin()) { 584 LOG(WARNING) << "Unable to delete certificates on shutdown."; 585 return; 586 } 587 588 for (std::set<std::string>::iterator it = cert_origins_.begin(); 589 it != cert_origins_.end(); ++it) { 590 const GURL url(net::cookie_util::CookieOriginToURL(*it, true)); 591 if (!url.is_valid() || !special_storage_policy_->IsStorageSessionOnly(url)) 592 continue; 593 del_smt.Reset(true); 594 del_smt.BindString(0, *it); 595 if (!del_smt.Run()) 596 NOTREACHED() << "Could not delete a certificate from the DB."; 597 } 598 599 if (!transaction.Commit()) 600 LOG(WARNING) << "Unable to delete certificates on shutdown."; 601 } 602 603 void SQLiteServerBoundCertStore::Backend::SetForceKeepSessionState() { 604 base::AutoLock locked(lock_); 605 force_keep_session_state_ = true; 606 } 607 608 SQLiteServerBoundCertStore::SQLiteServerBoundCertStore( 609 const base::FilePath& path, 610 const scoped_refptr<base::SequencedTaskRunner>& background_task_runner, 611 quota::SpecialStoragePolicy* special_storage_policy) 612 : backend_(new Backend(path, 613 background_task_runner, 614 special_storage_policy)) {} 615 616 void SQLiteServerBoundCertStore::Load( 617 const LoadedCallback& loaded_callback) { 618 backend_->Load(loaded_callback); 619 } 620 621 void SQLiteServerBoundCertStore::AddServerBoundCert( 622 const net::DefaultServerBoundCertStore::ServerBoundCert& cert) { 623 backend_->AddServerBoundCert(cert); 624 } 625 626 void SQLiteServerBoundCertStore::DeleteServerBoundCert( 627 const net::DefaultServerBoundCertStore::ServerBoundCert& cert) { 628 backend_->DeleteServerBoundCert(cert); 629 } 630 631 void SQLiteServerBoundCertStore::SetForceKeepSessionState() { 632 backend_->SetForceKeepSessionState(); 633 } 634 635 SQLiteServerBoundCertStore::~SQLiteServerBoundCertStore() { 636 backend_->Close(); 637 // We release our reference to the Backend, though it will probably still have 638 // a reference if the background thread has not run Close() yet. 639 } 640
