Certificate Transparency DNS log client

components/certificate_transparency/log_dns_client.h

+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef COMPONENTS_CERTIFICATE_TRANSPARENCY_LOG_DNS_CLIENT_H_
+#define COMPONENTS_CERTIFICATE_TRANSPARENCY_LOG_DNS_CLIENT_H_
+
+#include <stdint.h>
+
+#include <list>
+#include <string>
+
+#include "base/callback.h"
+#include "base/macros.h"
+#include "base/strings/string_piece.h"
+#include "base/time/clock.h"
+#include "net/log/net_log.h"
+
+namespace net {
+class DnsClient;
+class DnsResponse;
+class DnsTransaction;
+namespace ct {
+struct MerkleAuditProof;
+}  // namespace ct
+}  // namespace net
+
+namespace certificate_transparency {
+
+// Queries Certificate Transparency (CT) log servers via DNS.
+// All queries are performed asynchronously.
+// For more information, see
+// https://github.com/google/certificate-transparency-rfcs/blob/master/dns/draft-ct-over-dns.md.
+class LogDnsClient {
+ public:
+  // Invoked when a leaf index query completes.
+  // If an error occured, |net_error| will be a net::Error code, otherwise it
+  // will be net::OK and |leaf_index| will be the leaf index that was received.
+  using LeafIndexCallback =
+      base::Callback<void(int net_error, uint64_t leaf_index)>;
+  // Invoked when an audit proof query completes.
+  // If an error occurred, |net_error| will be a net::Error code, otherwise it
+  // will be net::OK and |proof| will be the audit proof that was received.
+  // The log ID of |proof| will not be set, as that is not known by this class,
+  // but the leaf index will be set.
+  using AuditProofCallback =
+      base::Callback<void(int net_error,
+                          std::unique_ptr<net::ct::MerkleAuditProof> proof)>;
+
+  // Creates a log client that will take ownership of |dns_client| and use it
+  // to perform DNS queries. Queries will be logged to |net_log|.
+  // The |clock| is required for parsing DNS responses. Ownership of |clock|
+  // remains with the caller and it must outlive the LogDnsClient instance.
+  LogDnsClient(std::unique_ptr<net::DnsClient> dns_client,
+               const net::BoundNetLog& net_log,
+               base::Clock* clock);
+  virtual ~LogDnsClient();
+
+  // Queries a CT log to discover the index of the leaf with |leaf_hash|.
+  // The log is identified by |domain_for_log|, which is the DNS name used as a
+  // suffix for all queries.
+  // The |leaf_hash| is the SHA-256 hash of a Merkle tree leaf in that log.
+  // The |callback| is invoked when the query is complete, or an error occurs.
+  void QueryLeafIndex(base::StringPiece domain_for_log,
+                      base::StringPiece leaf_hash,
+                      const LeafIndexCallback& callback);
+
+  // Queries a CT log to retrieve an audit proof for the leaf at |leaf_index|.
+  // The size of the CT log tree must be provided in |tree_size|.
+  // The log is identified by |domain_for_log|, which is the DNS name used as a
+  // suffix for all queries.
+  // The |callback| is invoked when the query is complete, or an error occurs.
+  void QueryAuditProof(base::StringPiece domain_for_log,
+                       uint64_t leaf_index,
+                       uint64_t tree_size,
+                       const AuditProofCallback& callback);
+
+ private:
+  void QueryLeafIndexComplete(net::DnsTransaction* transaction,
+                              int neterror,
+                              const net::DnsResponse* response);
+
+  // Queries a CT log to retrieve part of an audit proof for the leaf at
+  // |leaf_index|. The |node_index| indicates which node of the audit proof
+  // should be requested. The CT log may return up to 7 nodes, starting from
+  // |node_index| (this is the maximum that will fit in a DNS UDP packet).
+  // The nodes will be appended to |proof->nodes|.
+  void QueryAuditProofNodes(std::unique_ptr<net::ct::MerkleAuditProof> proof,
+                            base::StringPiece domain_for_log,
+                            uint64_t leaf_index,
+                            uint64_t tree_size,
+                            uint64_t node_index,
+                            const AuditProofCallback& callback);
+
+  void QueryAuditProofNodesComplete(
+      std::unique_ptr<net::ct::MerkleAuditProof> proof,
+      base::StringPiece domain_for_log,
+      uint64_t leaf_index,
+      uint64_t tree_size,
+      net::DnsTransaction* transaction,
+      int net_error,
+      const net::DnsResponse* response);
+
+  bool ParseTxtResponse(const net::DnsResponse& response, std::string* txt);
+
+  bool ParseLeafIndex(const net::DnsResponse& response, uint64_t* index);
+
+  bool ParseAuditPath(const net::DnsResponse& response,
+                      net::ct::MerkleAuditProof* proof);
+
+  // A DNS query that is in flight.
+  template <typename CallbackType>
+  struct Query {
+    std::unique_ptr<net::DnsTransaction> transaction;
+    CallbackType callback;
+  };
+
+  // Used to perform DNS queries.
+  std::unique_ptr<net::DnsClient> dns_client_;
+  // Passed to the DNS client for logging.
+  net::BoundNetLog net_log_;
+  // The current time is needed for parsing DNS records.
+  base::Clock* clock_;
+  // Leaf index queries that haven't completed yet.
+  std::list<Query<LeafIndexCallback>> leaf_index_queries_;
+  // Audit proof queries that haven't completed yet.
+  std::list<Query<AuditProofCallback>> audit_proof_queries_;
+  // Creates weak_ptrs to this, for callback purposes.
+  base::WeakPtrFactory<LogDnsClient> weak_ptr_factory_;
+
+  DISALLOW_COPY_AND_ASSIGN(LogDnsClient);
+};
+
+}  // namespace certificate_transparency
+#endif  // COMPONENTS_CERTIFICATE_TRANSPARENCY_LOG_DNS_CLIENT_H_