Add Expect CT policy that gets checked on all certs

net/cert/ct_policy_enforcer.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/ct_policy_enforcer.h"
 
 #include <algorithm>
 #include <utility>
 
 #include "base/bind.h"
@@ skipping 116 matching lines @@
 // operated by Google and at least one log that is not operated by Google. This
 // is required for SCTs after July 1st, 2015, as documented at
 // http://dev.chromium.org/Home/chromium-security/root-ca-policy/EVCTPlanMay2015edition.pdf
 bool HasEnoughDiverseSCTs(const ct::SCTList& verified_scts) {
   size_t num_google_issued_scts = base::checked_cast<size_t>(std::count_if(
       verified_scts.begin(), verified_scts.end(), IsGoogleIssuedSCT));
   return (num_google_issued_scts > 0) &&
          (verified_scts.size() != num_google_issued_scts);
 }
 
-enum CTComplianceStatus {
-  CT_NOT_COMPLIANT = 0,
-  CT_IN_WHITELIST = 1,
-  CT_ENOUGH_SCTS = 2,
-  CT_NOT_ENOUGH_DIVERSE_SCTS = 3,
-  CT_COMPLIANCE_MAX,
+enum EVPolicyStatus {
+  EV_POLICY_STATUS_NOT_COMPLIANT = 0,
+  EV_POLICY_STATUS_IN_WHITELIST = 1,
+  EV_POLICY_STATUS_COMPLIANT = 2,
+  EV_POLICY_STATUS_MAX,
 };
 
-const char* ComplianceStatusToString(CTComplianceStatus status) {
+const char* EVPolicyStatusToString(EVPolicyStatus status) {
   switch (status) {
-    case CT_NOT_COMPLIANT:
+    case EV_POLICY_STATUS_NOT_COMPLIANT:
       return "NOT_COMPLIANT";
       break;
-    case CT_IN_WHITELIST:
+    case EV_POLICY_STATUS_IN_WHITELIST:
       return "WHITELISTED";
       break;
-    case CT_ENOUGH_SCTS:
-      return "ENOUGH_SCTS";
+    case EV_POLICY_STATUS_COMPLIANT:
+      return "COMPLIANT";
       break;
-    case CT_NOT_ENOUGH_DIVERSE_SCTS:
-      return "NOT_ENOUGH_DIVERSE_SCTS";
-      break;
-    case CT_COMPLIANCE_MAX:
+    case EV_POLICY_STATUS_MAX:
       break;
   }
 
   return "unknown";
 }
 
 enum EVWhitelistStatus {
   EV_WHITELIST_NOT_PRESENT = 0,
   EV_WHITELIST_INVALID = 1,
   EV_WHITELIST_VALID = 2,
   EV_WHITELIST_MAX,
 };
 
-void LogCTComplianceStatusToUMA(CTComplianceStatus status,
-                                const ct::EVCertsWhitelist* ev_whitelist) {
-  UMA_HISTOGRAM_ENUMERATION("Net.SSL_EVCertificateCTCompliance", status,
-                            CT_COMPLIANCE_MAX);
-  if (status == CT_NOT_COMPLIANT) {
+void LogEVPolicyStatusToUMA(EVPolicyStatus status,
+                            const ct::EVCertsWhitelist* ev_whitelist) {
+  UMA_HISTOGRAM_ENUMERATION("Net.SSL_EVCTPolicyStatus", status,
+                            EV_POLICY_STATUS_MAX);
+  if (status == EV_POLICY_STATUS_NOT_COMPLIANT) {
     EVWhitelistStatus ev_whitelist_status = EV_WHITELIST_NOT_PRESENT;
     if (ev_whitelist != NULL) {
       if (ev_whitelist->IsValid())
         ev_whitelist_status = EV_WHITELIST_VALID;
       else
         ev_whitelist_status = EV_WHITELIST_INVALID;
     }
 
     UMA_HISTOGRAM_ENUMERATION("Net.SSL_EVWhitelistValidityForNonCompliantCert",
                               ev_whitelist_status, EV_WHITELIST_MAX);
   }
 }
 
-struct ComplianceDetails {
-  ComplianceDetails()
-      : ct_presence_required(false),
-        build_timely(false),
-        status(CT_NOT_COMPLIANT) {}
+struct EVComplianceDetails {
+  EVComplianceDetails()
+      : build_timely(false), status(EV_POLICY_STATUS_NOT_COMPLIANT) {}
 
-  // Whether enforcement of the policy was required or not.
-  bool ct_presence_required;
-  // Whether the build is not older than 10 weeks. The value is meaningful only
-  // if |ct_presence_required| is true.
+  // True if the build is not older than 10 weeks.
   bool build_timely;
-  // Compliance status - meaningful only if |ct_presence_required| and
-  // |build_timely| are true.
-  CTComplianceStatus status;
-  // EV whitelist version.
+  // Compliance status. Cannot be EV_POLICY_STATUS_IS_WHITELISTED if
+  // |build_timely| is false.
+  EVPolicyStatus status;
+  // EV whitelist version. Only set if |build_timely| is true.
   base::Version whitelist_version;
 };
 
 scoped_ptr<base::Value> NetLogComplianceCheckResultCallback(
     X509Certificate* cert,
-    ComplianceDetails* details,
+    EVComplianceDetails* details,
     NetLogCaptureMode capture_mode) {
   scoped_ptr<base::DictionaryValue> dict(new base::DictionaryValue());
   dict->Set("certificate", NetLogX509CertificateCallback(cert, capture_mode));
-  dict->SetBoolean("policy_enforcement_required",
-                   details->ct_presence_required);
-  if (details->ct_presence_required) {
-    dict->SetBoolean("build_timely", details->build_timely);
-    if (details->build_timely) {
-      dict->SetString("ct_compliance_status",
-                      ComplianceStatusToString(details->status));
-      if (details->whitelist_version.IsValid())
-        dict->SetString("ev_whitelist_version",
-                        details->whitelist_version.GetString());
-    }
+  dict->SetBoolean("policy_enforcement_required", true);
+  dict->SetBoolean("build_timely", details->build_timely);
+  dict->SetString("ct_compliance_status",
+                  EVPolicyStatusToString(details->status));
+  if (details->whitelist_version.IsValid()) {
+    dict->SetString("ev_whitelist_version",
+                    details->whitelist_version.GetString());
   }
   return std::move(dict);
 }
 
 // Returns true if all SCTs in |verified_scts| were issued on, or after, the
 // date specified in kDiverseSCTRequirementStartDate
 bool AllSCTsPastDistinctSCTRequirementEnforcementDate(
     const ct::SCTList& verified_scts) {
   // The date when diverse SCTs requirement is effective from.
   // 2015-07-01 00:00:00 UTC.
@@ skipping 18 matching lines @@
     std::string truncated_fp =
         std::string(reinterpret_cast<const char*>(fingerprint.data), 8);
     cert_in_ev_whitelist = ev_whitelist->ContainsCertificateHash(truncated_fp);
 
     UMA_HISTOGRAM_BOOLEAN("Net.SSL_EVCertificateInWhitelist",
                           cert_in_ev_whitelist);
   }
   return cert_in_ev_whitelist;
 }
 
-void CheckCTEVPolicyCompliance(X509Certificate* cert,
-                               const ct::EVCertsWhitelist* ev_whitelist,
-                               const ct::CTVerifyResult& ct_result,
-                               ComplianceDetails* result) {
-  result->ct_presence_required = true;
-
-  if (!IsBuildTimely())
-    return;
-  result->build_timely = true;
-
-  if (ev_whitelist && ev_whitelist->IsValid())
-    result->whitelist_version = ev_whitelist->Version();
-
-  if (IsCertificateInWhitelist(*cert, ev_whitelist)) {
-    result->status = CT_IN_WHITELIST;
-    return;
-  }
-
-  if (!HasRequiredNumberOfSCTs(*cert, ct_result)) {
-    result->status = CT_NOT_COMPLIANT;
-    return;
-  }
+bool CheckCertPolicyCompliance(X509Certificate* cert,
+                               const ct::CTVerifyResult& ct_result) {
+  if (!HasRequiredNumberOfSCTs(*cert, ct_result))
+    return false;
 
   if (AllSCTsPastDistinctSCTRequirementEnforcementDate(
           ct_result.verified_scts) &&
       !HasEnoughDiverseSCTs(ct_result.verified_scts)) {
-    result->status = CT_NOT_ENOUGH_DIVERSE_SCTS;
-    return;
+    return false;
   }
 
-  result->status = CT_ENOUGH_SCTS;
+  return true;
+}
+
+void CheckEVPolicyCompliance(X509Certificate* cert,
+                             const ct::CTVerifyResult& ct_result,
+                             const ct::EVCertsWhitelist* ev_whitelist,
+                             EVComplianceDetails* result) {
+  result->status = EV_POLICY_STATUS_NOT_COMPLIANT;
+  if (CheckCertPolicyCompliance(cert, ct_result))
+    result->status = EV_POLICY_STATUS_COMPLIANT;
+  if (ev_whitelist && ev_whitelist->IsValid())
+    result->whitelist_version = ev_whitelist->Version();
+
+  if (result->status != EV_POLICY_STATUS_COMPLIANT &&
+      IsCertificateInWhitelist(*cert, ev_whitelist)) {
+    result->status = EV_POLICY_STATUS_IN_WHITELIST;
+  }
 }
 
 }  // namespace
 
-bool CTPolicyEnforcer::DoesConformToCTEVPolicy(
+bool CTPolicyEnforcer::DoesConformToCertPolicy(
     X509Certificate* cert,
+    const ct::CTVerifyResult& ct_result) {
+  if (!IsBuildTimely())

[Ryan Sleevi, 2016/01/23 02:08:10]

Perhaps it's worth documenting why we check build timeliness (here and 297)

Also, why wouldn't we want to NetLog these checks as well? Will that come
seperately? Not at all? Seems very useful for Expect-CT debugging, and
consistent with being introduced in this CL.

[estark, 2016/01/30 17:01:56]

Done.
Done.

+    return false;
+  return CheckCertPolicyCompliance(cert, ct_result);
+}
+
+bool CTPolicyEnforcer::DoesConformToEVPolicy(
+    X509Certificate* cert,
+    const ct::CTVerifyResult& ct_result,
     const ct::EVCertsWhitelist* ev_whitelist,
-    const ct::CTVerifyResult& ct_result,
     const BoundNetLog& net_log) {
-  ComplianceDetails details;
-
-  CheckCTEVPolicyCompliance(cert, ev_whitelist, ct_result, &details);
+  EVComplianceDetails details;
+  details.build_timely = IsBuildTimely();
+  if (details.build_timely)
+    CheckEVPolicyCompliance(cert, ct_result, ev_whitelist, &details);
+  else
+    details.status = EV_POLICY_STATUS_NOT_COMPLIANT;
 
   NetLog::ParametersCallback net_log_callback =
       base::Bind(&NetLogComplianceCheckResultCallback, base::Unretained(cert),
                  base::Unretained(&details));
 
   net_log.AddEvent(NetLog::TYPE_EV_CERT_CT_COMPLIANCE_CHECKED,
                    net_log_callback);
 
-  if (!details.ct_presence_required)
-    return true;
+  LogEVPolicyStatusToUMA(details.status, ev_whitelist);
 
-  if (!details.build_timely)
-    return false;
-
-  LogCTComplianceStatusToUMA(details.status, ev_whitelist);
-
-  if (details.status == CT_IN_WHITELIST || details.status == CT_ENOUGH_SCTS)
-    return true;
-
-  return false;
+  return (details.status == EV_POLICY_STATUS_IN_WHITELIST ||
+          details.status == EV_POLICY_STATUS_COMPLIANT);
 }
 
 }  // namespace net