
Side by Side Diff: net/cert/ct_policy_enforcer.cc

Issue 1578993003: Add Expect CT policy that gets checked on all certs (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: update some comments Created 4 years, 11 months ago
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/ct_policy_enforcer.h" 5 #include "net/cert/ct_policy_enforcer.h"
6 6
7 #include <algorithm> 7 #include <algorithm>
8 #include <utility> 8 #include <utility>
9 9
10 #include "base/bind.h" 10 #include "base/bind.h"
254 std::string truncated_fp = 254 std::string truncated_fp =
255 std::string(reinterpret_cast<const char*>(fingerprint.data), 8); 255 std::string(reinterpret_cast<const char*>(fingerprint.data), 8);
256 cert_in_ev_whitelist = ev_whitelist->ContainsCertificateHash(truncated_fp); 256 cert_in_ev_whitelist = ev_whitelist->ContainsCertificateHash(truncated_fp);
257 257
258 UMA_HISTOGRAM_BOOLEAN("Net.SSL_EVCertificateInWhitelist", 258 UMA_HISTOGRAM_BOOLEAN("Net.SSL_EVCertificateInWhitelist",
259 cert_in_ev_whitelist); 259 cert_in_ev_whitelist);
260 } 260 }
261 return cert_in_ev_whitelist; 261 return cert_in_ev_whitelist;
262 } 262 }
263 263
264 void CheckCTEVPolicyCompliance(X509Certificate* cert, 264 void CheckCTPolicyCompliance(X509Certificate* cert,
Ryan Sleevi 2016/01/12 21:24:56 git cl format
265 const ct::EVCertsWhitelist* ev_whitelist, 265 const ct::EVCertsWhitelist* ev_whitelist,
266 const ct::CTVerifyResult& ct_result, 266 const ct::CTVerifyResult& ct_result,
267 ComplianceDetails* result) { 267 ComplianceDetails* result) {
268 result->ct_presence_required = true; 268 result->ct_presence_required = true;
269 269
270 if (!IsBuildTimely()) 270 if (!IsBuildTimely())
271 return; 271 return;
272 result->build_timely = true; 272 result->build_timely = true;
273 273
274 if (ev_whitelist && ev_whitelist->IsValid()) 274 if (ev_whitelist && ev_whitelist->IsValid())
289 !HasEnoughDiverseSCTs(ct_result.verified_scts)) { 289 !HasEnoughDiverseSCTs(ct_result.verified_scts)) {
290 result->status = CT_NOT_ENOUGH_DIVERSE_SCTS; 290 result->status = CT_NOT_ENOUGH_DIVERSE_SCTS;
291 return; 291 return;
292 } 292 }
293 293
294 result->status = CT_ENOUGH_SCTS; 294 result->status = CT_ENOUGH_SCTS;
295 } 295 }
296 296
297 } // namespace 297 } // namespace
298 298
299 bool CTPolicyEnforcer::DoesConformToCTEVPolicy( 299 bool CTPolicyEnforcer::DoesConformToCTPolicy(
300 X509Certificate* cert, 300 X509Certificate* cert,
301 const ct::EVCertsWhitelist* ev_whitelist, 301 const ct::EVCertsWhitelist* ev_whitelist,
302 const ct::CTVerifyResult& ct_result, 302 const ct::CTVerifyResult& ct_result,
303 const BoundNetLog& net_log) { 303 const BoundNetLog& net_log) {
304 ComplianceDetails details; 304 ComplianceDetails details;
305 305
306 CheckCTEVPolicyCompliance(cert, ev_whitelist, ct_result, &details); 306 CheckCTPolicyCompliance(cert, ev_whitelist, ct_result, &details);
307 307
308 NetLog::ParametersCallback net_log_callback = 308 NetLog::ParametersCallback net_log_callback =
309 base::Bind(&NetLogComplianceCheckResultCallback, base::Unretained(cert), 309 base::Bind(&NetLogComplianceCheckResultCallback, base::Unretained(cert),
310 base::Unretained(&details)); 310 base::Unretained(&details));
311 311
312 net_log.AddEvent(NetLog::TYPE_EV_CERT_CT_COMPLIANCE_CHECKED, 312 net_log.AddEvent(NetLog::TYPE_EV_CERT_CT_COMPLIANCE_CHECKED,
313 net_log_callback); 313 net_log_callback);
314 314
315 if (!details.ct_presence_required) 315 if (!details.ct_presence_required)
316 return true; 316 return true;
317 317
318 if (!details.build_timely) 318 if (!details.build_timely)
319 return false; 319 return false;
320 320
321 LogCTComplianceStatusToUMA(details.status, ev_whitelist); 321 LogCTComplianceStatusToUMA(details.status, ev_whitelist);
322 322
323 if (details.status == CT_IN_WHITELIST || details.status == CT_ENOUGH_SCTS) 323 if (details.status == CT_IN_WHITELIST || details.status == CT_ENOUGH_SCTS)
324 return true; 324 return true;
325 325
326 return false; 326 return false;
327 } 327 }
328 328
329 } // namespace net 329 } // namespace net
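Review bot: After the rename to DoesConformToCTPolicy at line 299, the result is still recorded under `NetLog::TYPE_EV_CERT_CT_COMPLIANCE_CHECKED` (line 312), so the NetLog entry continues to describe the check as EV-specific even though, per the issue title, the policy is now applied to all certificates. If the event type is kept for compatibility with existing NetLog consumers, a short comment there would help, e.g. `// Event type retained for compatibility; this check is no longer EV-only.`; otherwise a matching rename seems warranted, possibly in a follow-up. A whitelist hit (CT_IN_WHITELIST, line 323) also still short-circuits to compliant for whatever certificate is passed in; if the EV whitelist is meant to exempt only EV certificates, the function's header comment should state that callers pass a null ev_whitelist for non-EV certificates, since nothing visible in CheckCTPolicyCompliance restricts it. Lines 275-288 of CheckCTPolicyCompliance are collapsed in this view, so this is inferred from the visible lines only.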