Add information to SSLInfo about CT EV policy compliance

net/cert/ct_policy_enforcer.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/ct_policy_enforcer.h"
 
 #include <algorithm>
 #include <utility>
 
 #include "base/bind.h"
 #include "base/build_time.h"
 #include "base/callback_helpers.h"
 #include "base/metrics/field_trial.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/numerics/safe_conversions.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/time/time.h"
 #include "base/values.h"
 #include "base/version.h"
 #include "net/cert/ct_ev_whitelist.h"
 #include "net/cert/ct_known_logs.h"
+#include "net/cert/ct_policy_status.h"
 #include "net/cert/ct_verify_result.h"
 #include "net/cert/signed_certificate_timestamp.h"
 #include "net/cert/x509_certificate.h"
 #include "net/cert/x509_certificate_net_log_param.h"
 #include "net/log/net_log.h"
 
 namespace net {
 
 namespace {
 
@@ skipping 43 matching lines @@
                         (exploded_expiry.month - exploded_start.month);
   if (exploded_expiry.day_of_month < exploded_start.day_of_month)
     --month_diff;
   else if (exploded_expiry.day_of_month == exploded_start.day_of_month)
     *has_partial_month = false;
 
   *rounded_months_difference = month_diff;
 }
 
 bool HasRequiredNumberOfSCTs(const X509Certificate& cert,
-                             const ct::CTVerifyResult& ct_result) {
-  size_t num_valid_scts = ct_result.verified_scts.size();
+                             const ct::SCTList& verified_scts) {
+  size_t num_valid_scts = verified_scts.size();
   size_t num_embedded_scts = base::checked_cast<size_t>(
-      std::count_if(ct_result.verified_scts.begin(),
-                    ct_result.verified_scts.end(), IsEmbeddedSCT));
+      std::count_if(verified_scts.begin(), verified_scts.end(), IsEmbeddedSCT));
 
   size_t num_non_embedded_scts = num_valid_scts - num_embedded_scts;
   // If at least two valid SCTs were delivered by means other than embedding
   // (i.e. in a TLS extension or OCSP), then the certificate conforms to bullet
   // number 3 of the "Qualifying Certificate" section of the CT/EV policy.
   if (num_non_embedded_scts >= 2)
     return true;
 
   if (cert.valid_start().is_null() || cert.valid_expiry().is_null() ||
       cert.valid_start().is_max() || cert.valid_expiry().is_max()) {
@@ skipping 63 matching lines @@
   return "unknown";
 }
 
 enum EVWhitelistStatus {
   EV_WHITELIST_NOT_PRESENT = 0,
   EV_WHITELIST_INVALID = 1,
   EV_WHITELIST_VALID = 2,
   EV_WHITELIST_MAX,
 };
 
-void LogCTComplianceStatusToUMA(CTComplianceStatus status,
-                                const ct::EVCertsWhitelist* ev_whitelist) {
+void LogCTEVComplianceStatusToUMA(CTComplianceStatus status,
+                                  const ct::EVCertsWhitelist* ev_whitelist) {
   UMA_HISTOGRAM_ENUMERATION("Net.SSL_EVCertificateCTCompliance", status,
                             CT_COMPLIANCE_MAX);
   if (status == CT_NOT_COMPLIANT) {
     EVWhitelistStatus ev_whitelist_status = EV_WHITELIST_NOT_PRESENT;
     if (ev_whitelist != NULL) {
       if (ev_whitelist->IsValid())
         ev_whitelist_status = EV_WHITELIST_VALID;
       else
         ev_whitelist_status = EV_WHITELIST_INVALID;
     }
 
     UMA_HISTOGRAM_ENUMERATION("Net.SSL_EVWhitelistValidityForNonCompliantCert",
                               ev_whitelist_status, EV_WHITELIST_MAX);
   }
 }
 
 struct ComplianceDetails {
-  ComplianceDetails()
-      : ct_presence_required(false),
-        build_timely(false),
-        status(CT_NOT_COMPLIANT) {}
+  ComplianceDetails() : build_timely(false), status(CT_NOT_COMPLIANT) {}
 
-  // Whether enforcement of the policy was required or not.
-  bool ct_presence_required;
-  // Whether the build is not older than 10 weeks. The value is meaningful only
-  // if |ct_presence_required| is true.
+  // Whether the build is not older than 10 weeks.
   bool build_timely;
-  // Compliance status - meaningful only if |ct_presence_required| and
-  // |build_timely| are true.
+  // Compliance status - meaningful only if |build_timely| is true.
   CTComplianceStatus status;
   // EV whitelist version.
   base::Version whitelist_version;
 };
 
 scoped_ptr<base::Value> NetLogComplianceCheckResultCallback(
     X509Certificate* cert,
     ComplianceDetails* details,
     NetLogCaptureMode capture_mode) {
   scoped_ptr<base::DictionaryValue> dict(new base::DictionaryValue());
   dict->Set("certificate", NetLogX509CertificateCallback(cert, capture_mode));
-  dict->SetBoolean("policy_enforcement_required",
-                   details->ct_presence_required);
-  if (details->ct_presence_required) {
-    dict->SetBoolean("build_timely", details->build_timely);
-    if (details->build_timely) {
-      dict->SetString("ct_compliance_status",
-                      ComplianceStatusToString(details->status));
-      if (details->whitelist_version.IsValid())
-        dict->SetString("ev_whitelist_version",
-                        details->whitelist_version.GetString());
-    }
+  dict->SetBoolean("policy_enforcement_required", true);
+  dict->SetBoolean("build_timely", details->build_timely);
+  if (details->build_timely) {
+    dict->SetString("ct_compliance_status",
+                    ComplianceStatusToString(details->status));
+    if (details->whitelist_version.IsValid())
+      dict->SetString("ev_whitelist_version",
+                      details->whitelist_version.GetString());
   }
   return std::move(dict);
 }
 
 // Returns true if all SCTs in |verified_scts| were issued on, or after, the
 // date specified in kDiverseSCTRequirementStartDate
 bool AllSCTsPastDistinctSCTRequirementEnforcementDate(
     const ct::SCTList& verified_scts) {
   // The date when diverse SCTs requirement is effective from.
   // 2015-07-01 00:00:00 UTC.
@@ skipping 20 matching lines @@
     cert_in_ev_whitelist = ev_whitelist->ContainsCertificateHash(truncated_fp);
 
     UMA_HISTOGRAM_BOOLEAN("Net.SSL_EVCertificateInWhitelist",
                           cert_in_ev_whitelist);
   }
   return cert_in_ev_whitelist;
 }
 
 void CheckCTEVPolicyCompliance(X509Certificate* cert,
                                const ct::EVCertsWhitelist* ev_whitelist,
-                               const ct::CTVerifyResult& ct_result,
+                               const ct::SCTList& verified_scts,
                                ComplianceDetails* result) {
-  result->ct_presence_required = true;
-
   if (!IsBuildTimely())
     return;
   result->build_timely = true;
 
   if (ev_whitelist && ev_whitelist->IsValid())
     result->whitelist_version = ev_whitelist->Version();
 
   if (IsCertificateInWhitelist(*cert, ev_whitelist)) {
     result->status = CT_IN_WHITELIST;
     return;
   }
 
-  if (!HasRequiredNumberOfSCTs(*cert, ct_result)) {
+  if (!HasRequiredNumberOfSCTs(*cert, verified_scts)) {
     result->status = CT_NOT_COMPLIANT;
     return;
   }
 
-  if (AllSCTsPastDistinctSCTRequirementEnforcementDate(
-          ct_result.verified_scts) &&
-      !HasEnoughDiverseSCTs(ct_result.verified_scts)) {
+  if (AllSCTsPastDistinctSCTRequirementEnforcementDate(verified_scts) &&
+      !HasEnoughDiverseSCTs(verified_scts)) {
     result->status = CT_NOT_ENOUGH_DIVERSE_SCTS;
     return;
   }
 
   result->status = CT_ENOUGH_SCTS;
 }
 
 }  // namespace
 
-bool CTPolicyEnforcer::DoesConformToCTEVPolicy(
+ct::EVPolicyCompliance CTPolicyEnforcer::DoesConformToCTEVPolicy(
     X509Certificate* cert,
     const ct::EVCertsWhitelist* ev_whitelist,
-    const ct::CTVerifyResult& ct_result,
+    const ct::SCTList& verified_scts,
     const BoundNetLog& net_log) {
   ComplianceDetails details;
 
-  CheckCTEVPolicyCompliance(cert, ev_whitelist, ct_result, &details);
+  CheckCTEVPolicyCompliance(cert, ev_whitelist, verified_scts, &details);
 
   NetLog::ParametersCallback net_log_callback =
       base::Bind(&NetLogComplianceCheckResultCallback, base::Unretained(cert),
                  base::Unretained(&details));
 
   net_log.AddEvent(NetLog::TYPE_EV_CERT_CT_COMPLIANCE_CHECKED,
                    net_log_callback);
 
-  if (!details.ct_presence_required)
-    return true;
+  if (!details.build_timely)
+    return ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY;
 
-  if (!details.build_timely)
-    return false;
+  LogCTEVComplianceStatusToUMA(details.status, ev_whitelist);
 
-  LogCTComplianceStatusToUMA(details.status, ev_whitelist);
+  switch (details.status) {
+    case CT_NOT_COMPLIANT:
+      return ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS;
+    case CT_IN_WHITELIST:
+      return ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST;
+    case CT_ENOUGH_SCTS:
+      return ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS;
+    case CT_NOT_ENOUGH_DIVERSE_SCTS:
+      return ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS;
+    case CT_COMPLIANCE_MAX:
+      return ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
+  }
 
-  if (details.status == CT_IN_WHITELIST || details.status == CT_ENOUGH_SCTS)
-    return true;
-
-  return false;
+  return ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
 }
 
 }  // namespace net