Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(402)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/cert/ct_policy_enforcer.cc

Issue 1652603002: Add information to SSLInfo about CT EV policy compliance (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: expand a comment Created 4 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« net/cert/ct_policy_enforcer.h ('K') | « net/cert/ct_policy_enforcer.h ('k') | net/cert/ct_policy_enforcer_unittest.cc » ('j') | net/cert/ct_verify_result.h » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/cert/ct_policy_enforcer.cc
diff --git a/net/cert/ct_policy_enforcer.cc b/net/cert/ct_policy_enforcer.cc
index d9c92421bf86e0ba4d7d101e07268769ad1dd137..b99d3e8ebc9b18b827e72cf04207a4887d0fe348 100644
--- a/net/cert/ct_policy_enforcer.cc
+++ b/net/cert/ct_policy_enforcer.cc
@@ -82,11 +82,10 @@ void RoundedDownMonthDifference(const base::Time& start,
}
bool HasRequiredNumberOfSCTs(const X509Certificate& cert,
- const ct::CTVerifyResult& ct_result) {
- size_t num_valid_scts = ct_result.verified_scts.size();
+ const ct::SCTList& verified_scts) {
+ size_t num_valid_scts = verified_scts.size();
size_t num_embedded_scts = base::checked_cast<size_t>(
- std::count_if(ct_result.verified_scts.begin(),
- ct_result.verified_scts.end(), IsEmbeddedSCT));
+ std::count_if(verified_scts.begin(), verified_scts.end(), IsEmbeddedSCT));
size_t num_non_embedded_scts = num_valid_scts - num_embedded_scts;
// If at least two valid SCTs were delivered by means other than embedding
@@ -170,8 +169,8 @@ enum EVWhitelistStatus {
EV_WHITELIST_MAX,
};
-void LogCTComplianceStatusToUMA(CTComplianceStatus status,
- const ct::EVCertsWhitelist* ev_whitelist) {
+void LogCTEVComplianceStatusToUMA(CTComplianceStatus status,
+ const ct::EVCertsWhitelist* ev_whitelist) {
UMA_HISTOGRAM_ENUMERATION("Net.SSL_EVCertificateCTCompliance", status,
CT_COMPLIANCE_MAX);
if (status == CT_NOT_COMPLIANT) {
@@ -189,18 +188,11 @@ void LogCTComplianceStatusToUMA(CTComplianceStatus status,
}
struct ComplianceDetails {
- ComplianceDetails()
- : ct_presence_required(false),
- build_timely(false),
- status(CT_NOT_COMPLIANT) {}
-
- // Whether enforcement of the policy was required or not.
- bool ct_presence_required;
- // Whether the build is not older than 10 weeks. The value is meaningful only
- // if |ct_presence_required| is true.
+ ComplianceDetails() : build_timely(false), status(CT_NOT_COMPLIANT) {}
+
+ // Whether the build is not older than 10 weeks.
bool build_timely;
- // Compliance status - meaningful only if |ct_presence_required| and
- // |build_timely| are true.
+ // Compliance status - meaningful only if |build_timely| is true.
CTComplianceStatus status;
// EV whitelist version.
base::Version whitelist_version;
@@ -212,17 +204,14 @@ scoped_ptr<base::Value> NetLogComplianceCheckResultCallback(
NetLogCaptureMode capture_mode) {
scoped_ptr<base::DictionaryValue> dict(new base::DictionaryValue());
dict->Set("certificate", NetLogX509CertificateCallback(cert, capture_mode));
- dict->SetBoolean("policy_enforcement_required",
- details->ct_presence_required);
- if (details->ct_presence_required) {
- dict->SetBoolean("build_timely", details->build_timely);
- if (details->build_timely) {
- dict->SetString("ct_compliance_status",
- ComplianceStatusToString(details->status));
- if (details->whitelist_version.IsValid())
- dict->SetString("ev_whitelist_version",
- details->whitelist_version.GetString());
- }
+ dict->SetBoolean("policy_enforcement_required", true);
+ dict->SetBoolean("build_timely", details->build_timely);
+ if (details->build_timely) {
+ dict->SetString("ct_compliance_status",
+ ComplianceStatusToString(details->status));
+ if (details->whitelist_version.IsValid())
+ dict->SetString("ev_whitelist_version",
+ details->whitelist_version.GetString());
}
return std::move(dict);
}
@@ -263,10 +252,8 @@ bool IsCertificateInWhitelist(const X509Certificate& cert,
void CheckCTEVPolicyCompliance(X509Certificate* cert,
const ct::EVCertsWhitelist* ev_whitelist,
- const ct::CTVerifyResult& ct_result,
+ const ct::SCTList& verified_scts,
ComplianceDetails* result) {
- result->ct_presence_required = true;
-
if (!IsBuildTimely())
return;
result->build_timely = true;
@@ -279,14 +266,13 @@ void CheckCTEVPolicyCompliance(X509Certificate* cert,
return;
}
- if (!HasRequiredNumberOfSCTs(*cert, ct_result)) {
+ if (!HasRequiredNumberOfSCTs(*cert, verified_scts)) {
result->status = CT_NOT_COMPLIANT;
return;
}
- if (AllSCTsPastDistinctSCTRequirementEnforcementDate(
- ct_result.verified_scts) &&
- !HasEnoughDiverseSCTs(ct_result.verified_scts)) {
+ if (AllSCTsPastDistinctSCTRequirementEnforcementDate(verified_scts) &&
+ !HasEnoughDiverseSCTs(verified_scts)) {
result->status = CT_NOT_ENOUGH_DIVERSE_SCTS;
return;
}
@@ -296,14 +282,14 @@ void CheckCTEVPolicyCompliance(X509Certificate* cert,
} // namespace
-bool CTPolicyEnforcer::DoesConformToCTEVPolicy(
+CTPolicyEnforcer::EVPolicyCompliance CTPolicyEnforcer::DoesConformToCTEVPolicy(
X509Certificate* cert,
const ct::EVCertsWhitelist* ev_whitelist,
- const ct::CTVerifyResult& ct_result,
+ const ct::SCTList& verified_scts,
const BoundNetLog& net_log) {
ComplianceDetails details;
- CheckCTEVPolicyCompliance(cert, ev_whitelist, ct_result, &details);
+ CheckCTEVPolicyCompliance(cert, ev_whitelist, verified_scts, &details);
NetLog::ParametersCallback net_log_callback =
base::Bind(&NetLogComplianceCheckResultCallback, base::Unretained(cert),
@@ -312,18 +298,25 @@ bool CTPolicyEnforcer::DoesConformToCTEVPolicy(
net_log.AddEvent(NetLog::TYPE_EV_CERT_CT_COMPLIANCE_CHECKED,
net_log_callback);
- if (!details.ct_presence_required)
- return true;
-
if (!details.build_timely)
- return false;
+ return EV_POLICY_BUILD_NOT_TIMELY;
- LogCTComplianceStatusToUMA(details.status, ev_whitelist);
+ LogCTEVComplianceStatusToUMA(details.status, ev_whitelist);
- if (details.status == CT_IN_WHITELIST || details.status == CT_ENOUGH_SCTS)
- return true;
+ switch (details.status) {
+ case CT_NOT_COMPLIANT:
+ return EV_POLICY_NOT_ENOUGH_SCTS;
+ case CT_IN_WHITELIST:
+ return EV_POLICY_COMPLIES_VIA_WHITELIST;
+ case CT_ENOUGH_SCTS:
+ return EV_POLICY_COMPLIES_VIA_SCTS;
+ case CT_NOT_ENOUGH_DIVERSE_SCTS:
+ return EV_POLICY_NOT_DIVERSE_SCTS;
+ case CT_COMPLIANCE_MAX:
+ return EV_POLICY_DOES_NOT_APPLY;
+ }
- return false;
+ return EV_POLICY_DOES_NOT_APPLY;
}
} // namespace net
« net/cert/ct_policy_enforcer.h ('K') | « net/cert/ct_policy_enforcer.h ('k') | net/cert/ct_policy_enforcer_unittest.cc » ('j') | net/cert/ct_verify_result.h » ('J')

Powered by Google App Engine
This is Rietveld 408576698