DO NOT REVIEW: CT policy enforcement WIP

net/cert/ct_known_logs_static.h

Index: net/cert/ct_known_logs_static.h
diff --git a/net/cert/ct_known_logs_static.h b/net/cert/ct_known_logs_static.h
index fd31ba9aa78fc45892d583b0af830fe3a41eb6cc..a5b1b8f2a9238bf4ae28a566b3147ad469434ecb 100644
--- a/net/cert/ct_known_logs_static.h
+++ b/net/cert/ct_known_logs_static.h
@@ -6,14 +6,21 @@
 #define NET_CERT_CT_KNOWN_LOGS_STATIC_H_
 
 #include <stddef.h>
+#include <stdint.h>
 
 struct CTLogInfo {
+  // The DER-encoded SubjectPublicKeyInfo for the log.
   const char* const log_key;
+  // The length, in bytes, of |log_key|.
   const size_t log_key_length;
+  // The user-friendly log name. This will not be translated.
   const char* const log_name;
+  // The API endpoint for the log.
+  // Note: Trailing slashes should be included.
   const char* const log_url;
 };
 
+// The set of all presently-qualifying CT logs.
 const CTLogInfo kCTLogList[] = {
     {"\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86"
      "\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x7d\xa8\x4b\x12\x29\x80\xa3"
@@ -52,15 +59,6 @@ const CTLogInfo kCTLogList[] = {
      "Google 'Rocketeer' log",
      "https://ct.googleapis.com/rocketeer/"},
     {"\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86"
-     "\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x0b\x23\xcb\x85\x62\x98\x61"
-     "\x48\x04\x73\xeb\x54\x5d\xf3\xd0\x07\x8c\x2d\x19\x2d\x8c\x36\xf5\xeb"
-     "\x8f\x01\x42\x0a\x7c\x98\x26\x27\xc1\xb5\xdd\x92\x93\xb0\xae\xf8\x9b"
-     "\x3d\x0c\xd8\x4c\x4e\x1d\xf9\x15\xfb\x47\x68\x7b\xba\x66\xb7\x25\x9c"
-     "\xd0\x4a\xc2\x66\xdb\x48",
-     91,
-     "Certly.IO log",
-     "https://log.certly.io/"},
-    {"\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86"
      "\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x27\x64\x39\x0c\x2d\xdc\x50"
      "\x18\xf8\x21\x00\xa2\x0e\xed\x2c\xea\x3e\x75\xba\x9f\x93\x64\x09\x00"
      "\x11\xc4\x11\x17\xab\x5c\xcf\x0f\x74\xac\xb5\x97\x90\x93\x00\x5b\xb8"
@@ -109,6 +107,36 @@ const CTLogInfo kCTLogList[] = {
      "Symantec 'Vega' log",
      "https://vega.ws.symantec.com/"}};
 
+// Information related to previously-qualified, but now disqualified, CT
+// logs.
+struct DisqualifiedCTLogInfo {
+  // The ID of the log (which is the SHA-256 hash of |log_info.log_key|.
+  // This is used as a key for efficient lookup.
+  const char log_id[33];
+
+  const CTLogInfo log_info;
+
+  // The internal base::Time() serialization of when the log was
+  // disqualified. SCTs embedded in pre-certificates after this date should
+  // not count towards any uniqueness/freshness requirements.
+  const int64_t disqualification_date;

[Eran Messeri, 2016/04/13 16:15:29]

Can the date be specified in a non-internal way? That will allow us to continue
using the open-source Python script for generating this file (while providing
the disqualification information).

[Ryan Sleevi, 2016/04/13 16:29:33]

Can you explain the concern a bit more? I'm loathe to add the complexity to the
Chromium side, and I'd rather keep the full fidelity here.

As far as I can tell, there's no other internal users of the Python script. It
appears to just be used by Chromium. Realistically, that means we should move
the Python script into Chromium, integrate it into the build scripts, and keep
those in sync - presumably, sourcing from the JSON. That way ensures everything
is kept in sync.

I don't think keeping the generator script outside of Chromium is something
sustainable/desirable.

[Eran Messeri, 2016/05/03 11:05:45]

I agree - seems like the generator should be in the Chromium code base.

+};
+
+// The set of all disqualified logs, sorted by |log_id|.
+const DisqualifiedCTLogInfo kDisqualifiedCTLogList[] = {{
+    "\xcd\xb5\x17\x9b\x7f\xc1\xc0\x46\xfe\xea\x31\x13\x6a\x3f\x8f\x00\x2e"
+    "\x61\x82\xfa\xf8\x89\x6f\xec\xc8\xb2\xf5\xb5\xab\x60\x49\x00",
+    {"\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86"
+     "\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x0b\x23\xcb\x85\x62\x98\x61"
+     "\x48\x04\x73\xeb\x54\x5d\xf3\xd0\x07\x8c\x2d\x19\x2d\x8c\x36\xf5\xeb"
+     "\x8f\x01\x42\x0a\x7c\x98\x26\x27\xc1\xb5\xdd\x92\x93\xb0\xae\xf8\x9b"
+     "\x3d\x0c\xd8\x4c\x4e\x1d\xf9\x15\xfb\x47\x68\x7b\xba\x66\xb7\x25\x9c"
+     "\xd0\x4a\xc2\x66\xdb\x48",
+     91, "Certly.IO log", "https://log.certly.io/"},
+    // 2016-04-15 00:00:00 UTC
+    INT64_C(13105152000000000),
+}};
+
 // The list is sorted.
 const char kGoogleLogIDs[][33] = {
     "\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71"