1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/ct_policy_enforcer.h" | 5 #include "net/cert/ct_policy_enforcer.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <memory> | 8 #include <memory> |
9 #include <utility> | 9 #include <utility> |
10 | 10 |
206 return ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS; | 206 return ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS; |
207 } | 207 } |
208 | 208 |
209 // Scan for the earliest SCT. This is used to determine whether to enforce | 209 // Scan for the earliest SCT. This is used to determine whether to enforce |
210 // log diversity requirements, as well as whether to enforce whether or not | 210 // log diversity requirements, as well as whether to enforce whether or not |
211 // a log was qualified or pending qualification at time of issuance (in the | 211 // a log was qualified or pending qualification at time of issuance (in the |
212 // case of embedded SCTs). It's acceptable to ignore the origin of the SCT, | 212 // case of embedded SCTs). It's acceptable to ignore the origin of the SCT, |
213 // because SCTs delivered via OCSP/TLS extension will cover the full | 213 // because SCTs delivered via OCSP/TLS extension will cover the full |
214 // certificate, which necessarily will exist only after the precertificate | 214 // certificate, which necessarily will exist only after the precertificate |
215 // has been logged and the actual certificate issued. | 215 // has been logged and the actual certificate issued. |
216 // Note: Here, issuance date is defined as the earliest of all SCTs, rather | 216 // Note: Here, issuance date is defined as the earliest of all valid SCTs, |
217 // than the latest of embedded SCTs, in order to give CAs the benefit of | 217 // rather than the latest of embedded SCTs, in order to give CAs the |
218 // the doubt in the event a log is revoked in the midst of processing | 218 // benefit of the doubt in the event a log is revoked in the midst of |
219 // a precertificate and issuing the certificate. | 219 // processing a precertificate and issuing the certificate. |
220 for (const auto& sct : verified_scts) | 220 for (const auto& sct : verified_scts) { |
221 base::Time unused; | |
Eran Messeri
2016/05/03 11:24:34
Nit: Why not make the disqualification_date in IsL
Ryan Sleevi
2016/05/04 22:26:45
That's less performant.
| |
222 if (ct::IsLogDisqualified(sct->log_id, &unused)) | |
223 continue; | |
221 issuance_date = std::min(sct->timestamp, issuance_date); | 224 issuance_date = std::min(sct->timestamp, issuance_date); |
225 } | |
222 | 226 |
223 bool has_valid_google_sct = false; | 227 bool has_valid_google_sct = false; |
224 bool has_valid_nongoogle_sct = false; | 228 bool has_valid_nongoogle_sct = false; |
225 bool has_valid_embedded_sct = false; | 229 bool has_valid_embedded_sct = false; |
226 bool has_valid_nonembedded_sct = false; | 230 bool has_valid_nonembedded_sct = false; |
227 bool has_embedded_google_sct = false; | 231 bool has_embedded_google_sct = false; |
228 bool has_embedded_nongoogle_sct = false; | 232 bool has_embedded_nongoogle_sct = false; |
229 std::vector<base::StringPiece> embedded_log_ids; | 233 std::vector<base::StringPiece> embedded_log_ids; |
230 for (const auto& sct : verified_scts) { | 234 for (const auto& sct : verified_scts) { |
235 base::Time disqualification_date; | |
236 bool is_disqualified = | |
237 ct::IsLogDisqualified(sct->log_id, &disqualification_date); | |
238 if (is_disqualified && | |
239 sct->origin != ct::SignedCertificateTimestamp::SCT_EMBEDDED) { | |
240 // For OCSP and TLS delivered SCTs, only SCTs that are valid at the | |
241 // time of check are accepted. | |
242 continue; | |
243 } | |
244 | |
231 if (ct::IsLogOperatedByGoogle(sct->log_id)) { | 245 if (ct::IsLogOperatedByGoogle(sct->log_id)) { |
232 has_valid_google_sct = true; | 246 has_valid_google_sct = true; |
233 if (sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED) | 247 if (sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED) |
234 has_embedded_google_sct = true; | 248 has_embedded_google_sct = true; |
235 } else { | 249 } else { |
236 has_valid_nongoogle_sct = true; | 250 has_valid_nongoogle_sct = true; |
237 if (sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED) | 251 if (sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED) |
238 has_embedded_nongoogle_sct = true; | 252 has_embedded_nongoogle_sct = true; |
239 } | 253 } |
240 if (sct->origin != ct::SignedCertificateTimestamp::SCT_EMBEDDED) { | 254 if (sct->origin != ct::SignedCertificateTimestamp::SCT_EMBEDDED) { |
241 has_valid_nonembedded_sct = true; | 255 has_valid_nonembedded_sct = true; |
242 } else { | 256 } else { |
243 has_valid_embedded_sct = true; | 257 if (!is_disqualified) |
244 embedded_log_ids.push_back(sct->log_id); | 258 has_valid_embedded_sct = true; |
259 // If the log is disqualified, it only counts towards quorum if | |
260 // the certificate was issued before the log was disqualified, and the | |
261 // SCT was obtained before the log was disqualified. | |
262 if (!is_disqualified || (issuance_date < disqualification_date && | |
263 sct->timestamp < disqualification_date)) { | |
264 embedded_log_ids.push_back(sct->log_id); | |
265 } | |
245 } | 266 } |
246 } | 267 } |
247 | 268 |
248 // Option 1: | 269 // Option 1: |
249 // An SCT presented via the TLS extension OR embedded within a stapled OCSP | 270 // An SCT presented via the TLS extension OR embedded within a stapled OCSP |
250 // response is from a log qualified at time of check; | 271 // response is from a log qualified at time of check; |
251 // AND there is at least one SCT from a Google Log that is qualified at | 272 // AND there is at least one SCT from a Google Log that is qualified at |
252 // time of check, presented via any method; | 273 // time of check, presented via any method; |
253 // AND there is at least one SCT from a non-Google Log that is qualified | 274 // AND there is at least one SCT from a non-Google Log that is qualified |
254 // at the time of check, presented via any method. | 275 // at the time of check, presented via any method. |
425 | 446 |
426 if (!details.build_timely) | 447 if (!details.build_timely) |
427 return ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY; | 448 return ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY; |
428 | 449 |
429 LogEVPolicyComplianceToUMA(details.status, ev_whitelist); | 450 LogEVPolicyComplianceToUMA(details.status, ev_whitelist); |
430 | 451 |
431 return details.status; | 452 return details.status; |
432 } | 453 } |
433 | 454 |
434 } // namespace net | 455 } // namespace net |
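Review bot: In the second loop (new lines 245–252) an embedded SCT from a disqualified log still sets `has_valid_google_sct` / `has_valid_nongoogle_sct`, because the `continue` on new line 242 only skips non-embedded SCTs and the Google/non-Google branches never consult `is_disqualified`, unlike the guard the patch adds for `has_valid_embedded_sct` on new line 257. The Option 1 comment (new lines 272–275) describes those flags as "qualified at time of check", so as written an embedded SCT from a disqualified log appears able to satisfy the log-diversity requirement; the code that consumes the flags lies in the skipped region after line 275, so I cannot confirm the effect from this view. If the flags are meant to track only currently-qualified logs, `has_valid_google_sct |= !is_disqualified;` and `has_valid_nongoogle_sct |= !is_disqualified;` would make them consistent with line 257, while `has_embedded_google_sct` / `has_embedded_nongoogle_sct` can keep their unconditional assignment if they are intended to count SCTs that pass the timestamp check on new lines 262–263. The enclosing function starts before line 206 and continues past the Option 1 comment.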