Mark the Certly.io log as disqualified, as of April 15 2016

net/cert/ct_policy_enforcer.cc

Index: net/cert/ct_policy_enforcer.cc
diff --git a/net/cert/ct_policy_enforcer.cc b/net/cert/ct_policy_enforcer.cc
index 5d76a0d7915abd984eba0594385006fa08ffaec9..6b82f15007815aeef9774d31d0ac192f211b0153 100644
--- a/net/cert/ct_policy_enforcer.cc
+++ b/net/cert/ct_policy_enforcer.cc
@@ -213,12 +213,16 @@ ct::CertPolicyCompliance CheckCertPolicyCompliance(
   // because SCTs delivered via OCSP/TLS extension will cover the full
   // certificate, which necessarily will exist only after the precertificate
   // has been logged and the actual certificate issued.
-  // Note: Here, issuance date is defined as the earliest of all SCTs, rather
-  // than the latest of embedded SCTs, in order to give CAs the benefit of
-  // the doubt in the event a log is revoked in the midst of processing
-  // a precertificate and issuing the certificate.
-  for (const auto& sct : verified_scts)
+  // Note: Here, issuance date is defined as the earliest of all valid SCTs,
+  // rather than the latest of embedded SCTs, in order to give CAs the
+  // benefit of the doubt in the event a log is revoked in the midst of
+  // processing a precertificate and issuing the certificate.
+  for (const auto& sct : verified_scts) {
+    base::Time unused;

[Eran Messeri, 2016/05/03 11:24:34]

Nit: Why not make the disqualification_date in IsLogDisqualified optional and
pass a nullptr here?

[Ryan Sleevi, 2016/05/04 22:26:45]

That's less performant.

+    if (ct::IsLogDisqualified(sct->log_id, &unused))
+      continue;
     issuance_date = std::min(sct->timestamp, issuance_date);
+  }
 
   bool has_valid_google_sct = false;
   bool has_valid_nongoogle_sct = false;
@@ -228,6 +232,16 @@ ct::CertPolicyCompliance CheckCertPolicyCompliance(
   bool has_embedded_nongoogle_sct = false;
   std::vector<base::StringPiece> embedded_log_ids;
   for (const auto& sct : verified_scts) {
+    base::Time disqualification_date;
+    bool is_disqualified =
+        ct::IsLogDisqualified(sct->log_id, &disqualification_date);
+    if (is_disqualified &&
+        sct->origin != ct::SignedCertificateTimestamp::SCT_EMBEDDED) {
+      // For OCSP and TLS delivered SCTs, only SCTs that are valid at the
+      // time of check are accepted.
+      continue;
+    }
+
     if (ct::IsLogOperatedByGoogle(sct->log_id)) {
       has_valid_google_sct = true;
       if (sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED)
@@ -240,8 +254,15 @@ ct::CertPolicyCompliance CheckCertPolicyCompliance(
     if (sct->origin != ct::SignedCertificateTimestamp::SCT_EMBEDDED) {
       has_valid_nonembedded_sct = true;
     } else {
-      has_valid_embedded_sct = true;
-      embedded_log_ids.push_back(sct->log_id);
+      if (!is_disqualified)
+        has_valid_embedded_sct = true;
+      // If the log is disqualified, it only counts towards quorum if
+      // the certificate was issued before the log was disqualified, and the
+      // SCT was obtained before the log was disqualified.
+      if (!is_disqualified || (issuance_date < disqualification_date &&
+                               sct->timestamp < disqualification_date)) {
+        embedded_log_ids.push_back(sct->log_id);
+      }
     }
   }