OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/ct_policy_enforcer.h" | 5 #include "net/cert/ct_policy_enforcer.h" |
6 | 6 |
7 #include <stdint.h> | 7 #include <stdint.h> |
8 | 8 |
9 #include <algorithm> | 9 #include <algorithm> |
10 #include <memory> | 10 #include <memory> |
213 // a log was qualified or pending qualification at time of issuance (in the | 213 // a log was qualified or pending qualification at time of issuance (in the |
214 // case of embedded SCTs). It's acceptable to ignore the origin of the SCT, | 214 // case of embedded SCTs). It's acceptable to ignore the origin of the SCT, |
215 // because SCTs delivered via OCSP/TLS extension will cover the full | 215 // because SCTs delivered via OCSP/TLS extension will cover the full |
216 // certificate, which necessarily will exist only after the precertificate | 216 // certificate, which necessarily will exist only after the precertificate |
217 // has been logged and the actual certificate issued. | 217 // has been logged and the actual certificate issued. |
218 // Note: Here, issuance date is defined as the earliest of all SCTs, rather | 218 // Note: Here, issuance date is defined as the earliest of all SCTs, rather |
219 // than the latest of embedded SCTs, in order to give CAs the benefit of | 219 // than the latest of embedded SCTs, in order to give CAs the benefit of |
220 // the doubt in the event a log is revoked in the midst of processing | 220 // the doubt in the event a log is revoked in the midst of processing |
221 // a precertificate and issuing the certificate. | 221 // a precertificate and issuing the certificate. |
222 base::Time issuance_date = base::Time::Max(); | 222 base::Time issuance_date = base::Time::Max(); |
223 for (const auto& sct : verified_scts) | 223 for (const auto& sct : verified_scts) { |
| 224 base::Time unused; |
| 225 if (ct::IsLogDisqualified(sct->log_id, &unused)) |
| 226 continue; |
224 issuance_date = std::min(sct->timestamp, issuance_date); | 227 issuance_date = std::min(sct->timestamp, issuance_date); |
| 228 } |
225 | 229 |
226 bool has_valid_google_sct = false; | 230 bool has_valid_google_sct = false; |
227 bool has_valid_nongoogle_sct = false; | 231 bool has_valid_nongoogle_sct = false; |
228 bool has_valid_embedded_sct = false; | 232 bool has_valid_embedded_sct = false; |
229 bool has_valid_nonembedded_sct = false; | 233 bool has_valid_nonembedded_sct = false; |
230 bool has_embedded_google_sct = false; | 234 bool has_embedded_google_sct = false; |
231 bool has_embedded_nongoogle_sct = false; | 235 bool has_embedded_nongoogle_sct = false; |
232 std::vector<base::StringPiece> embedded_log_ids; | 236 std::vector<base::StringPiece> embedded_log_ids; |
233 for (const auto& sct : verified_scts) { | 237 for (const auto& sct : verified_scts) { |
| 238 base::Time disqualification_date; |
| 239 bool is_disqualified = |
| 240 ct::IsLogDisqualified(sct->log_id, &disqualification_date); |
| 241 if (is_disqualified && |
| 242 sct->origin != ct::SignedCertificateTimestamp::SCT_EMBEDDED) { |
| 243 // For OCSP and TLS delivered SCTs, only SCTs that are valid at the |
| 244 // time of check are accepted. |
| 245 continue; |
| 246 } |
| 247 |
234 if (ct::IsLogOperatedByGoogle(sct->log_id)) { | 248 if (ct::IsLogOperatedByGoogle(sct->log_id)) { |
235 has_valid_google_sct = true; | 249 has_valid_google_sct |= !is_disqualified; |
236 if (sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED) | 250 if (sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED) |
237 has_embedded_google_sct = true; | 251 has_embedded_google_sct = true; |
238 } else { | 252 } else { |
239 has_valid_nongoogle_sct = true; | 253 has_valid_nongoogle_sct |= !is_disqualified; |
240 if (sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED) | 254 if (sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED) |
241 has_embedded_nongoogle_sct = true; | 255 has_embedded_nongoogle_sct = true; |
242 } | 256 } |
243 if (sct->origin != ct::SignedCertificateTimestamp::SCT_EMBEDDED) { | 257 if (sct->origin != ct::SignedCertificateTimestamp::SCT_EMBEDDED) { |
244 has_valid_nonembedded_sct = true; | 258 has_valid_nonembedded_sct = true; |
245 } else { | 259 } else { |
246 has_valid_embedded_sct = true; | 260 has_valid_embedded_sct |= !is_disqualified; |
247 embedded_log_ids.push_back(sct->log_id); | 261 // If the log is disqualified, it only counts towards quorum if |
| 262 // the certificate was issued before the log was disqualified, and the |
| 263 // SCT was obtained before the log was disqualified. |
| 264 if (!is_disqualified || (issuance_date < disqualification_date && |
| 265 sct->timestamp < disqualification_date)) { |
| 266 embedded_log_ids.push_back(sct->log_id); |
| 267 } |
248 } | 268 } |
249 } | 269 } |
250 | 270 |
251 // Option 1: | 271 // Option 1: |
252 // An SCT presented via the TLS extension OR embedded within a stapled OCSP | 272 // An SCT presented via the TLS extension OR embedded within a stapled OCSP |
253 // response is from a log qualified at time of check; | 273 // response is from a log qualified at time of check; |
254 // AND there is at least one SCT from a Google Log that is qualified at | 274 // AND there is at least one SCT from a Google Log that is qualified at |
255 // time of check, presented via any method; | 275 // time of check, presented via any method; |
256 // AND there is at least one SCT from a non-Google Log that is qualified | 276 // AND there is at least one SCT from a non-Google Log that is qualified |
257 // at the time of check, presented via any method. | 277 // at the time of check, presented via any method. |
429 | 449 |
430 if (!details.build_timely) | 450 if (!details.build_timely) |
431 return ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY; | 451 return ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY; |
432 | 452 |
433 LogEVPolicyComplianceToUMA(details.status, ev_whitelist); | 453 LogEVPolicyComplianceToUMA(details.status, ev_whitelist); |
434 | 454 |
435 return details.status; | 455 return details.status; |
436 } | 456 } |
437 | 457 |
438 } // namespace net | 458 } // namespace net |
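Review bot: At new lines 251 and 255, `has_embedded_google_sct` and `has_embedded_nongoogle_sct` are still set to true for any embedded SCT from a disqualified log, while `embedded_log_ids` at new lines 264-266 only admits such an SCT when both the issuance date and the SCT timestamp precede the disqualification date. If the embedded-SCT check in the skipped lines uses these flags for the Google/non-Google diversity requirement, an embedded SCT timestamped after its log was disqualified could satisfy diversity without counting towards quorum; this should be confirmed against that check. Computing the predicate once and applying it to both the flags and the quorum list would keep the two consistent. The comment at new lines 218-221 still defines issuance date as the earliest of all SCTs, although the loop at new lines 223-228 now skips disqualified logs, and should be updated. The enclosing function starts and ends outside the visible lines.

```cpp
    // … unchanged: IsLogDisqualified lookup and the skip for non-embedded SCTs …
    const bool is_embedded =
        sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED;
    // An embedded SCT from a disqualified log counts only if both the
    // certificate and the SCT predate the disqualification.
    const bool counts_as_embedded =
        is_embedded &&
        (!is_disqualified || (issuance_date < disqualification_date &&
                              sct->timestamp < disqualification_date));
    if (ct::IsLogOperatedByGoogle(sct->log_id)) {
      has_valid_google_sct |= !is_disqualified;
      has_embedded_google_sct |= counts_as_embedded;
    } else {
      has_valid_nongoogle_sct |= !is_disqualified;
      has_embedded_nongoogle_sct |= counts_as_embedded;
    }
    // … unchanged: has_valid_nonembedded_sct / has_valid_embedded_sct updates …
    if (counts_as_embedded)
      embedded_log_ids.push_back(sct->log_id);
```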
OLD | NEW |