Reland of Mark the Certly.io log as disqualified, as of April 15 2016

net/cert/ct_policy_enforcer.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/ct_policy_enforcer.h"
 
 #include <stdint.h>
 
 #include <algorithm>
 #include <memory>
@@ skipping 202 matching lines @@
   // a log was qualified or pending qualification at time of issuance (in the
   // case of embedded SCTs). It's acceptable to ignore the origin of the SCT,
   // because SCTs delivered via OCSP/TLS extension will cover the full
   // certificate, which necessarily will exist only after the precertificate
   // has been logged and the actual certificate issued.
   // Note: Here, issuance date is defined as the earliest of all SCTs, rather
   // than the latest of embedded SCTs, in order to give CAs the benefit of
   // the doubt in the event a log is revoked in the midst of processing
   // a precertificate and issuing the certificate.
   base::Time issuance_date = base::Time::Max();
-  for (const auto& sct : verified_scts)
+  for (const auto& sct : verified_scts) {
+    base::Time unused;
+    if (ct::IsLogDisqualified(sct->log_id, &unused))
+      continue;
     issuance_date = std::min(sct->timestamp, issuance_date);
+  }
 
   bool has_valid_google_sct = false;
   bool has_valid_nongoogle_sct = false;
   bool has_valid_embedded_sct = false;
   bool has_valid_nonembedded_sct = false;
   bool has_embedded_google_sct = false;
   bool has_embedded_nongoogle_sct = false;
   std::vector<base::StringPiece> embedded_log_ids;
   for (const auto& sct : verified_scts) {
+    base::Time disqualification_date;
+    bool is_disqualified =
+        ct::IsLogDisqualified(sct->log_id, &disqualification_date);
+    if (is_disqualified &&
+        sct->origin != ct::SignedCertificateTimestamp::SCT_EMBEDDED) {
+      // For OCSP and TLS delivered SCTs, only SCTs that are valid at the
+      // time of check are accepted.
+      continue;
+    }
+
     if (ct::IsLogOperatedByGoogle(sct->log_id)) {
-      has_valid_google_sct = true;
+      has_valid_google_sct |= !is_disqualified;
       if (sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED)
         has_embedded_google_sct = true;
     } else {
-      has_valid_nongoogle_sct = true;
+      has_valid_nongoogle_sct |= !is_disqualified;
       if (sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED)
         has_embedded_nongoogle_sct = true;
     }
     if (sct->origin != ct::SignedCertificateTimestamp::SCT_EMBEDDED) {
       has_valid_nonembedded_sct = true;
     } else {
-      has_valid_embedded_sct = true;
-      embedded_log_ids.push_back(sct->log_id);
+      has_valid_embedded_sct |= !is_disqualified;
+      // If the log is disqualified, it only counts towards quorum if
+      // the certificate was issued before the log was disqualified, and the
+      // SCT was obtained before the log was disqualified.
+      if (!is_disqualified || (issuance_date < disqualification_date &&
+                               sct->timestamp < disqualification_date)) {
+        embedded_log_ids.push_back(sct->log_id);
+      }
     }
   }
 
   // Option 1:
   // An SCT presented via the TLS extension OR embedded within a stapled OCSP
   //   response is from a log qualified at time of check;
   // AND there is at least one SCT from a Google Log that is qualified at
   //   time of check, presented via any method;
   // AND there is at least one SCT from a non-Google Log that is qualified
   //   at the time of check, presented via any method.
@@ skipping 171 matching lines @@
 
   if (!details.build_timely)
     return ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY;
 
   LogEVPolicyComplianceToUMA(details.status, ev_whitelist);
 
   return details.status;
 }
 
 }  // namespace net