Require Certificate Transparency for Symantec-operated roots

net/http/transport_security_state.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_state.h"
 
 #include <algorithm>
 #include <memory>
 #include <utility>
 #include <vector>
@@ skipping 17 matching lines @@
 #include "net/cert/x509_cert_types.h"
 #include "net/cert/x509_certificate.h"
 #include "net/dns/dns_util.h"
 #include "net/http/http_security_headers.h"
 #include "net/ssl/ssl_info.h"
 
 namespace net {
 
 namespace {
 
+#include "net/http/transport_security_state_ct_policies.inc"
 #include "net/http/transport_security_state_static.h"
 
 const size_t kMaxHPKPReportCacheEntries = 50;
 const int kTimeToRememberHPKPReportsMins = 60;
 const size_t kReportCacheKeyLength = 16;
 
 // Override for ShouldRequireCT() for unit tests. Possible values:
 //  -1: Unless a delegate says otherwise, do not require CT.
 //   0: Use the default implementation (e.g. production)
 //   1: Unless a delegate says otherwise, require CT.
 int g_ct_required_for_testing = 0;
 
+// LessThan comparator for use with std::binary_search() in determining
+// whether a SHA-256 HashValue appears within a sorted array of
+// SHA256HashValues.
+struct SHA256ToHashValueComparator {
+  bool operator()(const SHA256HashValue& lhs, const HashValue& rhs) const {
+    DCHECK(rhs.tag == HASH_VALUE_SHA256);

[eroman, 2016/06/29 23:22:21]

dcheck_eq (and below)

+    return memcmp(lhs.data, rhs.data(), rhs.size()) < 0;
+  }
+
+  bool operator()(const HashValue& lhs, const SHA256HashValue& rhs) const {
+    DCHECK(lhs.tag == HASH_VALUE_SHA256);
+    return memcmp(lhs.data(), rhs.data, lhs.size()) < 0;
+  }
+};
+
 void RecordUMAForHPKPReportFailure(const GURL& report_uri, int net_error) {
   UMA_HISTOGRAM_SPARSE_SLOWLY("Net.PublicKeyPinReportSendingFailure",
                               net_error);
 }
 
 std::string TimeToISO8601(const base::Time& t) {
   base::Time::Exploded exploded;
   t.UTCExplode(&exploded);
   return base::StringPrintf(
       "%04d-%02d-%02dT%02d:%02d:%02d.%03dZ", exploded.year, exploded.month,
@@ skipping 655 matching lines @@
   CTRequirementLevel ct_required = CTRequirementLevel::DEFAULT;
   if (require_ct_delegate_)
     ct_required = require_ct_delegate_->IsCTRequiredForHost(hostname);
   if (ct_required != CTRequirementLevel::DEFAULT)
     return ct_required == CTRequirementLevel::REQUIRED;
 
   // Allow unittests to override the default result.
   if (g_ct_required_for_testing)
     return g_ct_required_for_testing == 1;
 
-  return false;
+  bool default_response = false;
+  const base::Time epoch = base::Time::UnixEpoch();
+  for (const auto& restricted_ca : kCTRequiredPolicies) {
+    if (epoch + restricted_ca.effective_date >
+        validated_certificate_chain->valid_start()) {
+      // The candidate cert is not be subject to the CT policy, because it

[eroman, 2016/06/29 23:22:21]

Is there anything preventing re-issuing the target certificate with an earlier
notBefore to game this?

[Ryan Sleevi, 2016/06/30 00:03:20]

Unfortunately, no, and that's legitimately my biggest concern (and what occupied
a lot of time in handling this). The answer is that we're going to address it in
the CA/Browser Forum, but Symantec's audits presently declare they haven't gamed
the system (in the past year). They totally have before though.

+      // was issued before the effective CT date.
+      continue;
+    }
+
+    for (const auto& hash : public_key_hashes) {
+      if (hash.tag != HASH_VALUE_SHA256)
+        continue;
+
+      // Determine if |hash| is in the set of roots of |restricted_ca|.
+      if (!std::binary_search(restricted_ca.roots,
+                              restricted_ca.roots + restricted_ca.roots_length,
+                              hash, SHA256ToHashValueComparator())) {
+        continue;
+      }
+
+      // Found a match, indicating this certificate is potentially
+      // restricted. Determine if any of the hashes are on the exclusion
+      // list as exempt from the CT requirement.
+      for (const auto& sub_ca_hash : public_key_hashes) {
+        if (sub_ca_hash.tag != HASH_VALUE_SHA256)
+          continue;
+        if (std::binary_search(
+                restricted_ca.exceptions,
+                restricted_ca.exceptions + restricted_ca.exceptions_length,
+                sub_ca_hash, SHA256ToHashValueComparator())) {
+          // Found an excluded sub-CA; CT is not required.
+          return default_response;
+        }
+      }
+
+      // No exception found. This certificate must conform to the CT policy.
+      return true;
+    }
+  }
+
+  return default_response;
 }
 
 void TransportSecurityState::SetDelegate(
     TransportSecurityState::Delegate* delegate) {
   DCHECK(CalledOnValidThread());
   delegate_ = delegate;
 }
 
 void TransportSecurityState::SetReportSender(
     TransportSecurityState::ReportSenderInterface* report_sender) {
@@ skipping 700 matching lines @@
 TransportSecurityState::PKPStateIterator::PKPStateIterator(
     const TransportSecurityState& state)
     : iterator_(state.enabled_pkp_hosts_.begin()),
       end_(state.enabled_pkp_hosts_.end()) {
 }
 
 TransportSecurityState::PKPStateIterator::~PKPStateIterator() {
 }
 
 }  // namespace