| OLD | NEW |
|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/multi_log_ct_verifier.h" | 5 #include "net/cert/multi_log_ct_verifier.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/bind.h" | 9 #include "base/bind.h" |
| 10 #include "base/callback_helpers.h" | 10 #include "base/callback_helpers.h" |
| 11 #include "base/metrics/histogram_macros.h" | 11 #include "base/metrics/histogram_macros.h" |
| 12 #include "base/values.h" | 12 #include "base/values.h" |
| 13 #include "net/base/net_errors.h" | 13 #include "net/base/net_errors.h" |
| 14 #include "net/cert/ct_log_verifier.h" | 14 #include "net/cert/ct_log_verifier.h" |
| 15 #include "net/cert/ct_objects_extractor.h" | 15 #include "net/cert/ct_objects_extractor.h" |
| 16 #include "net/cert/ct_serialization.h" | 16 #include "net/cert/ct_serialization.h" |
| 17 #include "net/cert/ct_signed_certificate_timestamp_log_param.h" | 17 #include "net/cert/ct_signed_certificate_timestamp_log_param.h" |
| 18 #include "net/cert/ct_verify_result.h" | 18 #include "net/cert/ct_verify_result.h" |
| 19 #include "net/cert/sct_status_flags.h" | 19 #include "net/cert/sct_status_flags.h" |
| 20 #include "net/cert/x509_certificate.h" | 20 #include "net/cert/x509_certificate.h" |
| 21 #include "net/log/net_log.h" | 21 #include "net/log/net_log.h" |
| 22 | 22 |
| 23 namespace net { | 23 namespace net { |
| 24 | 24 |
| 25 namespace { | 25 namespace { |
| 26 | 26 |
| 27 // Record SCT verification status. This metric would help detecting presence | 27 // Record SCT verification status. This metric would help detecting presence |
| 28 // of unknown CT logs as well as bad deployments (invalid SCTs). | 28 // of unknown CT logs as well as bad deployments (invalid SCTs). |
| 29 void LogSCTStatusToUMA(ct::SCTVerifyStatus status) { | 29 void LogSCTStatusToUMA(ct::SCTVerifyStatus status) { |
| 30 UMA_HISTOGRAM_ENUMERATION( | 30 // Note SCT_STATUS_MAX + 1 is passed to the UMA_HISTOGRAM_ENUMERATION as that |
| 31 "Net.CertificateTransparency.SCTStatus", status, ct::SCT_STATUS_MAX); | 31 // macro requires the values to be strictly less than the boundary value, |
| 32 // and SCT_STATUS_MAX is the last valid value of the SCTVerifyStatus enum |
| 33 // (since that enum is used for IPC as well). |
| 34 UMA_HISTOGRAM_ENUMERATION("Net.CertificateTransparency.SCTStatus", status, |
| 35 ct::SCT_STATUS_MAX + 1); |
| 32 } | 36 } |
| 33 | 37 |
| 34 // Record SCT origin enum. This metric measure the popularity | 38 // Record SCT origin enum. This metric measure the popularity |
| 35 // of the various channels of providing SCTs for a certificate. | 39 // of the various channels of providing SCTs for a certificate. |
| 36 void LogSCTOriginToUMA(ct::SignedCertificateTimestamp::Origin origin) { | 40 void LogSCTOriginToUMA(ct::SignedCertificateTimestamp::Origin origin) { |
| 37 UMA_HISTOGRAM_ENUMERATION("Net.CertificateTransparency.SCTOrigin", | 41 UMA_HISTOGRAM_ENUMERATION("Net.CertificateTransparency.SCTOrigin", |
| 38 origin, | 42 origin, |
| 39 ct::SignedCertificateTimestamp::SCT_ORIGIN_MAX); | 43 ct::SignedCertificateTimestamp::SCT_ORIGIN_MAX); |
| 40 } | 44 } |
| 41 | 45 |
| (...skipping 150 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 192 if (it == logs_.end()) { | 196 if (it == logs_.end()) { |
| 193 DVLOG(1) << "SCT does not match any known log."; | 197 DVLOG(1) << "SCT does not match any known log."; |
| 194 AddSCTAndLogStatus(sct, ct::SCT_STATUS_LOG_UNKNOWN, &(result->scts)); | 198 AddSCTAndLogStatus(sct, ct::SCT_STATUS_LOG_UNKNOWN, &(result->scts)); |
| 195 return false; | 199 return false; |
| 196 } | 200 } |
| 197 | 201 |
| 198 sct->log_description = it->second->description(); | 202 sct->log_description = it->second->description(); |
| 199 | 203 |
| 200 if (!it->second->Verify(expected_entry, *sct.get())) { | 204 if (!it->second->Verify(expected_entry, *sct.get())) { |
| 201 DVLOG(1) << "Unable to verify SCT signature."; | 205 DVLOG(1) << "Unable to verify SCT signature."; |
| 202 AddSCTAndLogStatus(sct, ct::SCT_STATUS_INVALID, &(result->scts)); | 206 AddSCTAndLogStatus(sct, ct::SCT_STATUS_INVALID_SIGNATURE, &(result->scts)); |
| 203 return false; | 207 return false; |
| 204 } | 208 } |
| 205 | 209 |
| 206 // SCT verified ok, just make sure the timestamp is legitimate. | 210 // SCT verified ok, just make sure the timestamp is legitimate. |
| 207 if (sct->timestamp > base::Time::Now()) { | 211 if (sct->timestamp > base::Time::Now()) { |
| 208 DVLOG(1) << "SCT is from the future!"; | 212 DVLOG(1) << "SCT is from the future!"; |
| 209 AddSCTAndLogStatus(sct, ct::SCT_STATUS_INVALID, &(result->scts)); | 213 AddSCTAndLogStatus(sct, ct::SCT_STATUS_INVALID_TIMESTAMP, &(result->scts)); |
| 210 return false; | 214 return false; |
| 211 } | 215 } |
| 212 | 216 |
| 213 AddSCTAndLogStatus(sct, ct::SCT_STATUS_OK, &(result->scts)); | 217 AddSCTAndLogStatus(sct, ct::SCT_STATUS_OK, &(result->scts)); |
| 214 if (observer_) | 218 if (observer_) |
| 215 observer_->OnSCTVerified(cert, sct.get()); | 219 observer_->OnSCTVerified(cert, sct.get()); |
| 216 return true; | 220 return true; |
| 217 } | 221 } |
| 218 | 222 |
| 219 } // namespace net | 223 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2241213002:
Distinguish between SCT invalidity reasons in UMA (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master