OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/ct_policy_enforcer.h" | 5 #include "net/cert/ct_policy_enforcer.h" |
6 | 6 |
7 #include <stdint.h> | 7 #include <stdint.h> |
8 | 8 |
9 #include <algorithm> | 9 #include <algorithm> |
10 #include <memory> | 10 #include <memory> |
(...skipping 363 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
374 return ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS; | 374 return ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS; |
375 case ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY: | 375 case ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY: |
376 return ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY; | 376 return ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY; |
377 } | 377 } |
378 return ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; | 378 return ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; |
379 } | 379 } |
380 | 380 |
381 void CheckCTEVPolicyCompliance(X509Certificate* cert, | 381 void CheckCTEVPolicyCompliance(X509Certificate* cert, |
382 const ct::EVCertsWhitelist* ev_whitelist, | 382 const ct::EVCertsWhitelist* ev_whitelist, |
383 const ct::SCTList& verified_scts, | 383 const ct::SCTList& verified_scts, |
384 const BoundNetLog& net_log, | 384 const NetLogWithSource& net_log, |
385 EVComplianceDetails* result) { | 385 EVComplianceDetails* result) { |
386 result->status = CertPolicyComplianceToEVPolicyCompliance( | 386 result->status = CertPolicyComplianceToEVPolicyCompliance( |
387 CheckCertPolicyCompliance(*cert, verified_scts)); | 387 CheckCertPolicyCompliance(*cert, verified_scts)); |
388 if (ev_whitelist && ev_whitelist->IsValid()) | 388 if (ev_whitelist && ev_whitelist->IsValid()) |
389 result->whitelist_version = ev_whitelist->Version(); | 389 result->whitelist_version = ev_whitelist->Version(); |
390 | 390 |
391 if (result->status != ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS && | 391 if (result->status != ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS && |
392 IsCertificateInWhitelist(*cert, ev_whitelist)) { | 392 IsCertificateInWhitelist(*cert, ev_whitelist)) { |
393 result->status = ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST; | 393 result->status = ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST; |
394 } | 394 } |
395 } | 395 } |
396 | 396 |
397 } // namespace | 397 } // namespace |
398 | 398 |
399 ct::CertPolicyCompliance CTPolicyEnforcer::DoesConformToCertPolicy( | 399 ct::CertPolicyCompliance CTPolicyEnforcer::DoesConformToCertPolicy( |
400 X509Certificate* cert, | 400 X509Certificate* cert, |
401 const ct::SCTList& verified_scts, | 401 const ct::SCTList& verified_scts, |
402 const BoundNetLog& net_log) { | 402 const NetLogWithSource& net_log) { |
403 // If the build is not timely, no certificate is considered compliant | 403 // If the build is not timely, no certificate is considered compliant |
404 // with CT policy. The reasoning is that, for example, a log might | 404 // with CT policy. The reasoning is that, for example, a log might |
405 // have been pulled and is no longer considered valid; thus, a client | 405 // have been pulled and is no longer considered valid; thus, a client |
406 // needs up-to-date information about logs to consider certificates to | 406 // needs up-to-date information about logs to consider certificates to |
407 // be compliant with policy. | 407 // be compliant with policy. |
408 bool build_timely = IsBuildTimely(); | 408 bool build_timely = IsBuildTimely(); |
409 ct::CertPolicyCompliance compliance; | 409 ct::CertPolicyCompliance compliance; |
410 if (!build_timely) { | 410 if (!build_timely) { |
411 compliance = ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY; | 411 compliance = ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY; |
412 } else { | 412 } else { |
413 compliance = CheckCertPolicyCompliance(*cert, verified_scts); | 413 compliance = CheckCertPolicyCompliance(*cert, verified_scts); |
414 } | 414 } |
415 | 415 |
416 NetLog::ParametersCallback net_log_callback = | 416 NetLog::ParametersCallback net_log_callback = |
417 base::Bind(&NetLogCertComplianceCheckResultCallback, | 417 base::Bind(&NetLogCertComplianceCheckResultCallback, |
418 base::Unretained(cert), build_timely, compliance); | 418 base::Unretained(cert), build_timely, compliance); |
419 | 419 |
420 net_log.AddEvent(NetLogEventType::CERT_CT_COMPLIANCE_CHECKED, | 420 net_log.AddEvent(NetLogEventType::CERT_CT_COMPLIANCE_CHECKED, |
421 net_log_callback); | 421 net_log_callback); |
422 | 422 |
423 return compliance; | 423 return compliance; |
424 } | 424 } |
425 | 425 |
426 ct::EVPolicyCompliance CTPolicyEnforcer::DoesConformToCTEVPolicy( | 426 ct::EVPolicyCompliance CTPolicyEnforcer::DoesConformToCTEVPolicy( |
427 X509Certificate* cert, | 427 X509Certificate* cert, |
428 const ct::EVCertsWhitelist* ev_whitelist, | 428 const ct::EVCertsWhitelist* ev_whitelist, |
429 const ct::SCTList& verified_scts, | 429 const ct::SCTList& verified_scts, |
430 const BoundNetLog& net_log) { | 430 const NetLogWithSource& net_log) { |
431 EVComplianceDetails details; | 431 EVComplianceDetails details; |
432 // If the build is not timely, no certificate is considered compliant | 432 // If the build is not timely, no certificate is considered compliant |
433 // with EV policy. The reasoning is that, for example, a log might | 433 // with EV policy. The reasoning is that, for example, a log might |
434 // have been pulled and is no longer considered valid; thus, a client | 434 // have been pulled and is no longer considered valid; thus, a client |
435 // needs up-to-date information about logs to consider certificates to | 435 // needs up-to-date information about logs to consider certificates to |
436 // be compliant with policy. | 436 // be compliant with policy. |
437 details.build_timely = IsBuildTimely(); | 437 details.build_timely = IsBuildTimely(); |
438 if (!details.build_timely) { | 438 if (!details.build_timely) { |
439 details.status = ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY; | 439 details.status = ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY; |
440 } else { | 440 } else { |
(...skipping 10 matching lines...) Expand all Loading... |
451 | 451 |
452 if (!details.build_timely) | 452 if (!details.build_timely) |
453 return ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY; | 453 return ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY; |
454 | 454 |
455 LogEVPolicyComplianceToUMA(details.status, ev_whitelist); | 455 LogEVPolicyComplianceToUMA(details.status, ev_whitelist); |
456 | 456 |
457 return details.status; | 457 return details.status; |
458 } | 458 } |
459 | 459 |
460 } // namespace net | 460 } // namespace net |
OLD | NEW |