Remove the EV Certs Whitelist

net/cert/ct_policy_enforcer.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/ct_policy_enforcer.h"
 
 #include <stdint.h>
 
 #include <algorithm>
 #include <memory>
 #include <utility>
 
 #include "base/bind.h"
 #include "base/build_time.h"
 #include "base/callback_helpers.h"
 #include "base/metrics/field_trial.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/numerics/safe_conversions.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/time/time.h"
 #include "base/values.h"
 #include "base/version.h"
-#include "net/cert/ct_ev_whitelist.h"
 #include "net/cert/ct_known_logs.h"
 #include "net/cert/ct_policy_status.h"
 #include "net/cert/ct_verify_result.h"
 #include "net/cert/signed_certificate_timestamp.h"
 #include "net/cert/x509_certificate.h"
 #include "net/cert/x509_certificate_net_log_param.h"
 #include "net/log/net_log_capture_mode.h"
 #include "net/log/net_log_event_type.h"
 #include "net/log/net_log_parameters_callback.h"
 #include "net/log/net_log_with_source.h"
@@ skipping 34 matching lines @@
   uint32_t month_diff = (exploded_expiry.year - exploded_start.year) * 12 +
                         (exploded_expiry.month - exploded_start.month);
   if (exploded_expiry.day_of_month < exploded_start.day_of_month)
     --month_diff;
   else if (exploded_expiry.day_of_month == exploded_start.day_of_month)
     *has_partial_month = false;
 
   *rounded_months_difference = month_diff;
 }
 
-const char* EVPolicyComplianceToString(ct::EVPolicyCompliance status) {
-  switch (status) {
-    case ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY:
-      return "POLICY_DOES_NOT_APPLY";
-    case ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST:
-      return "WHITELISTED";
-    case ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS:
-      return "COMPLIES_VIA_SCTS";
-    case ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS:
-      return "NOT_ENOUGH_SCTS";
-    case ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS:
-      return "SCTS_NOT_DIVERSE";
-    case ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY:
-      return "BUILD_NOT_TIMELY";
-    case ct::EVPolicyCompliance::EV_POLICY_MAX:
-      break;
-  }
-
-  return "unknown";
-}
-
 const char* CertPolicyComplianceToString(ct::CertPolicyCompliance status) {
   switch (status) {
     case ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS:
       return "COMPLIES_VIA_SCTS";
     case ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS:
       return "NOT_ENOUGH_SCTS";
     case ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS:
       return "NOT_DIVERSE_SCTS";
     case ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY:
       return "BUILD_NOT_TIMELY";
   }
 
   return "unknown";
 }
 
-enum EVWhitelistStatus {
-  EV_WHITELIST_NOT_PRESENT = 0,
-  EV_WHITELIST_INVALID = 1,
-  EV_WHITELIST_VALID = 2,
-  EV_WHITELIST_MAX,
-};
-
-void LogEVPolicyComplianceToUMA(ct::EVPolicyCompliance status,
-                                const ct::EVCertsWhitelist* ev_whitelist) {
-  UMA_HISTOGRAM_ENUMERATION(
-      "Net.SSL_EVCTCompliance", static_cast<int>(status),
-      static_cast<int>(ct::EVPolicyCompliance::EV_POLICY_MAX));
-  if (status == ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS ||
-      status == ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS) {
-    EVWhitelistStatus ev_whitelist_status = EV_WHITELIST_NOT_PRESENT;
-    if (ev_whitelist != NULL) {
-      if (ev_whitelist->IsValid())
-        ev_whitelist_status = EV_WHITELIST_VALID;
-      else
-        ev_whitelist_status = EV_WHITELIST_INVALID;
-    }
-
-    UMA_HISTOGRAM_ENUMERATION("Net.SSL_EVWhitelistValidityForNonCompliantCert",
-                              ev_whitelist_status, EV_WHITELIST_MAX);
-  }
-}
-
-struct EVComplianceDetails {
-  EVComplianceDetails()
-      : build_timely(false),
-        status(ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY) {}
-
-  // Whether the build is not older than 10 weeks.
-  bool build_timely;
-  // Compliance status - meaningful only if |build_timely| is true.
-  ct::EVPolicyCompliance status;
-  // EV whitelist version.
-  base::Version whitelist_version;
-};
-
-std::unique_ptr<base::Value> NetLogEVComplianceCheckResultCallback(
-    X509Certificate* cert,
-    EVComplianceDetails* details,
-    NetLogCaptureMode capture_mode) {
-  std::unique_ptr<base::DictionaryValue> dict(new base::DictionaryValue());
-  dict->Set("certificate", NetLogX509CertificateCallback(cert, capture_mode));
-  dict->SetBoolean("policy_enforcement_required", true);
-  dict->SetBoolean("build_timely", details->build_timely);
-  if (details->build_timely) {
-    dict->SetString("ct_compliance_status",
-                    EVPolicyComplianceToString(details->status));
-    if (details->whitelist_version.IsValid())
-      dict->SetString("ev_whitelist_version",
-                      details->whitelist_version.GetString());
-  }
-  return std::move(dict);
-}
-
 std::unique_ptr<base::Value> NetLogCertComplianceCheckResultCallback(
     X509Certificate* cert,
     bool build_timely,
     ct::CertPolicyCompliance compliance,
     NetLogCaptureMode capture_mode) {
   std::unique_ptr<base::DictionaryValue> dict(new base::DictionaryValue());
   dict->Set("certificate", NetLogX509CertificateCallback(cert, capture_mode));
   dict->SetBoolean("build_timely", build_timely);
   dict->SetString("ct_compliance_status",
                   CertPolicyComplianceToString(compliance));
   return std::move(dict);
 }
 
-bool IsCertificateInWhitelist(const X509Certificate& cert,
-                              const ct::EVCertsWhitelist* ev_whitelist) {
-  if (!ev_whitelist || !ev_whitelist->IsValid())
-    return false;
-
-  const SHA256HashValue fingerprint(
-      X509Certificate::CalculateFingerprint256(cert.os_cert_handle()));
-
-  std::string truncated_fp =
-      std::string(reinterpret_cast<const char*>(fingerprint.data), 8);
-  bool cert_in_ev_whitelist =
-      ev_whitelist->ContainsCertificateHash(truncated_fp);
-
-  UMA_HISTOGRAM_BOOLEAN("Net.SSL_EVCertificateInWhitelist",
-                        cert_in_ev_whitelist);
-  return cert_in_ev_whitelist;
-}
-
 // Evaluates against the policy specified at
 // https://sites.google.com/a/chromium.org/dev/Home/chromium-security/root-ca-policy/EVCTPlanMay2015edition.pdf?attredirects=0
 ct::CertPolicyCompliance CheckCertPolicyCompliance(
     const X509Certificate& cert,
     const ct::SCTList& verified_scts) {
   // Cert is outside the bounds of parsable; reject it.
   if (cert.valid_start().is_null() || cert.valid_expiry().is_null() ||
       cert.valid_start().is_max() || cert.valid_expiry().is_max()) {
     return ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS;
   }
@@ skipping 145 matching lines @@
     return ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS;
 
   // Under Option 2, there weren't enough SCTs, and potentially under Option
   // 1, there weren't diverse enough SCTs. Try to signal the error that is
   // most easily fixed.
   return has_valid_nonembedded_sct
              ? ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS
              : ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS;
 }
 
-ct::EVPolicyCompliance CertPolicyComplianceToEVPolicyCompliance(
-    ct::CertPolicyCompliance cert_policy_compliance) {
-  switch (cert_policy_compliance) {
-    case ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS:
-      return ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS;
-    case ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS:
-      return ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS;
-    case ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS:
-      return ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS;
-    case ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY:
-      return ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY;
-  }
-  return ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
-}
-
-void CheckCTEVPolicyCompliance(X509Certificate* cert,
-                               const ct::EVCertsWhitelist* ev_whitelist,
-                               const ct::SCTList& verified_scts,
-                               const NetLogWithSource& net_log,
-                               EVComplianceDetails* result) {
-  result->status = CertPolicyComplianceToEVPolicyCompliance(
-      CheckCertPolicyCompliance(*cert, verified_scts));
-  if (ev_whitelist && ev_whitelist->IsValid())
-    result->whitelist_version = ev_whitelist->Version();
-
-  if (result->status != ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS &&
-      IsCertificateInWhitelist(*cert, ev_whitelist)) {
-    result->status = ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST;
-  }
-}
-
 }  // namespace
 
 ct::CertPolicyCompliance CTPolicyEnforcer::DoesConformToCertPolicy(
     X509Certificate* cert,
     const ct::SCTList& verified_scts,
     const NetLogWithSource& net_log) {
   // If the build is not timely, no certificate is considered compliant
   // with CT policy. The reasoning is that, for example, a log might
   // have been pulled and is no longer considered valid; thus, a client
   // needs up-to-date information about logs to consider certificates to
   // be compliant with policy.
   bool build_timely = IsBuildTimely();
   ct::CertPolicyCompliance compliance;
   if (!build_timely) {
     compliance = ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY;
   } else {
     compliance = CheckCertPolicyCompliance(*cert, verified_scts);
   }
 
   NetLogParametersCallback net_log_callback =
       base::Bind(&NetLogCertComplianceCheckResultCallback,
                  base::Unretained(cert), build_timely, compliance);
 
   net_log.AddEvent(NetLogEventType::CERT_CT_COMPLIANCE_CHECKED,
                    net_log_callback);
 
   return compliance;
 }
 
-ct::EVPolicyCompliance CTPolicyEnforcer::DoesConformToCTEVPolicy(
-    X509Certificate* cert,
-    const ct::EVCertsWhitelist* ev_whitelist,
-    const ct::SCTList& verified_scts,
-    const NetLogWithSource& net_log) {
-  EVComplianceDetails details;
-  // If the build is not timely, no certificate is considered compliant
-  // with EV policy. The reasoning is that, for example, a log might
-  // have been pulled and is no longer considered valid; thus, a client
-  // needs up-to-date information about logs to consider certificates to
-  // be compliant with policy.
-  details.build_timely = IsBuildTimely();
-  if (!details.build_timely) {
-    details.status = ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY;
-  } else {
-    CheckCTEVPolicyCompliance(cert, ev_whitelist, verified_scts, net_log,
-                              &details);
-  }
-
-  NetLogParametersCallback net_log_callback =
-      base::Bind(&NetLogEVComplianceCheckResultCallback, base::Unretained(cert),
-                 base::Unretained(&details));
-
-  net_log.AddEvent(NetLogEventType::EV_CERT_CT_COMPLIANCE_CHECKED,
-                   net_log_callback);
-
-  if (!details.build_timely)
-    return ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY;
-
-  LogEVPolicyComplianceToUMA(details.status, ev_whitelist);
-
-  return details.status;
-}
-
 }  // namespace net