Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(164)

Unified Diff: net/cert/ct_policy_enforcer.cc

Issue 2937563002: Remove the EV Certs Whitelist (Closed)
Patch Set: Created 3 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: net/cert/ct_policy_enforcer.cc
diff --git a/net/cert/ct_policy_enforcer.cc b/net/cert/ct_policy_enforcer.cc
index 42f631eaa53db0e4cd05950deee6c6dc509e038f..0dd6a0d6bc0c367e4bbb8eab2a6590ffb59ebac9 100644
--- a/net/cert/ct_policy_enforcer.cc
+++ b/net/cert/ct_policy_enforcer.cc
@@ -20,7 +20,6 @@
#include "base/time/time.h"
#include "base/values.h"
#include "base/version.h"
-#include "net/cert/ct_ev_whitelist.h"
#include "net/cert/ct_known_logs.h"
#include "net/cert/ct_policy_status.h"
#include "net/cert/ct_verify_result.h"
@@ -75,27 +74,6 @@ void RoundedDownMonthDifference(const base::Time& start,
*rounded_months_difference = month_diff;
}
-const char* EVPolicyComplianceToString(ct::EVPolicyCompliance status) {
- switch (status) {
- case ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY:
- return "POLICY_DOES_NOT_APPLY";
- case ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST:
- return "WHITELISTED";
- case ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS:
- return "COMPLIES_VIA_SCTS";
- case ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS:
- return "NOT_ENOUGH_SCTS";
- case ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS:
- return "SCTS_NOT_DIVERSE";
- case ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY:
- return "BUILD_NOT_TIMELY";
- case ct::EVPolicyCompliance::EV_POLICY_MAX:
- break;
- }
-
- return "unknown";
-}
-
const char* CertPolicyComplianceToString(ct::CertPolicyCompliance status) {
switch (status) {
case ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS:
@@ -111,64 +89,6 @@ const char* CertPolicyComplianceToString(ct::CertPolicyCompliance status) {
return "unknown";
}
-enum EVWhitelistStatus {
- EV_WHITELIST_NOT_PRESENT = 0,
- EV_WHITELIST_INVALID = 1,
- EV_WHITELIST_VALID = 2,
- EV_WHITELIST_MAX,
-};
-
-void LogEVPolicyComplianceToUMA(ct::EVPolicyCompliance status,
- const ct::EVCertsWhitelist* ev_whitelist) {
- UMA_HISTOGRAM_ENUMERATION(
- "Net.SSL_EVCTCompliance", static_cast<int>(status),
- static_cast<int>(ct::EVPolicyCompliance::EV_POLICY_MAX));
- if (status == ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS ||
- status == ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS) {
- EVWhitelistStatus ev_whitelist_status = EV_WHITELIST_NOT_PRESENT;
- if (ev_whitelist != NULL) {
- if (ev_whitelist->IsValid())
- ev_whitelist_status = EV_WHITELIST_VALID;
- else
- ev_whitelist_status = EV_WHITELIST_INVALID;
- }
-
- UMA_HISTOGRAM_ENUMERATION("Net.SSL_EVWhitelistValidityForNonCompliantCert",
- ev_whitelist_status, EV_WHITELIST_MAX);
- }
-}
-
-struct EVComplianceDetails {
- EVComplianceDetails()
- : build_timely(false),
- status(ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY) {}
-
- // Whether the build is not older than 10 weeks.
- bool build_timely;
- // Compliance status - meaningful only if |build_timely| is true.
- ct::EVPolicyCompliance status;
- // EV whitelist version.
- base::Version whitelist_version;
-};
-
-std::unique_ptr<base::Value> NetLogEVComplianceCheckResultCallback(
- X509Certificate* cert,
- EVComplianceDetails* details,
- NetLogCaptureMode capture_mode) {
- std::unique_ptr<base::DictionaryValue> dict(new base::DictionaryValue());
- dict->Set("certificate", NetLogX509CertificateCallback(cert, capture_mode));
- dict->SetBoolean("policy_enforcement_required", true);
- dict->SetBoolean("build_timely", details->build_timely);
- if (details->build_timely) {
- dict->SetString("ct_compliance_status",
- EVPolicyComplianceToString(details->status));
- if (details->whitelist_version.IsValid())
- dict->SetString("ev_whitelist_version",
- details->whitelist_version.GetString());
- }
- return std::move(dict);
-}
-
std::unique_ptr<base::Value> NetLogCertComplianceCheckResultCallback(
X509Certificate* cert,
bool build_timely,
@@ -182,24 +102,6 @@ std::unique_ptr<base::Value> NetLogCertComplianceCheckResultCallback(
return std::move(dict);
}
-bool IsCertificateInWhitelist(const X509Certificate& cert,
- const ct::EVCertsWhitelist* ev_whitelist) {
- if (!ev_whitelist || !ev_whitelist->IsValid())
- return false;
-
- const SHA256HashValue fingerprint(
- X509Certificate::CalculateFingerprint256(cert.os_cert_handle()));
-
- std::string truncated_fp =
- std::string(reinterpret_cast<const char*>(fingerprint.data), 8);
- bool cert_in_ev_whitelist =
- ev_whitelist->ContainsCertificateHash(truncated_fp);
-
- UMA_HISTOGRAM_BOOLEAN("Net.SSL_EVCertificateInWhitelist",
- cert_in_ev_whitelist);
- return cert_in_ev_whitelist;
-}
-
// Evaluates against the policy specified at
// https://sites.google.com/a/chromium.org/dev/Home/chromium-security/root-ca-policy/EVCTPlanMay2015edition.pdf?attredirects=0
ct::CertPolicyCompliance CheckCertPolicyCompliance(
@@ -365,37 +267,6 @@ ct::CertPolicyCompliance CheckCertPolicyCompliance(
: ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS;
}
-ct::EVPolicyCompliance CertPolicyComplianceToEVPolicyCompliance(
- ct::CertPolicyCompliance cert_policy_compliance) {
- switch (cert_policy_compliance) {
- case ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS:
- return ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS;
- case ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS:
- return ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS;
- case ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS:
- return ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS;
- case ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY:
- return ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY;
- }
- return ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
-}
-
-void CheckCTEVPolicyCompliance(X509Certificate* cert,
- const ct::EVCertsWhitelist* ev_whitelist,
- const ct::SCTList& verified_scts,
- const NetLogWithSource& net_log,
- EVComplianceDetails* result) {
- result->status = CertPolicyComplianceToEVPolicyCompliance(
- CheckCertPolicyCompliance(*cert, verified_scts));
- if (ev_whitelist && ev_whitelist->IsValid())
- result->whitelist_version = ev_whitelist->Version();
-
- if (result->status != ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS &&
- IsCertificateInWhitelist(*cert, ev_whitelist)) {
- result->status = ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST;
- }
-}
-
} // namespace
ct::CertPolicyCompliance CTPolicyEnforcer::DoesConformToCertPolicy(
@@ -425,38 +296,4 @@ ct::CertPolicyCompliance CTPolicyEnforcer::DoesConformToCertPolicy(
return compliance;
}
-ct::EVPolicyCompliance CTPolicyEnforcer::DoesConformToCTEVPolicy(
- X509Certificate* cert,
- const ct::EVCertsWhitelist* ev_whitelist,
- const ct::SCTList& verified_scts,
- const NetLogWithSource& net_log) {
- EVComplianceDetails details;
- // If the build is not timely, no certificate is considered compliant
- // with EV policy. The reasoning is that, for example, a log might
- // have been pulled and is no longer considered valid; thus, a client
- // needs up-to-date information about logs to consider certificates to
- // be compliant with policy.
- details.build_timely = IsBuildTimely();
- if (!details.build_timely) {
- details.status = ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY;
- } else {
- CheckCTEVPolicyCompliance(cert, ev_whitelist, verified_scts, net_log,
- &details);
- }
-
- NetLogParametersCallback net_log_callback =
- base::Bind(&NetLogEVComplianceCheckResultCallback, base::Unretained(cert),
- base::Unretained(&details));
-
- net_log.AddEvent(NetLogEventType::EV_CERT_CT_COMPLIANCE_CHECKED,
- net_log_callback);
-
- if (!details.build_timely)
- return ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY;
-
- LogEVPolicyComplianceToUMA(details.status, ev_whitelist);
-
- return details.status;
-}
-
} // namespace net

Powered by Google App Engine
This is Rietveld 408576698