Index: net/cert/ct_policy_enforcer.cc |
diff --git a/net/cert/ct_policy_enforcer.cc b/net/cert/ct_policy_enforcer.cc |
index 42f631eaa53db0e4cd05950deee6c6dc509e038f..0dd6a0d6bc0c367e4bbb8eab2a6590ffb59ebac9 100644 |
--- a/net/cert/ct_policy_enforcer.cc |
+++ b/net/cert/ct_policy_enforcer.cc |
@@ -20,7 +20,6 @@ |
#include "base/time/time.h" |
#include "base/values.h" |
#include "base/version.h" |
-#include "net/cert/ct_ev_whitelist.h" |
#include "net/cert/ct_known_logs.h" |
#include "net/cert/ct_policy_status.h" |
#include "net/cert/ct_verify_result.h" |
@@ -75,27 +74,6 @@ void RoundedDownMonthDifference(const base::Time& start, |
*rounded_months_difference = month_diff; |
} |
-const char* EVPolicyComplianceToString(ct::EVPolicyCompliance status) { |
- switch (status) { |
- case ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY: |
- return "POLICY_DOES_NOT_APPLY"; |
- case ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST: |
- return "WHITELISTED"; |
- case ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS: |
- return "COMPLIES_VIA_SCTS"; |
- case ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS: |
- return "NOT_ENOUGH_SCTS"; |
- case ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS: |
- return "SCTS_NOT_DIVERSE"; |
- case ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY: |
- return "BUILD_NOT_TIMELY"; |
- case ct::EVPolicyCompliance::EV_POLICY_MAX: |
- break; |
- } |
- |
- return "unknown"; |
-} |
- |
const char* CertPolicyComplianceToString(ct::CertPolicyCompliance status) { |
switch (status) { |
case ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS: |
@@ -111,64 +89,6 @@ const char* CertPolicyComplianceToString(ct::CertPolicyCompliance status) { |
return "unknown"; |
} |
-enum EVWhitelistStatus { |
- EV_WHITELIST_NOT_PRESENT = 0, |
- EV_WHITELIST_INVALID = 1, |
- EV_WHITELIST_VALID = 2, |
- EV_WHITELIST_MAX, |
-}; |
- |
-void LogEVPolicyComplianceToUMA(ct::EVPolicyCompliance status, |
- const ct::EVCertsWhitelist* ev_whitelist) { |
- UMA_HISTOGRAM_ENUMERATION( |
- "Net.SSL_EVCTCompliance", static_cast<int>(status), |
- static_cast<int>(ct::EVPolicyCompliance::EV_POLICY_MAX)); |
- if (status == ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS || |
- status == ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS) { |
- EVWhitelistStatus ev_whitelist_status = EV_WHITELIST_NOT_PRESENT; |
- if (ev_whitelist != NULL) { |
- if (ev_whitelist->IsValid()) |
- ev_whitelist_status = EV_WHITELIST_VALID; |
- else |
- ev_whitelist_status = EV_WHITELIST_INVALID; |
- } |
- |
- UMA_HISTOGRAM_ENUMERATION("Net.SSL_EVWhitelistValidityForNonCompliantCert", |
- ev_whitelist_status, EV_WHITELIST_MAX); |
- } |
-} |
- |
-struct EVComplianceDetails { |
- EVComplianceDetails() |
- : build_timely(false), |
- status(ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY) {} |
- |
- // Whether the build is not older than 10 weeks. |
- bool build_timely; |
- // Compliance status - meaningful only if |build_timely| is true. |
- ct::EVPolicyCompliance status; |
- // EV whitelist version. |
- base::Version whitelist_version; |
-}; |
- |
-std::unique_ptr<base::Value> NetLogEVComplianceCheckResultCallback( |
- X509Certificate* cert, |
- EVComplianceDetails* details, |
- NetLogCaptureMode capture_mode) { |
- std::unique_ptr<base::DictionaryValue> dict(new base::DictionaryValue()); |
- dict->Set("certificate", NetLogX509CertificateCallback(cert, capture_mode)); |
- dict->SetBoolean("policy_enforcement_required", true); |
- dict->SetBoolean("build_timely", details->build_timely); |
- if (details->build_timely) { |
- dict->SetString("ct_compliance_status", |
- EVPolicyComplianceToString(details->status)); |
- if (details->whitelist_version.IsValid()) |
- dict->SetString("ev_whitelist_version", |
- details->whitelist_version.GetString()); |
- } |
- return std::move(dict); |
-} |
- |
std::unique_ptr<base::Value> NetLogCertComplianceCheckResultCallback( |
X509Certificate* cert, |
bool build_timely, |
@@ -182,24 +102,6 @@ std::unique_ptr<base::Value> NetLogCertComplianceCheckResultCallback( |
return std::move(dict); |
} |
-bool IsCertificateInWhitelist(const X509Certificate& cert, |
- const ct::EVCertsWhitelist* ev_whitelist) { |
- if (!ev_whitelist || !ev_whitelist->IsValid()) |
- return false; |
- |
- const SHA256HashValue fingerprint( |
- X509Certificate::CalculateFingerprint256(cert.os_cert_handle())); |
- |
- std::string truncated_fp = |
- std::string(reinterpret_cast<const char*>(fingerprint.data), 8); |
- bool cert_in_ev_whitelist = |
- ev_whitelist->ContainsCertificateHash(truncated_fp); |
- |
- UMA_HISTOGRAM_BOOLEAN("Net.SSL_EVCertificateInWhitelist", |
- cert_in_ev_whitelist); |
- return cert_in_ev_whitelist; |
-} |
- |
// Evaluates against the policy specified at |
// https://sites.google.com/a/chromium.org/dev/Home/chromium-security/root-ca-policy/EVCTPlanMay2015edition.pdf?attredirects=0 |
ct::CertPolicyCompliance CheckCertPolicyCompliance( |
@@ -365,37 +267,6 @@ ct::CertPolicyCompliance CheckCertPolicyCompliance( |
: ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS; |
} |
-ct::EVPolicyCompliance CertPolicyComplianceToEVPolicyCompliance( |
- ct::CertPolicyCompliance cert_policy_compliance) { |
- switch (cert_policy_compliance) { |
- case ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS: |
- return ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS; |
- case ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS: |
- return ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS; |
- case ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS: |
- return ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS; |
- case ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY: |
- return ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY; |
- } |
- return ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; |
-} |
- |
-void CheckCTEVPolicyCompliance(X509Certificate* cert, |
- const ct::EVCertsWhitelist* ev_whitelist, |
- const ct::SCTList& verified_scts, |
- const NetLogWithSource& net_log, |
- EVComplianceDetails* result) { |
- result->status = CertPolicyComplianceToEVPolicyCompliance( |
- CheckCertPolicyCompliance(*cert, verified_scts)); |
- if (ev_whitelist && ev_whitelist->IsValid()) |
- result->whitelist_version = ev_whitelist->Version(); |
- |
- if (result->status != ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS && |
- IsCertificateInWhitelist(*cert, ev_whitelist)) { |
- result->status = ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST; |
- } |
-} |
- |
} // namespace |
ct::CertPolicyCompliance CTPolicyEnforcer::DoesConformToCertPolicy( |
@@ -425,38 +296,4 @@ ct::CertPolicyCompliance CTPolicyEnforcer::DoesConformToCertPolicy( |
return compliance; |
} |
-ct::EVPolicyCompliance CTPolicyEnforcer::DoesConformToCTEVPolicy( |
- X509Certificate* cert, |
- const ct::EVCertsWhitelist* ev_whitelist, |
- const ct::SCTList& verified_scts, |
- const NetLogWithSource& net_log) { |
- EVComplianceDetails details; |
- // If the build is not timely, no certificate is considered compliant |
- // with EV policy. The reasoning is that, for example, a log might |
- // have been pulled and is no longer considered valid; thus, a client |
- // needs up-to-date information about logs to consider certificates to |
- // be compliant with policy. |
- details.build_timely = IsBuildTimely(); |
- if (!details.build_timely) { |
- details.status = ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY; |
- } else { |
- CheckCTEVPolicyCompliance(cert, ev_whitelist, verified_scts, net_log, |
- &details); |
- } |
- |
- NetLogParametersCallback net_log_callback = |
- base::Bind(&NetLogEVComplianceCheckResultCallback, base::Unretained(cert), |
- base::Unretained(&details)); |
- |
- net_log.AddEvent(NetLogEventType::EV_CERT_CT_COMPLIANCE_CHECKED, |
- net_log_callback); |
- |
- if (!details.build_timely) |
- return ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY; |
- |
- LogEVPolicyComplianceToUMA(details.status, ev_whitelist); |
- |
- return details.status; |
-} |
- |
} // namespace net |