| Index: net/cert/ct_policy_enforcer.cc
|
| diff --git a/net/cert/ct_policy_enforcer.cc b/net/cert/ct_policy_enforcer.cc
|
| index 42f631eaa53db0e4cd05950deee6c6dc509e038f..0dd6a0d6bc0c367e4bbb8eab2a6590ffb59ebac9 100644
|
| --- a/net/cert/ct_policy_enforcer.cc
|
| +++ b/net/cert/ct_policy_enforcer.cc
|
| @@ -20,7 +20,6 @@
|
| #include "base/time/time.h"
|
| #include "base/values.h"
|
| #include "base/version.h"
|
| -#include "net/cert/ct_ev_whitelist.h"
|
| #include "net/cert/ct_known_logs.h"
|
| #include "net/cert/ct_policy_status.h"
|
| #include "net/cert/ct_verify_result.h"
|
| @@ -75,27 +74,6 @@ void RoundedDownMonthDifference(const base::Time& start,
|
| *rounded_months_difference = month_diff;
|
| }
|
|
|
| -const char* EVPolicyComplianceToString(ct::EVPolicyCompliance status) {
|
| - switch (status) {
|
| - case ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY:
|
| - return "POLICY_DOES_NOT_APPLY";
|
| - case ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST:
|
| - return "WHITELISTED";
|
| - case ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS:
|
| - return "COMPLIES_VIA_SCTS";
|
| - case ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS:
|
| - return "NOT_ENOUGH_SCTS";
|
| - case ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS:
|
| - return "SCTS_NOT_DIVERSE";
|
| - case ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY:
|
| - return "BUILD_NOT_TIMELY";
|
| - case ct::EVPolicyCompliance::EV_POLICY_MAX:
|
| - break;
|
| - }
|
| -
|
| - return "unknown";
|
| -}
|
| -
|
| const char* CertPolicyComplianceToString(ct::CertPolicyCompliance status) {
|
| switch (status) {
|
| case ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS:
|
| @@ -111,64 +89,6 @@ const char* CertPolicyComplianceToString(ct::CertPolicyCompliance status) {
|
| return "unknown";
|
| }
|
|
|
| -enum EVWhitelistStatus {
|
| - EV_WHITELIST_NOT_PRESENT = 0,
|
| - EV_WHITELIST_INVALID = 1,
|
| - EV_WHITELIST_VALID = 2,
|
| - EV_WHITELIST_MAX,
|
| -};
|
| -
|
| -void LogEVPolicyComplianceToUMA(ct::EVPolicyCompliance status,
|
| - const ct::EVCertsWhitelist* ev_whitelist) {
|
| - UMA_HISTOGRAM_ENUMERATION(
|
| - "Net.SSL_EVCTCompliance", static_cast<int>(status),
|
| - static_cast<int>(ct::EVPolicyCompliance::EV_POLICY_MAX));
|
| - if (status == ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS ||
|
| - status == ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS) {
|
| - EVWhitelistStatus ev_whitelist_status = EV_WHITELIST_NOT_PRESENT;
|
| - if (ev_whitelist != NULL) {
|
| - if (ev_whitelist->IsValid())
|
| - ev_whitelist_status = EV_WHITELIST_VALID;
|
| - else
|
| - ev_whitelist_status = EV_WHITELIST_INVALID;
|
| - }
|
| -
|
| - UMA_HISTOGRAM_ENUMERATION("Net.SSL_EVWhitelistValidityForNonCompliantCert",
|
| - ev_whitelist_status, EV_WHITELIST_MAX);
|
| - }
|
| -}
|
| -
|
| -struct EVComplianceDetails {
|
| - EVComplianceDetails()
|
| - : build_timely(false),
|
| - status(ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY) {}
|
| -
|
| - // Whether the build is not older than 10 weeks.
|
| - bool build_timely;
|
| - // Compliance status - meaningful only if |build_timely| is true.
|
| - ct::EVPolicyCompliance status;
|
| - // EV whitelist version.
|
| - base::Version whitelist_version;
|
| -};
|
| -
|
| -std::unique_ptr<base::Value> NetLogEVComplianceCheckResultCallback(
|
| - X509Certificate* cert,
|
| - EVComplianceDetails* details,
|
| - NetLogCaptureMode capture_mode) {
|
| - std::unique_ptr<base::DictionaryValue> dict(new base::DictionaryValue());
|
| - dict->Set("certificate", NetLogX509CertificateCallback(cert, capture_mode));
|
| - dict->SetBoolean("policy_enforcement_required", true);
|
| - dict->SetBoolean("build_timely", details->build_timely);
|
| - if (details->build_timely) {
|
| - dict->SetString("ct_compliance_status",
|
| - EVPolicyComplianceToString(details->status));
|
| - if (details->whitelist_version.IsValid())
|
| - dict->SetString("ev_whitelist_version",
|
| - details->whitelist_version.GetString());
|
| - }
|
| - return std::move(dict);
|
| -}
|
| -
|
| std::unique_ptr<base::Value> NetLogCertComplianceCheckResultCallback(
|
| X509Certificate* cert,
|
| bool build_timely,
|
| @@ -182,24 +102,6 @@ std::unique_ptr<base::Value> NetLogCertComplianceCheckResultCallback(
|
| return std::move(dict);
|
| }
|
|
|
| -bool IsCertificateInWhitelist(const X509Certificate& cert,
|
| - const ct::EVCertsWhitelist* ev_whitelist) {
|
| - if (!ev_whitelist || !ev_whitelist->IsValid())
|
| - return false;
|
| -
|
| - const SHA256HashValue fingerprint(
|
| - X509Certificate::CalculateFingerprint256(cert.os_cert_handle()));
|
| -
|
| - std::string truncated_fp =
|
| - std::string(reinterpret_cast<const char*>(fingerprint.data), 8);
|
| - bool cert_in_ev_whitelist =
|
| - ev_whitelist->ContainsCertificateHash(truncated_fp);
|
| -
|
| - UMA_HISTOGRAM_BOOLEAN("Net.SSL_EVCertificateInWhitelist",
|
| - cert_in_ev_whitelist);
|
| - return cert_in_ev_whitelist;
|
| -}
|
| -
|
| // Evaluates against the policy specified at
|
| // https://sites.google.com/a/chromium.org/dev/Home/chromium-security/root-ca-policy/EVCTPlanMay2015edition.pdf?attredirects=0
|
| ct::CertPolicyCompliance CheckCertPolicyCompliance(
|
| @@ -365,37 +267,6 @@ ct::CertPolicyCompliance CheckCertPolicyCompliance(
|
| : ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS;
|
| }
|
|
|
| -ct::EVPolicyCompliance CertPolicyComplianceToEVPolicyCompliance(
|
| - ct::CertPolicyCompliance cert_policy_compliance) {
|
| - switch (cert_policy_compliance) {
|
| - case ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS:
|
| - return ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS;
|
| - case ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS:
|
| - return ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS;
|
| - case ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS:
|
| - return ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS;
|
| - case ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY:
|
| - return ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY;
|
| - }
|
| - return ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
|
| -}
|
| -
|
| -void CheckCTEVPolicyCompliance(X509Certificate* cert,
|
| - const ct::EVCertsWhitelist* ev_whitelist,
|
| - const ct::SCTList& verified_scts,
|
| - const NetLogWithSource& net_log,
|
| - EVComplianceDetails* result) {
|
| - result->status = CertPolicyComplianceToEVPolicyCompliance(
|
| - CheckCertPolicyCompliance(*cert, verified_scts));
|
| - if (ev_whitelist && ev_whitelist->IsValid())
|
| - result->whitelist_version = ev_whitelist->Version();
|
| -
|
| - if (result->status != ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS &&
|
| - IsCertificateInWhitelist(*cert, ev_whitelist)) {
|
| - result->status = ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST;
|
| - }
|
| -}
|
| -
|
| } // namespace
|
|
|
| ct::CertPolicyCompliance CTPolicyEnforcer::DoesConformToCertPolicy(
|
| @@ -425,38 +296,4 @@ ct::CertPolicyCompliance CTPolicyEnforcer::DoesConformToCertPolicy(
|
| return compliance;
|
| }
|
|
|
| -ct::EVPolicyCompliance CTPolicyEnforcer::DoesConformToCTEVPolicy(
|
| - X509Certificate* cert,
|
| - const ct::EVCertsWhitelist* ev_whitelist,
|
| - const ct::SCTList& verified_scts,
|
| - const NetLogWithSource& net_log) {
|
| - EVComplianceDetails details;
|
| - // If the build is not timely, no certificate is considered compliant
|
| - // with EV policy. The reasoning is that, for example, a log might
|
| - // have been pulled and is no longer considered valid; thus, a client
|
| - // needs up-to-date information about logs to consider certificates to
|
| - // be compliant with policy.
|
| - details.build_timely = IsBuildTimely();
|
| - if (!details.build_timely) {
|
| - details.status = ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY;
|
| - } else {
|
| - CheckCTEVPolicyCompliance(cert, ev_whitelist, verified_scts, net_log,
|
| - &details);
|
| - }
|
| -
|
| - NetLogParametersCallback net_log_callback =
|
| - base::Bind(&NetLogEVComplianceCheckResultCallback, base::Unretained(cert),
|
| - base::Unretained(&details));
|
| -
|
| - net_log.AddEvent(NetLogEventType::EV_CERT_CT_COMPLIANCE_CHECKED,
|
| - net_log_callback);
|
| -
|
| - if (!details.build_timely)
|
| - return ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY;
|
| -
|
| - LogEVPolicyComplianceToUMA(details.status, ev_whitelist);
|
| -
|
| - return details.status;
|
| -}
|
| -
|
| } // namespace net
|
|
|
Chromium Code Reviews
Issue 2937563002:
Remove the EV Certs Whitelist (Closed)
