Certificate Transparency: Require SCTs for EV certificates.

net/cert/multi_log_ct_verifier.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/multi_log_ct_verifier.h"
 
+#include <algorithm>
 #include <vector>
 
 #include "base/bind.h"
 #include "base/callback_helpers.h"
 #include "base/metrics/histogram.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_log.h"
 #include "net/cert/ct_log_verifier.h"
 #include "net/cert/ct_objects_extractor.h"
 #include "net/cert/ct_serialization.h"
@@ skipping 57 matching lines @@
        log_verifiers.begin(); it != log_verifiers.end(); ++it) {
     linked_ptr<CTLogVerifier> log(*it);
     VLOG(1) << "Adding CT log: " << log->description();
     logs_[log->key_id()] = log;
   }
 
   // Ownership of the pointers in |log_verifiers| is transferred to |logs_|
   log_verifiers.weak_clear();
 }
 
+void MultiLogCTVerifier::SetEnforceCTEVPolicy(bool enforce_policy) {
+  enforce_ct_ev_policy_ = enforce_policy;
+}
+
 int MultiLogCTVerifier::Verify(
     X509Certificate* cert,
     const std::string& stapled_ocsp_response,
     const std::string& sct_list_from_tls_extension,
     ct::CTVerifyResult* result,
     const BoundNetLog& net_log)  {
   DCHECK(cert);
   DCHECK(result);
 
   result->verified_scts.clear();
@@ skipping 132 matching lines @@
     result->invalid_scts.push_back(sct);
     LogSCTStatusToUMA(ct::SCT_STATUS_INVALID);
     return false;
   }
 
   LogSCTStatusToUMA(ct::SCT_STATUS_OK);
   result->verified_scts.push_back(sct);
   return true;
 }
 
-} // namespace net
+bool IsEmbeddedSCT(const scoped_refptr<ct::SignedCertificateTimestamp>& sct) {
+  return sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED;
+}
+
+bool MultiLogCTVerifier::DoesConformToCTEVPolicy(
+      X509Certificate* cert,
+      const ct::CTVerifyResult& ct_result) {
+  if (!enforce_ct_ev_policy_) {
+    return true;
+  }
+  int num_valid_scts = ct_result.verified_scts.size();

[Ryan Sleevi, 2014/08/05 22:19:10]

1) Wrong integer type (permeates the rest of this file)

[Eran Messeri, 2014/10/20 17:26:30]

Done.

+  int num_embedded_scts = std::count_if(
+      ct_result.verified_scts.begin(),
+      ct_result.verified_scts.end(),
+      IsEmbeddedSCT);
+
+  //TODO(eranm): Count the number of *independent* SCTs once the information
+  //about log operators is available.

[Ryan Sleevi, 2014/08/05 22:19:10]

1) Style: Spaces after //
2) Bugs filed.

[Eran Messeri, 2014/10/20 17:26:30]

Done and done.

+  int num_non_embedded_scts = num_valid_scts - num_embedded_scts;
+  if (num_non_embedded_scts >= 2) {
+    return true;
+  }
+
+  if ((num_non_embedded_scts == 1) && (num_embedded_scts > 0)) {
+    return true;
+  }
+
+  if (cert->valid_start().is_null() ||
+      cert->valid_expiry().is_null()) {
+    // Will not be able to calculate the certificate's validity period.
+    return false;
+  }
+
+  int min_acceptable_logs = std::max((unsigned long) 2, logs_.size());

[Ryan Sleevi, 2014/08/05 22:19:10]

1) C-cast
2) Wrong type (.size() == size_t)
3) Bad downcast (size_t -> int)

[Eran Messeri, 2014/10/20 17:26:30]

Fixed all (hopefully) by making min_acceptable_logs size_t and using 2ul as the
literal. 

+  base::TimeDelta expiry_period = cert->valid_expiry() - cert->valid_start();
+  uint32 expiry_in_months_approx = expiry_period.InDays() / 30.14;
+  // At most 5 SCTs are required - for certificate with lifetime of over
+  // 39 months.
+  int num_required_embedded_scts = 5;
+  if (expiry_in_months_approx > 27) {
+    num_required_embedded_scts = 4;
+  } else if (expiry_in_months_approx >= 15) {
+    num_required_embedded_scts = 3;
+  } else {
+    num_required_embedded_scts = 2;
+  }
+
+  return num_embedded_scts >= std::min(num_required_embedded_scts, min_acceptable_logs);
+}
+
+}  // namespace net