1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/multi_log_ct_verifier.h" | 5 #include "net/cert/multi_log_ct_verifier.h" |
6 | 6 |
7 #include <algorithm> | |
7 #include <vector> | 8 #include <vector> |
8 | 9 |
9 #include "base/bind.h" | 10 #include "base/bind.h" |
10 #include "base/callback_helpers.h" | 11 #include "base/callback_helpers.h" |
11 #include "base/metrics/histogram.h" | 12 #include "base/metrics/histogram.h" |
12 #include "net/base/net_errors.h" | 13 #include "net/base/net_errors.h" |
13 #include "net/base/net_log.h" | 14 #include "net/base/net_log.h" |
14 #include "net/cert/ct_log_verifier.h" | 15 #include "net/cert/ct_log_verifier.h" |
15 #include "net/cert/ct_objects_extractor.h" | 16 #include "net/cert/ct_objects_extractor.h" |
16 #include "net/cert/ct_serialization.h" | 17 #include "net/cert/ct_serialization.h" |
74 log_verifiers.begin(); it != log_verifiers.end(); ++it) { | 75 log_verifiers.begin(); it != log_verifiers.end(); ++it) { |
75 linked_ptr<CTLogVerifier> log(*it); | 76 linked_ptr<CTLogVerifier> log(*it); |
76 VLOG(1) << "Adding CT log: " << log->description(); | 77 VLOG(1) << "Adding CT log: " << log->description(); |
77 logs_[log->key_id()] = log; | 78 logs_[log->key_id()] = log; |
78 } | 79 } |
79 | 80 |
80 // Ownership of the pointers in |log_verifiers| is transferred to |logs_| | 81 // Ownership of the pointers in |log_verifiers| is transferred to |logs_| |
81 log_verifiers.weak_clear(); | 82 log_verifiers.weak_clear(); |
82 } | 83 } |
83 | 84 |
85 void MultiLogCTVerifier::SetEnforceCTEVPolicy(bool enforce_policy) { | |
86 enforce_ct_ev_policy_ = enforce_policy; | |
87 } | |
88 | |
84 int MultiLogCTVerifier::Verify( | 89 int MultiLogCTVerifier::Verify( |
85 X509Certificate* cert, | 90 X509Certificate* cert, |
86 const std::string& stapled_ocsp_response, | 91 const std::string& stapled_ocsp_response, |
87 const std::string& sct_list_from_tls_extension, | 92 const std::string& sct_list_from_tls_extension, |
88 ct::CTVerifyResult* result, | 93 ct::CTVerifyResult* result, |
89 const BoundNetLog& net_log) { | 94 const BoundNetLog& net_log) { |
90 DCHECK(cert); | 95 DCHECK(cert); |
91 DCHECK(result); | 96 DCHECK(result); |
92 | 97 |
93 result->verified_scts.clear(); | 98 result->verified_scts.clear(); |
226 result->invalid_scts.push_back(sct); | 231 result->invalid_scts.push_back(sct); |
227 LogSCTStatusToUMA(ct::SCT_STATUS_INVALID); | 232 LogSCTStatusToUMA(ct::SCT_STATUS_INVALID); |
228 return false; | 233 return false; |
229 } | 234 } |
230 | 235 |
231 LogSCTStatusToUMA(ct::SCT_STATUS_OK); | 236 LogSCTStatusToUMA(ct::SCT_STATUS_OK); |
232 result->verified_scts.push_back(sct); | 237 result->verified_scts.push_back(sct); |
233 return true; | 238 return true; |
234 } | 239 } |
235 | 240 |
236 } // namespace net | 241 bool IsEmbeddedSCT(const scoped_refptr<ct::SignedCertificateTimestamp>& sct) { |
242 return sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED; | |
243 } | |
244 | |
245 bool MultiLogCTVerifier::DoesConformToCTEVPolicy( | |
246 X509Certificate* cert, | |
247 const ct::CTVerifyResult& ct_result) { | |
248 if (!enforce_ct_ev_policy_) { | |
249 return true; | |
250 } | |
251 int num_valid_scts = ct_result.verified_scts.size(); | |
Ryan Sleevi
2014/08/05 22:19:10
1) Wrong integer type (permeates the rest of this
Eran Messeri
2014/10/20 17:26:30
Done.
| |
252 int num_embedded_scts = std::count_if( | |
253 ct_result.verified_scts.begin(), | |
254 ct_result.verified_scts.end(), | |
255 IsEmbeddedSCT); | |
256 | |
257 //TODO(eranm): Count the number of *independent* SCTs once the information | |
258 //about log operators is available. | |
Ryan Sleevi
2014/08/05 22:19:10
1) Style: Spaces after //
2) Bugs filed.
Eran Messeri
2014/10/20 17:26:30
Done and done.
| |
259 int num_non_embedded_scts = num_valid_scts - num_embedded_scts; | |
260 if (num_non_embedded_scts >= 2) { | |
261 return true; | |
262 } | |
263 | |
264 if ((num_non_embedded_scts == 1) && (num_embedded_scts > 0)) { | |
265 return true; | |
266 } | |
267 | |
268 if (cert->valid_start().is_null() || | |
269 cert->valid_expiry().is_null()) { | |
270 // Will not be able to calculate the certificate's validity period. | |
271 return false; | |
272 } | |
273 | |
274 int min_acceptable_logs = std::max((unsigned long) 2, logs_.size()); | |
Ryan Sleevi
2014/08/05 22:19:10
1) C-cast
2) Wrong type (.size() == size_t)
3) Bad
Eran Messeri
2014/10/20 17:26:30
Fixed all (hopefully) by making min_acceptable_log
| |
275 base::TimeDelta expiry_period = cert->valid_expiry() - cert->valid_start(); | |
276 uint32 expiry_in_months_approx = expiry_period.InDays() / 30.14; | |
277 // At most 5 SCTs are required - for certificate with lifetime of over | |
278 // 39 months. | |
279 int num_required_embedded_scts = 5; | |
280 if (expiry_in_months_approx > 27) { | |
281 num_required_embedded_scts = 4; | |
282 } else if (expiry_in_months_approx >= 15) { | |
283 num_required_embedded_scts = 3; | |
284 } else { | |
285 num_required_embedded_scts = 2; | |
286 } | |
287 | |
288 return num_embedded_scts >= std::min(num_required_embedded_scts, min_acceptabl e_logs); | |
289 } | |
290 | |
291 } // namespace net | |
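Review bot: In DoesConformToCTEVPolicy the 5-SCT tier that the comment describes ("over 39 months") is unreachable: `num_required_embedded_scts = 5` is overwritten by every branch of the chain that follows it, so a certificate with a 40-month lifetime is accepted with only 4 embedded SCTs, which is weaker than the policy the comment states. Add the missing tier at the head of the chain, `if (expiry_in_months_approx > 39) {` / `num_required_embedded_scts = 5;` / `} else if (expiry_in_months_approx > 27) {`, and drop the now-dead initial value. Separately, `expiry_period.InDays() / 30.14` is a double narrowed into uint32 by plain assignment, and the only guard on the dates is the null check, so if valid_expiry() precedes valid_start() the value is negative and converting a negative floating-point value to an unsigned type is undefined behaviour — reject `expiry_period <= base::TimeDelta()` before the division and return false. IsEmbeddedSCT is defined at net namespace scope with external linkage; a file-local helper like this belongs in an anonymous namespace (or marked static) per the style guide.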