OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "net/cert/cert_policy_enforcer.h" | |
6 | |
7 #include <algorithm> | |
8 | |
9 #include "base/metrics/histogram.h" | |
10 #include "base/numerics/safe_conversions.h" | |
11 #include "net/cert/ct_ev_whitelist.h" | |
12 #include "net/cert/ct_verify_result.h" | |
13 #include "net/cert/signed_certificate_timestamp.h" | |
14 #include "net/cert/x509_certificate.h" | |
15 | |
16 namespace net { | |
17 | |
18 namespace { | |
19 bool IsEmbeddedSCT(const scoped_refptr<ct::SignedCertificateTimestamp>& sct) { | |
20 return sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED; | |
21 } | |
22 } | |
23 | |
24 CertPolicyEnforcer::CertPolicyEnforcer(size_t num_ct_logs, | |
25 bool require_ct_for_ev) | |
26 : num_ct_logs_(num_ct_logs), enforce_ct_requirement_(require_ct_for_ev) { | |
27 } | |
28 | |
29 CertPolicyEnforcer::~CertPolicyEnforcer() { | |
30 } | |
31 | |
32 bool CertPolicyEnforcer::DoesConformToCTEVPolicy( | |
33 X509Certificate* cert, | |
34 const ct::EVCertsWhitelist* ev_whitelist, | |
35 const ct::CTVerifyResult& ct_result) { | |
36 bool cert_in_ev_whitelist = false; | |
37 if (ev_whitelist && ev_whitelist->IsValid()) { | |
38 const SHA256HashValue fingerprint( | |
39 X509Certificate::CalculateFingerprint256(cert->os_cert_handle())); | |
40 | |
41 cert_in_ev_whitelist = ev_whitelist->ContainsCertificateHash( | |
42 std::string(reinterpret_cast<const char*>(fingerprint.data), 8)); | |
43 } | |
44 | |
45 UMA_HISTOGRAM_BOOLEAN("Net.SSL_EVCertificateInWhitelist", | |
46 cert_in_ev_whitelist); | |
47 | |
48 if (!enforce_ct_requirement_) | |
49 return true; | |
50 | |
Ryan Sleevi
2014/11/06 00:16:43
Note that this code is missing the build date fres
Eran Messeri
2014/11/20 11:49:56
Added (by shamelessly copying it from TransportSec
| |
51 if (cert_in_ev_whitelist) | |
52 return true; | |
53 | |
54 size_t num_valid_scts = ct_result.verified_scts.size(); | |
55 size_t num_embedded_scts = | |
56 std::count_if(ct_result.verified_scts.begin(), | |
57 ct_result.verified_scts.end(), IsEmbeddedSCT); | |
Ryan Sleevi
2014/11/11 02:50:18
So, from the ct-policy discussion, I should have p
Eran Messeri
2014/11/20 11:49:56
See my previous reply - IIUC that's to avoid distr
| |
58 | |
59 // TODO(eranm): Count the number of *independent* SCTs once the information | |
60 // about log operators is available, crbug.com/425174 | |
61 size_t num_non_embedded_scts = num_valid_scts - num_embedded_scts; | |
62 if (num_non_embedded_scts >= 2) { | |
Ryan Sleevi
2014/11/06 00:16:43
net code omits braces for single-line conditionals
Eran Messeri
2014/11/20 11:49:56
Done per your guidelines.
| |
63 return true; | |
64 } | |
65 | |
66 if ((num_non_embedded_scts == 1) && (num_embedded_scts > 0)) { | |
67 return true; | |
68 } | |
69 | |
70 if (cert->valid_start().is_null() || cert->valid_expiry().is_null()) { | |
71 // Will not be able to calculate the certificate's validity period. | |
72 return false; | |
73 } | |
74 | |
75 base::TimeDelta expiry_period = cert->valid_expiry() - cert->valid_start(); | |
76 uint32_t expiry_in_months_approx = expiry_period.InDays() / 30.14; | |
Ryan Sleevi
2014/11/06 00:16:43
Does it make more sense to adopt math similar to t
Eran Messeri
2014/11/20 11:49:56
Yes, used similar logic here.
I considered adding
| |
77 // At most 5 SCTs are required - for certificate with lifetime of over | |
78 // 39 months. | |
79 size_t num_required_embedded_scts; | |
80 if (expiry_in_months_approx > 39) { | |
81 num_required_embedded_scts = 5; | |
82 } else if (expiry_in_months_approx > 27) { | |
83 num_required_embedded_scts = 4; | |
84 } else if (expiry_in_months_approx >= 15) { | |
85 num_required_embedded_scts = 3; | |
86 } else { | |
87 num_required_embedded_scts = 2; | |
88 } | |
89 | |
90 size_t min_acceptable_logs = std::max(static_cast<size_t>(2), num_ct_logs_); | |
Ryan Sleevi
2014/11/06 00:16:43
just do 2U and it should be sufficient, right?
Or
Eran Messeri
2014/11/20 11:49:56
Tried both, the compiler was equally unhappy - I h
| |
91 return num_embedded_scts >= | |
92 std::min(num_required_embedded_scts, min_acceptable_logs); | |
93 } | |
94 | |
95 } // namespace net | |
OLD | NEW |