OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "net/cert/cert_policy_enforcer.h" | |
6 | |
7 #include <algorithm> | |
8 | |
9 #include "base/build_time.h" | |
10 #include "base/metrics/histogram.h" | |
11 #include "base/numerics/safe_conversions.h" | |
12 #include "base/strings/string_number_conversions.h" | |
13 #include "net/cert/ct_ev_whitelist.h" | |
14 #include "net/cert/ct_verify_result.h" | |
15 #include "net/cert/signed_certificate_timestamp.h" | |
16 #include "net/cert/x509_certificate.h" | |
17 | |
18 namespace net { | |
19 | |
20 namespace { | |
21 | |
22 bool IsEmbeddedSCT(const scoped_refptr<ct::SignedCertificateTimestamp>& sct) { | |
23 return sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED; | |
24 } | |
25 | |
26 // Taken from TransportSecurityState::IsBuildTimely | |
Ryan Sleevi
2014/11/28 15:27:44
Don't describe where this is from, describe why it
Eran Messeri
2014/12/01 13:59:02
Done.
| |
27 // TODO(eranm): Move to base or net/base | |
28 bool IsBuildTimely() { | |
29 #if defined(DONT_EMBED_BUILD_METADATA) && !defined(OFFICIAL_BUILD) | |
30 return true; | |
31 #else | |
32 const base::Time build_time = base::GetBuildTime(); | |
33 // We consider built-in information to be timely for 10 weeks. | |
34 return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */; | |
35 #endif | |
36 } | |
37 | |
38 uint32_t ApproximateMonthDifference(const base::Time& start, | |
39 const base::Time& end) { | |
40 base::Time::Exploded exploded_start; | |
41 base::Time::Exploded exploded_expiry; | |
42 start.UTCExplode(&exploded_start); | |
43 end.UTCExplode(&exploded_expiry); | |
Ryan Sleevi
2014/11/28 15:27:44
There are base::Time values that may not be repres
Eran Messeri
2014/12/01 13:59:02
As discussed offline, added checks for is_max belo
Ryan Sleevi
2014/12/01 15:27:55
Yeah, we'll come back to this as a follow-on (we c
| |
44 uint32_t month_diff = (exploded_expiry.year - exploded_start.year) * 12 + | |
45 (exploded_expiry.month - exploded_start.month); | |
46 | |
47 // Add any remainder as a full month. | |
48 if (exploded_expiry.day_of_month > exploded_start.day_of_month) | |
49 ++month_diff; | |
50 | |
51 return month_diff; | |
52 } | |
53 } | |
54 | |
55 CertPolicyEnforcer::CertPolicyEnforcer(size_t num_ct_logs, | |
56 bool require_ct_for_ev) | |
57 : num_ct_logs_(num_ct_logs), enforce_ct_requirement_(require_ct_for_ev) { | |
58 } | |
59 | |
60 CertPolicyEnforcer::~CertPolicyEnforcer() { | |
61 } | |
62 | |
63 bool CertPolicyEnforcer::DoesConformToCTEVPolicy( | |
64 X509Certificate* cert, | |
65 const ct::EVCertsWhitelist* ev_whitelist, | |
66 const ct::CTVerifyResult& ct_result) { | |
67 bool cert_in_ev_whitelist = false; | |
68 if (ev_whitelist && ev_whitelist->IsValid()) { | |
69 const SHA256HashValue fingerprint( | |
70 X509Certificate::CalculateFingerprint256(cert->os_cert_handle())); | |
71 | |
72 std::string truncated_fp = | |
73 std::string(reinterpret_cast<const char*>(fingerprint.data), 8); | |
Ryan Sleevi
2014/11/28 15:27:44
Note: If we make ContainsCertificateHash to take a
Eran Messeri
2014/12/01 13:59:02
Acknowledged, since it's changing the interface (w
| |
74 cert_in_ev_whitelist = ev_whitelist->ContainsCertificateHash(truncated_fp); | |
75 | |
76 VLOG(1) << "Have a valid whitelist. Is cert with fingerprint " | |
77 << base::HexEncode( | |
78 reinterpret_cast<const char*>(truncated_fp.data()), | |
79 truncated_fp.length()) << " in the whitelist? " | |
80 << (cert_in_ev_whitelist ? "true" : "false"); | |
Ryan Sleevi
2014/11/28 15:27:44
I'm not keen on this VLOG. If the intent is to aid
Eran Messeri
2014/12/01 13:59:02
Removed, for now. I'll can NetLog logging in a fol
Ryan Sleevi
2014/12/01 15:27:55
The histograms won't tell us (or the net-internals
| |
81 | |
82 UMA_HISTOGRAM_BOOLEAN("Net.SSL_EVCertificateInWhitelist", | |
83 cert_in_ev_whitelist); | |
84 } | |
85 | |
86 if (!enforce_ct_requirement_) | |
87 return true; | |
88 | |
89 if (!IsBuildTimely()) | |
90 return false; | |
91 | |
92 if (cert_in_ev_whitelist) | |
93 return true; | |
94 | |
95 size_t num_valid_scts = ct_result.verified_scts.size(); | |
96 size_t num_embedded_scts = | |
97 std::count_if(ct_result.verified_scts.begin(), | |
98 ct_result.verified_scts.end(), IsEmbeddedSCT); | |
99 | |
100 // TODO(eranm): Count the number of *independent* SCTs once the information | |
101 // about log operators is available, crbug.com/425174 | |
102 size_t num_non_embedded_scts = num_valid_scts - num_embedded_scts; | |
103 if (num_non_embedded_scts >= 2) | |
104 return true; | |
Ryan Sleevi
2014/11/28 15:27:44
I find this conditional hard to reason about (as w
Eran Messeri
2014/12/01 13:59:02
Done.
| |
105 | |
106 if ((num_non_embedded_scts == 1) && (num_embedded_scts > 0)) | |
107 return true; | |
Ryan Sleevi
2014/11/28 15:27:44
This doesn't seem spelled out in our policy at all
Eran Messeri
2014/12/01 13:59:02
Done.
| |
108 | |
109 if (cert->valid_start().is_null() || cert->valid_expiry().is_null()) { | |
110 // Will not be able to calculate the certificate's validity period. | |
111 return false; | |
112 } | |
113 | |
114 uint32_t expiry_in_months_approx = | |
115 ApproximateMonthDifference(cert->valid_start(), cert->valid_expiry()); | |
116 // At most 5 SCTs are required - for certificate with lifetime of over | |
117 // 39 months. | |
118 size_t num_required_embedded_scts; | |
119 if (expiry_in_months_approx > 39) { | |
120 num_required_embedded_scts = 5; | |
121 } else if (expiry_in_months_approx > 27) { | |
122 num_required_embedded_scts = 4; | |
123 } else if (expiry_in_months_approx >= 15) { | |
124 num_required_embedded_scts = 3; | |
125 } else { | |
126 num_required_embedded_scts = 2; | |
127 } | |
128 | |
129 size_t min_acceptable_logs = std::max(num_ct_logs_, static_cast<size_t>(2u)); | |
130 return num_embedded_scts >= | |
131 std::min(num_required_embedded_scts, min_acceptable_logs); | |
Ryan Sleevi
2014/11/28 15:27:44
BUG/FUTURE: This doesn't consider when we need to
| |
132 } | |
133 | |
134 } // namespace net | |
OLD | NEW |