Chromium Code Reviews Chromium Code Reviews
Issue 422063004:
Certificate Transparency: Require SCTs for EV certificates. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/cert/cert_policy_enforcer.h" | |
| 6 | |
| 7 #include <algorithm> | |
| 8 | |
| 9 #include "base/build_time.h" | |
| 10 #include "base/metrics/field_trial.h" | |
| 11 #include "base/metrics/histogram.h" | |
| 12 #include "base/numerics/safe_conversions.h" | |
| 13 #include "base/strings/string_number_conversions.h" | |
| 14 #include "net/cert/ct_ev_whitelist.h" | |
| 15 #include "net/cert/ct_verify_result.h" | |
| 16 #include "net/cert/signed_certificate_timestamp.h" | |
| 17 #include "net/cert/x509_certificate.h" | |
| 18 | |
| 19 namespace net { | |
| 20 | |
| 21 namespace { | |
| 22 | |
| 23 bool IsEmbeddedSCT(const scoped_refptr<ct::SignedCertificateTimestamp>& sct) { | |
| 24 return sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED; | |
| 25 } | |
| 26 | |
| 27 // Returns true if the current build is recent enough to ensure that | |
| 28 // built-in security information (e.g. CT Logs) is fresh enough. | |
| 29 // TODO(eranm): Move to base or net/base | |
| 30 bool IsBuildTimely() { | |
| 31 #if defined(DONT_EMBED_BUILD_METADATA) && !defined(OFFICIAL_BUILD) | |
| 32 return true; | |
| 33 #else | |
| 34 const base::Time build_time = base::GetBuildTime(); | |
| 35 // We consider built-in information to be timely for 10 weeks. | |
| 36 return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */; | |
| 37 #endif | |
| 38 } | |
| 39 | |
| 40 uint32_t ApproximateMonthDifference(const base::Time& start, | |
| 41 const base::Time& end) { | |
| 42 base::Time::Exploded exploded_start; | |
| 43 base::Time::Exploded exploded_expiry; | |
| 44 start.UTCExplode(&exploded_start); | |
| 45 end.UTCExplode(&exploded_expiry); | |
| 46 uint32_t month_diff = (exploded_expiry.year - exploded_start.year) * 12 + | |
| 47 (exploded_expiry.month - exploded_start.month); | |
| 48 | |
| 49 // Add any remainder as a full month. | |
| 50 if (exploded_expiry.day_of_month > exploded_start.day_of_month) | |
| 51 ++month_diff; | |
| 52 | |
| 53 return month_diff; | |
| 54 } | |
| 55 | |
| 56 bool RequireCTForEV() { | |
| 57 return base::FieldTrialList::FindFullName("CTRequiredForEVTrial") == | |
| 58 "ExperimentGroup"; | |
|
Ryan Sleevi
2014/12/01 15:27:55
Unnecessary part of your in-process change?
Eran Messeri
2014/12/01 17:29:54
Done, removed.
| |
| 59 } | |
| 60 | |
| 61 enum CTComplianceStatus { | |
| 62 CT_NOT_COMPLIANT = 0, | |
| 63 CT_IN_WHITELIST = 1, | |
| 64 CT_ENOUGH_SCTS = 2, | |
| 65 CT_COMPLIANCE_MAX, | |
| 66 }; | |
| 67 | |
| 68 void LogCTComplianceStatusToUMA(CTComplianceStatus status) { | |
| 69 UMA_HISTOGRAM_ENUMERATION("Net.SSL_EVCertificateCTCompliance", status, | |
| 70 CT_COMPLIANCE_MAX); | |
| 71 } | |
| 72 } | |
|
Ryan Sleevi
2014/12/01 15:27:55
missed this before, add a newline between the two
Eran Messeri
2014/12/01 17:29:54
Done.
| |
| 73 | |
| 74 CertPolicyEnforcer::CertPolicyEnforcer(size_t num_ct_logs, | |
| 75 bool require_ct_for_ev) | |
| 76 : num_ct_logs_(num_ct_logs), require_ct_for_ev_(require_ct_for_ev) { | |
| 77 } | |
| 78 | |
| 79 CertPolicyEnforcer::~CertPolicyEnforcer() { | |
| 80 } | |
| 81 | |
| 82 bool CertPolicyEnforcer::DoesConformToCTEVPolicy( | |
| 83 X509Certificate* cert, | |
| 84 const ct::EVCertsWhitelist* ev_whitelist, | |
| 85 const ct::CTVerifyResult& ct_result) { | |
| 86 if (!(RequireCTForEV() || require_ct_for_ev_)) | |
|
Ryan Sleevi
2014/12/01 15:27:55
I generally dislike extra nested
if (!RequireCTFo
Eran Messeri
2014/12/01 17:29:54
Done.
| |
| 87 return true; | |
| 88 | |
| 89 if (!IsBuildTimely()) | |
| 90 return false; | |
| 91 | |
| 92 if (IsCertificateInWhitelist(cert, ev_whitelist)) { | |
| 93 LogCTComplianceStatusToUMA(CT_IN_WHITELIST); | |
| 94 return true; | |
| 95 } | |
| 96 | |
| 97 if (HasRequiredNumberOfSCTs(cert, ct_result)) { | |
| 98 LogCTComplianceStatusToUMA(CT_ENOUGH_SCTS); | |
| 99 return true; | |
| 100 } | |
| 101 | |
| 102 LogCTComplianceStatusToUMA(CT_NOT_COMPLIANT); | |
| 103 return false; | |
| 104 } | |
| 105 | |
| 106 bool CertPolicyEnforcer::IsCertificateInWhitelist( | |
| 107 X509Certificate* cert, | |
| 108 const ct::EVCertsWhitelist* ev_whitelist) { | |
| 109 bool cert_in_ev_whitelist = false; | |
| 110 if (ev_whitelist && ev_whitelist->IsValid()) { | |
| 111 const SHA256HashValue fingerprint( | |
| 112 X509Certificate::CalculateFingerprint256(cert->os_cert_handle())); | |
| 113 | |
| 114 std::string truncated_fp = | |
| 115 std::string(reinterpret_cast<const char*>(fingerprint.data), 8); | |
| 116 cert_in_ev_whitelist = ev_whitelist->ContainsCertificateHash(truncated_fp); | |
| 117 | |
| 118 UMA_HISTOGRAM_BOOLEAN("Net.SSL_EVCertificateInWhitelist", | |
| 119 cert_in_ev_whitelist); | |
| 120 } | |
| 121 return cert_in_ev_whitelist; | |
| 122 } | |
| 123 | |
| 124 bool CertPolicyEnforcer::HasRequiredNumberOfSCTs( | |
| 125 X509Certificate* cert, | |
| 126 const ct::CTVerifyResult& ct_result) { | |
| 127 // TODO(eranm): Count the number of *independent* SCTs once the information | |
| 128 // about log operators is available, crbug.com/425174 | |
| 129 size_t num_valid_scts = ct_result.verified_scts.size(); | |
| 130 size_t num_embedded_scts = | |
| 131 std::count_if(ct_result.verified_scts.begin(), | |
| 132 ct_result.verified_scts.end(), IsEmbeddedSCT); | |
| 133 | |
| 134 size_t num_non_embedded_scts = num_valid_scts - num_embedded_scts; | |
| 135 // If at least two valid SCTs were delivered by means other than embedding | |
| 136 // (i.e. in a TLS extension or OCSP), then the certificate conforms to bullet | |
| 137 // number 3 of the "Qualifying Certificate" section of the CT/EV policy. | |
| 138 if (num_non_embedded_scts >= 2) | |
| 139 return true; | |
| 140 | |
| 141 if (cert->valid_start().is_null() || cert->valid_expiry().is_null() || | |
| 142 cert->valid_start().is_max() || cert->valid_expiry().is_max()) { | |
| 143 // Will not be able to calculate the certificate's validity period. | |
| 144 return false; | |
| 145 } | |
| 146 | |
| 147 uint32_t expiry_in_months_approx = | |
| 148 ApproximateMonthDifference(cert->valid_start(), cert->valid_expiry()); | |
| 149 | |
| 150 // For embedded SCTs, if the certificate has the number of SCTs specified in | |
| 151 // table 1 of the "Qualifying Certificate" section of the CT/EV policy, then | |
| 152 // it qualifies. | |
| 153 size_t num_required_embedded_scts; | |
| 154 if (expiry_in_months_approx > 39) { | |
| 155 num_required_embedded_scts = 5; | |
| 156 } else if (expiry_in_months_approx > 27) { | |
| 157 num_required_embedded_scts = 4; | |
| 158 } else if (expiry_in_months_approx >= 15) { | |
| 159 num_required_embedded_scts = 3; | |
| 160 } else { | |
| 161 num_required_embedded_scts = 2; | |
| 162 } | |
| 163 | |
| 164 size_t min_acceptable_logs = std::max(num_ct_logs_, static_cast<size_t>(2u)); | |
| 165 return num_embedded_scts >= | |
| 166 std::min(num_required_embedded_scts, min_acceptable_logs); | |
| 167 } | |
| 168 | |
| 169 } // namespace net | |
| OLD | NEW |
