OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "net/cert/cert_policy_enforcer.h" | |
6 | |
7 #include <algorithm> | |
8 | |
9 #include "base/build_time.h" | |
10 #include "base/metrics/field_trial.h" | |
11 #include "base/metrics/histogram.h" | |
12 #include "base/numerics/safe_conversions.h" | |
13 #include "base/strings/string_number_conversions.h" | |
14 #include "net/cert/ct_ev_whitelist.h" | |
15 #include "net/cert/ct_verify_result.h" | |
16 #include "net/cert/signed_certificate_timestamp.h" | |
17 #include "net/cert/x509_certificate.h" | |
18 | |
19 namespace net { | |
20 | |
21 namespace { | |
22 | |
23 bool IsEmbeddedSCT(const scoped_refptr<ct::SignedCertificateTimestamp>& sct) { | |
24 return sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED; | |
25 } | |
26 | |
27 // Returns true if the current build is recent enough to ensure that | |
28 // built-in security information (e.g. CT Logs) is fresh enough. | |
29 // TODO(eranm): Move to base or net/base | |
30 bool IsBuildTimely() { | |
31 #if defined(DONT_EMBED_BUILD_METADATA) && !defined(OFFICIAL_BUILD) | |
32 return true; | |
33 #else | |
34 const base::Time build_time = base::GetBuildTime(); | |
35 // We consider built-in information to be timely for 10 weeks. | |
36 return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */; | |
37 #endif | |
38 } | |
39 | |
40 uint32_t ApproximateMonthDifference(const base::Time& start, | |
41 const base::Time& end) { | |
42 base::Time::Exploded exploded_start; | |
43 base::Time::Exploded exploded_expiry; | |
44 start.UTCExplode(&exploded_start); | |
45 end.UTCExplode(&exploded_expiry); | |
46 uint32_t month_diff = (exploded_expiry.year - exploded_start.year) * 12 + | |
47 (exploded_expiry.month - exploded_start.month); | |
48 | |
49 // Add any remainder as a full month. | |
50 if (exploded_expiry.day_of_month > exploded_start.day_of_month) | |
51 ++month_diff; | |
52 | |
53 return month_diff; | |
54 } | |
55 | |
56 bool RequireCTForEV() { | |
57 return base::FieldTrialList::FindFullName("CTRequiredForEVTrial") == | |
58 "ExperimentGroup"; | |
Ryan Sleevi
2014/12/01 15:27:55
Unnecessary part of your in-process change?
Eran Messeri
2014/12/01 17:29:54
Done, removed.
| |
59 } | |
60 | |
61 enum CTComplianceStatus { | |
62 CT_NOT_COMPLIANT = 0, | |
63 CT_IN_WHITELIST = 1, | |
64 CT_ENOUGH_SCTS = 2, | |
65 CT_COMPLIANCE_MAX, | |
66 }; | |
67 | |
68 void LogCTComplianceStatusToUMA(CTComplianceStatus status) { | |
69 UMA_HISTOGRAM_ENUMERATION("Net.SSL_EVCertificateCTCompliance", status, | |
70 CT_COMPLIANCE_MAX); | |
71 } | |
72 } | |
Ryan Sleevi
2014/12/01 15:27:55
missed this before, add a newline between the two
Eran Messeri
2014/12/01 17:29:54
Done.
| |
73 | |
74 CertPolicyEnforcer::CertPolicyEnforcer(size_t num_ct_logs, | |
75 bool require_ct_for_ev) | |
76 : num_ct_logs_(num_ct_logs), require_ct_for_ev_(require_ct_for_ev) { | |
77 } | |
78 | |
79 CertPolicyEnforcer::~CertPolicyEnforcer() { | |
80 } | |
81 | |
82 bool CertPolicyEnforcer::DoesConformToCTEVPolicy( | |
83 X509Certificate* cert, | |
84 const ct::EVCertsWhitelist* ev_whitelist, | |
85 const ct::CTVerifyResult& ct_result) { | |
86 if (!(RequireCTForEV() || require_ct_for_ev_)) | |
Ryan Sleevi
2014/12/01 15:27:55
I generally dislike extra nested
if (!RequireCTFo
Eran Messeri
2014/12/01 17:29:54
Done.
| |
87 return true; | |
88 | |
89 if (!IsBuildTimely()) | |
90 return false; | |
91 | |
92 if (IsCertificateInWhitelist(cert, ev_whitelist)) { | |
93 LogCTComplianceStatusToUMA(CT_IN_WHITELIST); | |
94 return true; | |
95 } | |
96 | |
97 if (HasRequiredNumberOfSCTs(cert, ct_result)) { | |
98 LogCTComplianceStatusToUMA(CT_ENOUGH_SCTS); | |
99 return true; | |
100 } | |
101 | |
102 LogCTComplianceStatusToUMA(CT_NOT_COMPLIANT); | |
103 return false; | |
104 } | |
105 | |
106 bool CertPolicyEnforcer::IsCertificateInWhitelist( | |
107 X509Certificate* cert, | |
108 const ct::EVCertsWhitelist* ev_whitelist) { | |
109 bool cert_in_ev_whitelist = false; | |
110 if (ev_whitelist && ev_whitelist->IsValid()) { | |
111 const SHA256HashValue fingerprint( | |
112 X509Certificate::CalculateFingerprint256(cert->os_cert_handle())); | |
113 | |
114 std::string truncated_fp = | |
115 std::string(reinterpret_cast<const char*>(fingerprint.data), 8); | |
116 cert_in_ev_whitelist = ev_whitelist->ContainsCertificateHash(truncated_fp); | |
117 | |
118 UMA_HISTOGRAM_BOOLEAN("Net.SSL_EVCertificateInWhitelist", | |
119 cert_in_ev_whitelist); | |
120 } | |
121 return cert_in_ev_whitelist; | |
122 } | |
123 | |
124 bool CertPolicyEnforcer::HasRequiredNumberOfSCTs( | |
125 X509Certificate* cert, | |
126 const ct::CTVerifyResult& ct_result) { | |
127 // TODO(eranm): Count the number of *independent* SCTs once the information | |
128 // about log operators is available, crbug.com/425174 | |
129 size_t num_valid_scts = ct_result.verified_scts.size(); | |
130 size_t num_embedded_scts = | |
131 std::count_if(ct_result.verified_scts.begin(), | |
132 ct_result.verified_scts.end(), IsEmbeddedSCT); | |
133 | |
134 size_t num_non_embedded_scts = num_valid_scts - num_embedded_scts; | |
135 // If at least two valid SCTs were delivered by means other than embedding | |
136 // (i.e. in a TLS extension or OCSP), then the certificate conforms to bullet | |
137 // number 3 of the "Qualifying Certificate" section of the CT/EV policy. | |
138 if (num_non_embedded_scts >= 2) | |
139 return true; | |
140 | |
141 if (cert->valid_start().is_null() || cert->valid_expiry().is_null() || | |
142 cert->valid_start().is_max() || cert->valid_expiry().is_max()) { | |
143 // Will not be able to calculate the certificate's validity period. | |
144 return false; | |
145 } | |
146 | |
147 uint32_t expiry_in_months_approx = | |
148 ApproximateMonthDifference(cert->valid_start(), cert->valid_expiry()); | |
149 | |
150 // For embedded SCTs, if the certificate has the number of SCTs specified in | |
151 // table 1 of the "Qualifying Certificate" section of the CT/EV policy, then | |
152 // it qualifies. | |
153 size_t num_required_embedded_scts; | |
154 if (expiry_in_months_approx > 39) { | |
155 num_required_embedded_scts = 5; | |
156 } else if (expiry_in_months_approx > 27) { | |
157 num_required_embedded_scts = 4; | |
158 } else if (expiry_in_months_approx >= 15) { | |
159 num_required_embedded_scts = 3; | |
160 } else { | |
161 num_required_embedded_scts = 2; | |
162 } | |
163 | |
164 size_t min_acceptable_logs = std::max(num_ct_logs_, static_cast<size_t>(2u)); | |
165 return num_embedded_scts >= | |
166 std::min(num_required_embedded_scts, min_acceptable_logs); | |
167 } | |
168 | |
169 } // namespace net | |
OLD | NEW |