| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "net/cert/cert_policy_enforcer.h" |
| 6 |
| 7 #include <algorithm> |
| 8 |
| 9 #include "base/build_time.h" |
| 10 #include "base/metrics/field_trial.h" |
| 11 #include "base/metrics/histogram.h" |
| 12 #include "base/numerics/safe_conversions.h" |
| 13 #include "base/strings/string_number_conversions.h" |
| 14 #include "net/cert/ct_ev_whitelist.h" |
| 15 #include "net/cert/ct_verify_result.h" |
| 16 #include "net/cert/signed_certificate_timestamp.h" |
| 17 #include "net/cert/x509_certificate.h" |
| 18 |
| 19 namespace net { |
| 20 |
| 21 namespace { |
| 22 |
| 23 bool IsEmbeddedSCT(const scoped_refptr<ct::SignedCertificateTimestamp>& sct) { |
| 24 return sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED; |
| 25 } |
| 26 |
| 27 // Returns true if the current build is recent enough to ensure that |
| 28 // built-in security information (e.g. CT Logs) is fresh enough. |
| 29 // TODO(eranm): Move to base or net/base |
| 30 bool IsBuildTimely() { |
| 31 #if defined(DONT_EMBED_BUILD_METADATA) && !defined(OFFICIAL_BUILD) |
| 32 return true; |
| 33 #else |
| 34 const base::Time build_time = base::GetBuildTime(); |
| 35 // We consider built-in information to be timely for 10 weeks. |
| 36 return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */; |
| 37 #endif |
| 38 } |
| 39 |
| 40 uint32_t ApproximateMonthDifference(const base::Time& start, |
| 41 const base::Time& end) { |
| 42 base::Time::Exploded exploded_start; |
| 43 base::Time::Exploded exploded_expiry; |
| 44 start.UTCExplode(&exploded_start); |
| 45 end.UTCExplode(&exploded_expiry); |
| 46 uint32_t month_diff = (exploded_expiry.year - exploded_start.year) * 12 + |
| 47 (exploded_expiry.month - exploded_start.month); |
| 48 |
| 49 // Add any remainder as a full month. |
| 50 if (exploded_expiry.day_of_month > exploded_start.day_of_month) |
| 51 ++month_diff; |
| 52 |
| 53 return month_diff; |
| 54 } |
| 55 |
| 56 enum CTComplianceStatus { |
| 57 CT_NOT_COMPLIANT = 0, |
| 58 CT_IN_WHITELIST = 1, |
| 59 CT_ENOUGH_SCTS = 2, |
| 60 CT_COMPLIANCE_MAX, |
| 61 }; |
| 62 |
| 63 void LogCTComplianceStatusToUMA(CTComplianceStatus status) { |
| 64 UMA_HISTOGRAM_ENUMERATION("Net.SSL_EVCertificateCTCompliance", status, |
| 65 CT_COMPLIANCE_MAX); |
| 66 } |
| 67 |
| 68 } // namespace |
| 69 |
| 70 CertPolicyEnforcer::CertPolicyEnforcer(size_t num_ct_logs, |
| 71 bool require_ct_for_ev) |
| 72 : num_ct_logs_(num_ct_logs), require_ct_for_ev_(require_ct_for_ev) { |
| 73 } |
| 74 |
| 75 CertPolicyEnforcer::~CertPolicyEnforcer() { |
| 76 } |
| 77 |
| 78 bool CertPolicyEnforcer::DoesConformToCTEVPolicy( |
| 79 X509Certificate* cert, |
| 80 const ct::EVCertsWhitelist* ev_whitelist, |
| 81 const ct::CTVerifyResult& ct_result) { |
| 82 if (!require_ct_for_ev_) |
| 83 return true; |
| 84 |
| 85 if (!IsBuildTimely()) |
| 86 return false; |
| 87 |
| 88 if (IsCertificateInWhitelist(cert, ev_whitelist)) { |
| 89 LogCTComplianceStatusToUMA(CT_IN_WHITELIST); |
| 90 return true; |
| 91 } |
| 92 |
| 93 if (HasRequiredNumberOfSCTs(cert, ct_result)) { |
| 94 LogCTComplianceStatusToUMA(CT_ENOUGH_SCTS); |
| 95 return true; |
| 96 } |
| 97 |
| 98 LogCTComplianceStatusToUMA(CT_NOT_COMPLIANT); |
| 99 return false; |
| 100 } |
| 101 |
| 102 bool CertPolicyEnforcer::IsCertificateInWhitelist( |
| 103 X509Certificate* cert, |
| 104 const ct::EVCertsWhitelist* ev_whitelist) { |
| 105 bool cert_in_ev_whitelist = false; |
| 106 if (ev_whitelist && ev_whitelist->IsValid()) { |
| 107 const SHA256HashValue fingerprint( |
| 108 X509Certificate::CalculateFingerprint256(cert->os_cert_handle())); |
| 109 |
| 110 std::string truncated_fp = |
| 111 std::string(reinterpret_cast<const char*>(fingerprint.data), 8); |
| 112 cert_in_ev_whitelist = ev_whitelist->ContainsCertificateHash(truncated_fp); |
| 113 |
| 114 UMA_HISTOGRAM_BOOLEAN("Net.SSL_EVCertificateInWhitelist", |
| 115 cert_in_ev_whitelist); |
| 116 } |
| 117 return cert_in_ev_whitelist; |
| 118 } |
| 119 |
| 120 bool CertPolicyEnforcer::HasRequiredNumberOfSCTs( |
| 121 X509Certificate* cert, |
| 122 const ct::CTVerifyResult& ct_result) { |
| 123 // TODO(eranm): Count the number of *independent* SCTs once the information |
| 124 // about log operators is available, crbug.com/425174 |
| 125 size_t num_valid_scts = ct_result.verified_scts.size(); |
| 126 size_t num_embedded_scts = |
| 127 std::count_if(ct_result.verified_scts.begin(), |
| 128 ct_result.verified_scts.end(), IsEmbeddedSCT); |
| 129 |
| 130 size_t num_non_embedded_scts = num_valid_scts - num_embedded_scts; |
| 131 // If at least two valid SCTs were delivered by means other than embedding |
| 132 // (i.e. in a TLS extension or OCSP), then the certificate conforms to bullet |
| 133 // number 3 of the "Qualifying Certificate" section of the CT/EV policy. |
| 134 if (num_non_embedded_scts >= 2) |
| 135 return true; |
| 136 |
| 137 if (cert->valid_start().is_null() || cert->valid_expiry().is_null() || |
| 138 cert->valid_start().is_max() || cert->valid_expiry().is_max()) { |
| 139 // Will not be able to calculate the certificate's validity period. |
| 140 return false; |
| 141 } |
| 142 |
| 143 uint32_t expiry_in_months_approx = |
| 144 ApproximateMonthDifference(cert->valid_start(), cert->valid_expiry()); |
| 145 |
| 146 // For embedded SCTs, if the certificate has the number of SCTs specified in |
| 147 // table 1 of the "Qualifying Certificate" section of the CT/EV policy, then |
| 148 // it qualifies. |
| 149 size_t num_required_embedded_scts; |
| 150 if (expiry_in_months_approx > 39) { |
| 151 num_required_embedded_scts = 5; |
| 152 } else if (expiry_in_months_approx > 27) { |
| 153 num_required_embedded_scts = 4; |
| 154 } else if (expiry_in_months_approx >= 15) { |
| 155 num_required_embedded_scts = 3; |
| 156 } else { |
| 157 num_required_embedded_scts = 2; |
| 158 } |
| 159 |
| 160 size_t min_acceptable_logs = std::max(num_ct_logs_, static_cast<size_t>(2u)); |
| 161 return num_embedded_scts >= |
| 162 std::min(num_required_embedded_scts, min_acceptable_logs); |
| 163 } |
| 164 |
| 165 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 422063004:
Certificate Transparency: Require SCTs for EV certificates. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master