OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "net/cert/cert_policy_enforcer.h" | |
6 | |
7 #include <algorithm> | |
8 | |
9 #include "base/numerics/safe_conversions.h" | |
10 #include "net/cert/ct_verify_result.h" | |
11 #include "net/cert/signed_certificate_timestamp.h" | |
12 #include "net/cert/x509_certificate.h" | |
13 | |
14 namespace net { | |
15 | |
16 namespace { | |
17 bool g_enforce_ct_presence = false; | |
18 | |
19 bool IsEmbeddedSCT(const scoped_refptr<ct::SignedCertificateTimestamp>& sct) { | |
20 return sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED; | |
21 } | |
22 } | |
23 | |
24 CertPolicyEnforcer::CertPolicyEnforcer(uint32_t num_ct_logs) | |
25 : num_ct_logs_(base::saturated_cast<uint8_t>(num_ct_logs)) { | |
26 } | |
27 | |
28 CertPolicyEnforcer::~CertPolicyEnforcer() { | |
29 } | |
30 | |
31 // static | |
32 void CertPolicyEnforcer::SetEnforceCTEVPolicy(bool enforce_policy) { | |
33 g_enforce_ct_presence = enforce_policy; | |
34 } | |
35 | |
36 bool CertPolicyEnforcer::DoesConformToCTEVPolicy( | |
37 X509Certificate* cert, | |
38 const ct::CTVerifyResult& ct_result) { | |
39 if (!g_enforce_ct_presence) { | |
40 return true; | |
41 } | |
Ryan Sleevi
2014/10/22 19:48:35
no braces on single-line if's in //net
Eran Messeri
2014/10/24 12:12:35
Done.
| |
42 uint8_t num_valid_scts = | |
43 base::saturated_cast<uint16_t>(ct_result.verified_scts.size()); | |
Ryan Sleevi
2014/10/22 19:48:35
Casting is wrong here, isn't it? Shouldn't it be u
Eran Messeri
2014/10/24 12:12:35
Switched to size_t throughout, as suggested.
| |
44 uint8_t num_embedded_scts = base::saturated_cast<uint16_t>( | |
45 std::count_if(ct_result.verified_scts.begin(), | |
46 ct_result.verified_scts.end(), | |
47 IsEmbeddedSCT)); | |
48 | |
49 // TODO(eranm): Count the number of *independent* SCTs once the information | |
50 // about log operators is available, crbug.com/425174 | |
51 uint8_t num_non_embedded_scts = num_valid_scts - num_embedded_scts; | |
52 if (num_non_embedded_scts >= 2) { | |
53 return true; | |
54 } | |
55 | |
56 if ((num_non_embedded_scts == 1) && (num_embedded_scts > 0)) { | |
57 return true; | |
58 } | |
59 | |
60 if (cert->valid_start().is_null() || cert->valid_expiry().is_null()) { | |
61 // Will not be able to calculate the certificate's validity period. | |
Ryan Sleevi
2014/10/22 19:48:35
Shouldn't this be the first check? to avoid iterat
Eran Messeri
2014/10/24 12:12:35
I believe not: The policy (outlined in the CT/EV p
| |
62 return false; | |
63 } | |
64 | |
65 base::TimeDelta expiry_period = cert->valid_expiry() - cert->valid_start(); | |
66 uint32_t expiry_in_months_approx = expiry_period.InDays() / 30.14; | |
67 // At most 5 SCTs are required - for certificate with lifetime of over | |
68 // 39 months. | |
69 uint8_t num_required_embedded_scts = 5; | |
70 if (expiry_in_months_approx > 27) { | |
71 num_required_embedded_scts = 4; | |
72 } else if (expiry_in_months_approx >= 15) { | |
73 num_required_embedded_scts = 3; | |
74 } else { | |
75 num_required_embedded_scts = 2; | |
76 } | |
77 | |
78 uint8_t min_acceptable_logs = | |
79 std::max(static_cast<uint8_t>(2u), num_ct_logs_); | |
80 return num_embedded_scts >= | |
81 std::min(num_required_embedded_scts, min_acceptable_logs); | |
82 } | |
83 } // namespace net | |
Ryan Sleevi
2014/10/22 19:48:35
newline between 82 & 83
Eran Messeri
2014/10/24 12:12:35
Done.
| |
OLD | NEW |