Certificate Transparency: Require SCTs for EV certificates.

net/cert/multi_log_ct_verifier.cc

Index: net/cert/multi_log_ct_verifier.cc
diff --git a/net/cert/multi_log_ct_verifier.cc b/net/cert/multi_log_ct_verifier.cc
index f3014ad9f5cd92f7f3fcf19bb698a9c0861a99c8..533c2bb205cb5db16e70c4a32135b88d2a3ab335 100644
--- a/net/cert/multi_log_ct_verifier.cc
+++ b/net/cert/multi_log_ct_verifier.cc
@@ -4,6 +4,7 @@
 
 #include "net/cert/multi_log_ct_verifier.h"
 
+#include <algorithm>
 #include <vector>
 
 #include "base/bind.h"
@@ -81,6 +82,10 @@ void MultiLogCTVerifier::AddLogs(
   log_verifiers.weak_clear();
 }
 
+void MultiLogCTVerifier::SetEnforceCTEVPolicy(bool enforce_policy) {
+  enforce_ct_ev_policy_ = enforce_policy;
+}
+
 int MultiLogCTVerifier::Verify(
     X509Certificate* cert,
     const std::string& stapled_ocsp_response,
@@ -233,4 +238,54 @@ bool MultiLogCTVerifier::VerifySingleSCT(
   return true;
 }
 
-} // namespace net
+bool IsEmbeddedSCT(const scoped_refptr<ct::SignedCertificateTimestamp>& sct) {
+  return sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED;
+}
+
+bool MultiLogCTVerifier::DoesConformToCTEVPolicy(
+      X509Certificate* cert,
+      const ct::CTVerifyResult& ct_result) {
+  if (!enforce_ct_ev_policy_) {
+    return true;
+  }
+  int num_valid_scts = ct_result.verified_scts.size();

[Ryan Sleevi, 2014/08/05 22:19:10]

1) Wrong integer type (permeates the rest of this file)

[Eran Messeri, 2014/10/20 17:26:30]

Done.

+  int num_embedded_scts = std::count_if(
+      ct_result.verified_scts.begin(),
+      ct_result.verified_scts.end(),
+      IsEmbeddedSCT);
+
+  //TODO(eranm): Count the number of *independent* SCTs once the information
+  //about log operators is available.

[Ryan Sleevi, 2014/08/05 22:19:10]

1) Style: Spaces after //
2) Bugs filed.

[Eran Messeri, 2014/10/20 17:26:30]

Done and done.

+  int num_non_embedded_scts = num_valid_scts - num_embedded_scts;
+  if (num_non_embedded_scts >= 2) {
+    return true;
+  }
+
+  if ((num_non_embedded_scts == 1) && (num_embedded_scts > 0)) {
+    return true;
+  }
+
+  if (cert->valid_start().is_null() ||
+      cert->valid_expiry().is_null()) {
+    // Will not be able to calculate the certificate's validity period.
+    return false;
+  }
+
+  int min_acceptable_logs = std::max((unsigned long) 2, logs_.size());

[Ryan Sleevi, 2014/08/05 22:19:10]

1) C-cast
2) Wrong type (.size() == size_t)
3) Bad downcast (size_t -> int)

[Eran Messeri, 2014/10/20 17:26:30]

Fixed all (hopefully) by making min_acceptable_logs size_t and using 2ul as the
literal. 

+  base::TimeDelta expiry_period = cert->valid_expiry() - cert->valid_start();
+  uint32 expiry_in_months_approx = expiry_period.InDays() / 30.14;
+  // At most 5 SCTs are required - for certificate with lifetime of over
+  // 39 months.
+  int num_required_embedded_scts = 5;
+  if (expiry_in_months_approx > 27) {
+    num_required_embedded_scts = 4;
+  } else if (expiry_in_months_approx >= 15) {
+    num_required_embedded_scts = 3;
+  } else {
+    num_required_embedded_scts = 2;
+  }
+
+  return num_embedded_scts >= std::min(num_required_embedded_scts, min_acceptable_logs);
+}
+
+}  // namespace net