Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(189)

Unified Diff: net/cert/multi_log_ct_verifier.cc

Issue 422063004: Certificate Transparency: Require SCTs for EV certificates. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Refining policy based on discussion with rsleevi Created 6 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: net/cert/multi_log_ct_verifier.cc
diff --git a/net/cert/multi_log_ct_verifier.cc b/net/cert/multi_log_ct_verifier.cc
index f3014ad9f5cd92f7f3fcf19bb698a9c0861a99c8..533c2bb205cb5db16e70c4a32135b88d2a3ab335 100644
--- a/net/cert/multi_log_ct_verifier.cc
+++ b/net/cert/multi_log_ct_verifier.cc
@@ -4,6 +4,7 @@
#include "net/cert/multi_log_ct_verifier.h"
+#include <algorithm>
#include <vector>
#include "base/bind.h"
@@ -81,6 +82,10 @@ void MultiLogCTVerifier::AddLogs(
log_verifiers.weak_clear();
}
+void MultiLogCTVerifier::SetEnforceCTEVPolicy(bool enforce_policy) {
+ enforce_ct_ev_policy_ = enforce_policy;
+}
+
int MultiLogCTVerifier::Verify(
X509Certificate* cert,
const std::string& stapled_ocsp_response,
@@ -233,4 +238,54 @@ bool MultiLogCTVerifier::VerifySingleSCT(
return true;
}
-} // namespace net
+bool IsEmbeddedSCT(const scoped_refptr<ct::SignedCertificateTimestamp>& sct) {
+ return sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED;
+}
+
+bool MultiLogCTVerifier::DoesConformToCTEVPolicy(
+ X509Certificate* cert,
+ const ct::CTVerifyResult& ct_result) {
+ if (!enforce_ct_ev_policy_) {
+ return true;
+ }
+ int num_valid_scts = ct_result.verified_scts.size();
Ryan Sleevi 2014/08/05 22:19:10 1) Wrong integer type (permeates the rest of this
Eran Messeri 2014/10/20 17:26:30 Done.
+ int num_embedded_scts = std::count_if(
+ ct_result.verified_scts.begin(),
+ ct_result.verified_scts.end(),
+ IsEmbeddedSCT);
+
+ //TODO(eranm): Count the number of *independent* SCTs once the information
+ //about log operators is available.
Ryan Sleevi 2014/08/05 22:19:10 1) Style: Spaces after // 2) Bugs filed.
Eran Messeri 2014/10/20 17:26:30 Done and done.
+ int num_non_embedded_scts = num_valid_scts - num_embedded_scts;
+ if (num_non_embedded_scts >= 2) {
+ return true;
+ }
+
+ if ((num_non_embedded_scts == 1) && (num_embedded_scts > 0)) {
+ return true;
+ }
+
+ if (cert->valid_start().is_null() ||
+ cert->valid_expiry().is_null()) {
+ // Will not be able to calculate the certificate's validity period.
+ return false;
+ }
+
+ int min_acceptable_logs = std::max((unsigned long) 2, logs_.size());
Ryan Sleevi 2014/08/05 22:19:10 1) C-cast 2) Wrong type (.size() == size_t) 3) Bad
Eran Messeri 2014/10/20 17:26:30 Fixed all (hopefully) by making min_acceptable_log
+ base::TimeDelta expiry_period = cert->valid_expiry() - cert->valid_start();
+ uint32 expiry_in_months_approx = expiry_period.InDays() / 30.14;
+ // At most 5 SCTs are required - for certificate with lifetime of over
+ // 39 months.
+ int num_required_embedded_scts = 5;
+ if (expiry_in_months_approx > 27) {
+ num_required_embedded_scts = 4;
+ } else if (expiry_in_months_approx >= 15) {
+ num_required_embedded_scts = 3;
+ } else {
+ num_required_embedded_scts = 2;
+ }
+
+ return num_embedded_scts >= std::min(num_required_embedded_scts, min_acceptable_logs);
+}
+
+} // namespace net

Powered by Google App Engine
This is Rietveld 408576698