Index: net/cert/multi_log_ct_verifier.cc |
diff --git a/net/cert/multi_log_ct_verifier.cc b/net/cert/multi_log_ct_verifier.cc |
index f3014ad9f5cd92f7f3fcf19bb698a9c0861a99c8..533c2bb205cb5db16e70c4a32135b88d2a3ab335 100644 |
--- a/net/cert/multi_log_ct_verifier.cc |
+++ b/net/cert/multi_log_ct_verifier.cc |
@@ -4,6 +4,7 @@ |
#include "net/cert/multi_log_ct_verifier.h" |
+#include <algorithm> |
#include <vector> |
#include "base/bind.h" |
@@ -81,6 +82,10 @@ void MultiLogCTVerifier::AddLogs( |
log_verifiers.weak_clear(); |
} |
+void MultiLogCTVerifier::SetEnforceCTEVPolicy(bool enforce_policy) { |
+ enforce_ct_ev_policy_ = enforce_policy; |
+} |
+ |
int MultiLogCTVerifier::Verify( |
X509Certificate* cert, |
const std::string& stapled_ocsp_response, |
@@ -233,4 +238,54 @@ bool MultiLogCTVerifier::VerifySingleSCT( |
return true; |
} |
-} // namespace net |
+bool IsEmbeddedSCT(const scoped_refptr<ct::SignedCertificateTimestamp>& sct) { |
+ return sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED; |
+} |
+ |
+bool MultiLogCTVerifier::DoesConformToCTEVPolicy( |
+ X509Certificate* cert, |
+ const ct::CTVerifyResult& ct_result) { |
+ if (!enforce_ct_ev_policy_) { |
+ return true; |
+ } |
+ int num_valid_scts = ct_result.verified_scts.size(); |
Ryan Sleevi
2014/08/05 22:19:10
1) Wrong integer type (permeates the rest of this
Eran Messeri
2014/10/20 17:26:30
Done.
|
+ int num_embedded_scts = std::count_if( |
+ ct_result.verified_scts.begin(), |
+ ct_result.verified_scts.end(), |
+ IsEmbeddedSCT); |
+ |
+ //TODO(eranm): Count the number of *independent* SCTs once the information |
+ //about log operators is available. |
Ryan Sleevi
2014/08/05 22:19:10
1) Style: Spaces after //
2) Bugs filed.
Eran Messeri
2014/10/20 17:26:30
Done and done.
|
+ int num_non_embedded_scts = num_valid_scts - num_embedded_scts; |
+ if (num_non_embedded_scts >= 2) { |
+ return true; |
+ } |
+ |
+ if ((num_non_embedded_scts == 1) && (num_embedded_scts > 0)) { |
+ return true; |
+ } |
+ |
+ if (cert->valid_start().is_null() || |
+ cert->valid_expiry().is_null()) { |
+ // Will not be able to calculate the certificate's validity period. |
+ return false; |
+ } |
+ |
+ int min_acceptable_logs = std::max((unsigned long) 2, logs_.size()); |
Ryan Sleevi
2014/08/05 22:19:10
1) C-cast
2) Wrong type (.size() == size_t)
3) Bad
Eran Messeri
2014/10/20 17:26:30
Fixed all (hopefully) by making min_acceptable_log
|
+ base::TimeDelta expiry_period = cert->valid_expiry() - cert->valid_start(); |
+ uint32 expiry_in_months_approx = expiry_period.InDays() / 30.14; |
+ // At most 5 SCTs are required - for certificate with lifetime of over |
+ // 39 months. |
+ int num_required_embedded_scts = 5; |
+ if (expiry_in_months_approx > 27) { |
+ num_required_embedded_scts = 4; |
+ } else if (expiry_in_months_approx >= 15) { |
+ num_required_embedded_scts = 3; |
+ } else { |
+ num_required_embedded_scts = 2; |
+ } |
+ |
+ return num_embedded_scts >= std::min(num_required_embedded_scts, min_acceptable_logs); |
+} |
+ |
+} // namespace net |