Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(829)

Unified Diff: net/cert/cert_policy_enforcer.cc

Issue 422063004: Certificate Transparency: Require SCTs for EV certificates. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Fixing pointer type and tests Created 6 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: net/cert/cert_policy_enforcer.cc
diff --git a/net/cert/cert_policy_enforcer.cc b/net/cert/cert_policy_enforcer.cc
new file mode 100644
index 0000000000000000000000000000000000000000..735bee7c79a887438ef7847ba239965100a1ef9e
--- /dev/null
+++ b/net/cert/cert_policy_enforcer.cc
@@ -0,0 +1,95 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/cert_policy_enforcer.h"
+
+#include <algorithm>
+
+#include "base/metrics/histogram.h"
+#include "base/numerics/safe_conversions.h"
+#include "net/cert/ct_ev_whitelist.h"
+#include "net/cert/ct_verify_result.h"
+#include "net/cert/signed_certificate_timestamp.h"
+#include "net/cert/x509_certificate.h"
+
+namespace net {
+
+namespace {
+bool IsEmbeddedSCT(const scoped_refptr<ct::SignedCertificateTimestamp>& sct) {
+ return sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED;
+}
+}
+
+CertPolicyEnforcer::CertPolicyEnforcer(size_t num_ct_logs,
+ bool require_ct_for_ev)
+ : num_ct_logs_(num_ct_logs), enforce_ct_requirement_(require_ct_for_ev) {
+}
+
+CertPolicyEnforcer::~CertPolicyEnforcer() {
+}
+
+bool CertPolicyEnforcer::DoesConformToCTEVPolicy(
+ X509Certificate* cert,
+ const ct::EVCertsWhitelist* ev_whitelist,
+ const ct::CTVerifyResult& ct_result) {
+ bool cert_in_ev_whitelist = false;
+ if (ev_whitelist && ev_whitelist->IsValid()) {
+ const SHA256HashValue fingerprint(
+ X509Certificate::CalculateFingerprint256(cert->os_cert_handle()));
+
+ cert_in_ev_whitelist = ev_whitelist->ContainsCertificateHash(
+ std::string(reinterpret_cast<const char*>(fingerprint.data), 8));
+ }
+
+ UMA_HISTOGRAM_BOOLEAN("Net.SSL_EVCertificateInWhitelist",
+ cert_in_ev_whitelist);
+
+ if (!enforce_ct_requirement_)
+ return true;
+
Ryan Sleevi 2014/11/06 00:16:43 Note that this code is missing the build date fres
Eran Messeri 2014/11/20 11:49:56 Added (by shamelessly copying it from TransportSec
+ if (cert_in_ev_whitelist)
+ return true;
+
+ size_t num_valid_scts = ct_result.verified_scts.size();
+ size_t num_embedded_scts =
+ std::count_if(ct_result.verified_scts.begin(),
+ ct_result.verified_scts.end(), IsEmbeddedSCT);
Ryan Sleevi 2014/11/11 02:50:18 So, from the ct-policy discussion, I should have p
Eran Messeri 2014/11/20 11:49:56 See my previous reply - IIUC that's to avoid distr
+
+ // TODO(eranm): Count the number of *independent* SCTs once the information
+ // about log operators is available, crbug.com/425174
+ size_t num_non_embedded_scts = num_valid_scts - num_embedded_scts;
+ if (num_non_embedded_scts >= 2) {
Ryan Sleevi 2014/11/06 00:16:43 net code omits braces for single-line conditionals
Eran Messeri 2014/11/20 11:49:56 Done per your guidelines.
+ return true;
+ }
+
+ if ((num_non_embedded_scts == 1) && (num_embedded_scts > 0)) {
+ return true;
+ }
+
+ if (cert->valid_start().is_null() || cert->valid_expiry().is_null()) {
+ // Will not be able to calculate the certificate's validity period.
+ return false;
+ }
+
+ base::TimeDelta expiry_period = cert->valid_expiry() - cert->valid_start();
+ uint32_t expiry_in_months_approx = expiry_period.InDays() / 30.14;
Ryan Sleevi 2014/11/06 00:16:43 Does it make more sense to adopt math similar to t
Eran Messeri 2014/11/20 11:49:56 Yes, used similar logic here. I considered adding
+ // At most 5 SCTs are required - for certificate with lifetime of over
+ // 39 months.
+ size_t num_required_embedded_scts;
+ if (expiry_in_months_approx > 39) {
+ num_required_embedded_scts = 5;
+ } else if (expiry_in_months_approx > 27) {
+ num_required_embedded_scts = 4;
+ } else if (expiry_in_months_approx >= 15) {
+ num_required_embedded_scts = 3;
+ } else {
+ num_required_embedded_scts = 2;
+ }
+
+ size_t min_acceptable_logs = std::max(static_cast<size_t>(2), num_ct_logs_);
Ryan Sleevi 2014/11/06 00:16:43 just do 2U and it should be sufficient, right? Or
Eran Messeri 2014/11/20 11:49:56 Tried both, the compiler was equally unhappy - I h
+ return num_embedded_scts >=
+ std::min(num_required_embedded_scts, min_acceptable_logs);
+}
+
+} // namespace net

Powered by Google App Engine
This is Rietveld 408576698