Index: net/cert/cert_policy_enforcer.cc |
diff --git a/net/cert/cert_policy_enforcer.cc b/net/cert/cert_policy_enforcer.cc |
new file mode 100644 |
index 0000000000000000000000000000000000000000..45255e7d2df79bbf04dfee12de084b881114fc6f |
--- /dev/null |
+++ b/net/cert/cert_policy_enforcer.cc |
@@ -0,0 +1,134 @@ |
+// Copyright 2014 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#include "net/cert/cert_policy_enforcer.h" |
+ |
+#include <algorithm> |
+ |
+#include "base/build_time.h" |
+#include "base/metrics/histogram.h" |
+#include "base/numerics/safe_conversions.h" |
+#include "base/strings/string_number_conversions.h" |
+#include "net/cert/ct_ev_whitelist.h" |
+#include "net/cert/ct_verify_result.h" |
+#include "net/cert/signed_certificate_timestamp.h" |
+#include "net/cert/x509_certificate.h" |
+ |
+namespace net { |
+ |
+namespace { |
+ |
+bool IsEmbeddedSCT(const scoped_refptr<ct::SignedCertificateTimestamp>& sct) { |
+ return sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED; |
+} |
+ |
+// Taken from TransportSecurityState::IsBuildTimely |
Ryan Sleevi
2014/11/28 15:27:44
Don't describe where this is from, describe why it
Eran Messeri
2014/12/01 13:59:02
Done.
|
+// TODO(eranm): Move to base or net/base |
+bool IsBuildTimely() { |
+#if defined(DONT_EMBED_BUILD_METADATA) && !defined(OFFICIAL_BUILD) |
+ return true; |
+#else |
+ const base::Time build_time = base::GetBuildTime(); |
+ // We consider built-in information to be timely for 10 weeks. |
+ return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */; |
+#endif |
+} |
+ |
+uint32_t ApproximateMonthDifference(const base::Time& start, |
+ const base::Time& end) { |
+ base::Time::Exploded exploded_start; |
+ base::Time::Exploded exploded_expiry; |
+ start.UTCExplode(&exploded_start); |
+ end.UTCExplode(&exploded_expiry); |
Ryan Sleevi
2014/11/28 15:27:44
There are base::Time values that may not be repres
Eran Messeri
2014/12/01 13:59:02
As discussed offline, added checks for is_max belo
Ryan Sleevi
2014/12/01 15:27:55
Yeah, we'll come back to this as a follow-on (we c
|
+ uint32_t month_diff = (exploded_expiry.year - exploded_start.year) * 12 + |
+ (exploded_expiry.month - exploded_start.month); |
+ |
+ // Add any remainder as a full month. |
+ if (exploded_expiry.day_of_month > exploded_start.day_of_month) |
+ ++month_diff; |
+ |
+ return month_diff; |
+} |
+} |
+ |
+CertPolicyEnforcer::CertPolicyEnforcer(size_t num_ct_logs, |
+ bool require_ct_for_ev) |
+ : num_ct_logs_(num_ct_logs), enforce_ct_requirement_(require_ct_for_ev) { |
+} |
+ |
+CertPolicyEnforcer::~CertPolicyEnforcer() { |
+} |
+ |
+bool CertPolicyEnforcer::DoesConformToCTEVPolicy( |
+ X509Certificate* cert, |
+ const ct::EVCertsWhitelist* ev_whitelist, |
+ const ct::CTVerifyResult& ct_result) { |
+ bool cert_in_ev_whitelist = false; |
+ if (ev_whitelist && ev_whitelist->IsValid()) { |
+ const SHA256HashValue fingerprint( |
+ X509Certificate::CalculateFingerprint256(cert->os_cert_handle())); |
+ |
+ std::string truncated_fp = |
+ std::string(reinterpret_cast<const char*>(fingerprint.data), 8); |
Ryan Sleevi
2014/11/28 15:27:44
Note: If we make ContainsCertificateHash to take a
Eran Messeri
2014/12/01 13:59:02
Acknowledged, since it's changing the interface (w
|
+ cert_in_ev_whitelist = ev_whitelist->ContainsCertificateHash(truncated_fp); |
+ |
+ VLOG(1) << "Have a valid whitelist. Is cert with fingerprint " |
+ << base::HexEncode( |
+ reinterpret_cast<const char*>(truncated_fp.data()), |
+ truncated_fp.length()) << " in the whitelist? " |
+ << (cert_in_ev_whitelist ? "true" : "false"); |
Ryan Sleevi
2014/11/28 15:27:44
I'm not keen on this VLOG. If the intent is to aid
Eran Messeri
2014/12/01 13:59:02
Removed, for now. I'll can NetLog logging in a fol
Ryan Sleevi
2014/12/01 15:27:55
The histograms won't tell us (or the net-internals
|
+ |
+ UMA_HISTOGRAM_BOOLEAN("Net.SSL_EVCertificateInWhitelist", |
+ cert_in_ev_whitelist); |
+ } |
+ |
+ if (!enforce_ct_requirement_) |
+ return true; |
+ |
+ if (!IsBuildTimely()) |
+ return false; |
+ |
+ if (cert_in_ev_whitelist) |
+ return true; |
+ |
+ size_t num_valid_scts = ct_result.verified_scts.size(); |
+ size_t num_embedded_scts = |
+ std::count_if(ct_result.verified_scts.begin(), |
+ ct_result.verified_scts.end(), IsEmbeddedSCT); |
+ |
+ // TODO(eranm): Count the number of *independent* SCTs once the information |
+ // about log operators is available, crbug.com/425174 |
+ size_t num_non_embedded_scts = num_valid_scts - num_embedded_scts; |
+ if (num_non_embedded_scts >= 2) |
+ return true; |
Ryan Sleevi
2014/11/28 15:27:44
I find this conditional hard to reason about (as w
Eran Messeri
2014/12/01 13:59:02
Done.
|
+ |
+ if ((num_non_embedded_scts == 1) && (num_embedded_scts > 0)) |
+ return true; |
Ryan Sleevi
2014/11/28 15:27:44
This doesn't seem spelled out in our policy at all
Eran Messeri
2014/12/01 13:59:02
Done.
|
+ |
+ if (cert->valid_start().is_null() || cert->valid_expiry().is_null()) { |
+ // Will not be able to calculate the certificate's validity period. |
+ return false; |
+ } |
+ |
+ uint32_t expiry_in_months_approx = |
+ ApproximateMonthDifference(cert->valid_start(), cert->valid_expiry()); |
+ // At most 5 SCTs are required - for certificate with lifetime of over |
+ // 39 months. |
+ size_t num_required_embedded_scts; |
+ if (expiry_in_months_approx > 39) { |
+ num_required_embedded_scts = 5; |
+ } else if (expiry_in_months_approx > 27) { |
+ num_required_embedded_scts = 4; |
+ } else if (expiry_in_months_approx >= 15) { |
+ num_required_embedded_scts = 3; |
+ } else { |
+ num_required_embedded_scts = 2; |
+ } |
+ |
+ size_t min_acceptable_logs = std::max(num_ct_logs_, static_cast<size_t>(2u)); |
+ return num_embedded_scts >= |
+ std::min(num_required_embedded_scts, min_acceptable_logs); |
Ryan Sleevi
2014/11/28 15:27:44
BUG/FUTURE: This doesn't consider when we need to
|
+} |
+ |
+} // namespace net |