Index: net/cert/cert_policy_enforcer.cc |
diff --git a/net/cert/cert_policy_enforcer.cc b/net/cert/cert_policy_enforcer.cc |
new file mode 100644 |
index 0000000000000000000000000000000000000000..a21c004aae44d90b346ddfbbeda92a4efad63399 |
--- /dev/null |
+++ b/net/cert/cert_policy_enforcer.cc |
@@ -0,0 +1,83 @@ |
+// Copyright 2014 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#include "net/cert/cert_policy_enforcer.h" |
+ |
+#include <algorithm> |
+ |
+#include "base/numerics/safe_conversions.h" |
+#include "net/cert/ct_verify_result.h" |
+#include "net/cert/signed_certificate_timestamp.h" |
+#include "net/cert/x509_certificate.h" |
+ |
+namespace net { |
+ |
+namespace { |
+bool g_enforce_ct_presence = false; |
+ |
+bool IsEmbeddedSCT(const scoped_refptr<ct::SignedCertificateTimestamp>& sct) { |
+ return sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED; |
+} |
+} |
+ |
+CertPolicyEnforcer::CertPolicyEnforcer(uint32_t num_ct_logs) |
+ : num_ct_logs_(base::saturated_cast<uint8_t>(num_ct_logs)) { |
+} |
+ |
+CertPolicyEnforcer::~CertPolicyEnforcer() { |
+} |
+ |
+// static |
+void CertPolicyEnforcer::SetEnforceCTEVPolicy(bool enforce_policy) { |
+ g_enforce_ct_presence = enforce_policy; |
+} |
+ |
+bool CertPolicyEnforcer::DoesConformToCTEVPolicy( |
+ X509Certificate* cert, |
+ const ct::CTVerifyResult& ct_result) { |
+ if (!g_enforce_ct_presence) { |
+ return true; |
+ } |
Ryan Sleevi
2014/10/22 19:48:35
no braces on single-line if's in //net
Eran Messeri
2014/10/24 12:12:35
Done.
|
+ uint8_t num_valid_scts = |
+ base::saturated_cast<uint16_t>(ct_result.verified_scts.size()); |
Ryan Sleevi
2014/10/22 19:48:35
Casting is wrong here, isn't it? Shouldn't it be u
Eran Messeri
2014/10/24 12:12:35
Switched to size_t throughout, as suggested.
|
+ uint8_t num_embedded_scts = base::saturated_cast<uint16_t>( |
+ std::count_if(ct_result.verified_scts.begin(), |
+ ct_result.verified_scts.end(), |
+ IsEmbeddedSCT)); |
+ |
+ // TODO(eranm): Count the number of *independent* SCTs once the information |
+ // about log operators is available, crbug.com/425174 |
+ uint8_t num_non_embedded_scts = num_valid_scts - num_embedded_scts; |
+ if (num_non_embedded_scts >= 2) { |
+ return true; |
+ } |
+ |
+ if ((num_non_embedded_scts == 1) && (num_embedded_scts > 0)) { |
+ return true; |
+ } |
+ |
+ if (cert->valid_start().is_null() || cert->valid_expiry().is_null()) { |
+ // Will not be able to calculate the certificate's validity period. |
Ryan Sleevi
2014/10/22 19:48:35
Shouldn't this be the first check? to avoid iterat
Eran Messeri
2014/10/24 12:12:35
I believe not: The policy (outlined in the CT/EV p
|
+ return false; |
+ } |
+ |
+ base::TimeDelta expiry_period = cert->valid_expiry() - cert->valid_start(); |
+ uint32_t expiry_in_months_approx = expiry_period.InDays() / 30.14; |
+ // At most 5 SCTs are required - for certificate with lifetime of over |
+ // 39 months. |
+ uint8_t num_required_embedded_scts = 5; |
+ if (expiry_in_months_approx > 27) { |
+ num_required_embedded_scts = 4; |
+ } else if (expiry_in_months_approx >= 15) { |
+ num_required_embedded_scts = 3; |
+ } else { |
+ num_required_embedded_scts = 2; |
+ } |
+ |
+ uint8_t min_acceptable_logs = |
+ std::max(static_cast<uint8_t>(2u), num_ct_logs_); |
+ return num_embedded_scts >= |
+ std::min(num_required_embedded_scts, min_acceptable_logs); |
+} |
+} // namespace net |
Ryan Sleevi
2014/10/22 19:48:35
newline between 82 & 83
Eran Messeri
2014/10/24 12:12:35
Done.
|