Certificate Transparency: Require SCTs for EV certificates.

net/cert/cert_policy_enforcer.cc

Index: net/cert/cert_policy_enforcer.cc
diff --git a/net/cert/cert_policy_enforcer.cc b/net/cert/cert_policy_enforcer.cc
new file mode 100644
index 0000000000000000000000000000000000000000..a21c004aae44d90b346ddfbbeda92a4efad63399
--- /dev/null
+++ b/net/cert/cert_policy_enforcer.cc
@@ -0,0 +1,83 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/cert_policy_enforcer.h"
+
+#include <algorithm>
+
+#include "base/numerics/safe_conversions.h"
+#include "net/cert/ct_verify_result.h"
+#include "net/cert/signed_certificate_timestamp.h"
+#include "net/cert/x509_certificate.h"
+
+namespace net {
+
+namespace {
+bool g_enforce_ct_presence = false;
+
+bool IsEmbeddedSCT(const scoped_refptr<ct::SignedCertificateTimestamp>& sct) {
+  return sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED;
+}
+}
+
+CertPolicyEnforcer::CertPolicyEnforcer(uint32_t num_ct_logs)
+    : num_ct_logs_(base::saturated_cast<uint8_t>(num_ct_logs)) {
+}
+
+CertPolicyEnforcer::~CertPolicyEnforcer() {
+}
+
+// static
+void CertPolicyEnforcer::SetEnforceCTEVPolicy(bool enforce_policy) {
+  g_enforce_ct_presence = enforce_policy;
+}
+
+bool CertPolicyEnforcer::DoesConformToCTEVPolicy(
+    X509Certificate* cert,
+    const ct::CTVerifyResult& ct_result) {
+  if (!g_enforce_ct_presence) {
+    return true;
+  }

[Ryan Sleevi, 2014/10/22 19:48:35]

no braces on single-line if's in //net

[Eran Messeri, 2014/10/24 12:12:35]

Done.

+  uint8_t num_valid_scts =
+      base::saturated_cast<uint16_t>(ct_result.verified_scts.size());

[Ryan Sleevi, 2014/10/22 19:48:35]

Casting is wrong here, isn't it? Shouldn't it be uint8_t?

But the size_t remarks will address this.

[Eran Messeri, 2014/10/24 12:12:35]

Switched to size_t throughout, as suggested.

+  uint8_t num_embedded_scts = base::saturated_cast<uint16_t>(
+      std::count_if(ct_result.verified_scts.begin(),
+                    ct_result.verified_scts.end(),
+                    IsEmbeddedSCT));
+
+  // TODO(eranm): Count the number of *independent* SCTs once the information
+  // about log operators is available, crbug.com/425174
+  uint8_t num_non_embedded_scts = num_valid_scts - num_embedded_scts;
+  if (num_non_embedded_scts >= 2) {
+    return true;
+  }
+
+  if ((num_non_embedded_scts == 1) && (num_embedded_scts > 0)) {
+    return true;
+  }
+
+  if (cert->valid_start().is_null() || cert->valid_expiry().is_null()) {
+    // Will not be able to calculate the certificate's validity period.

[Ryan Sleevi, 2014/10/22 19:48:35]

Shouldn't this be the first check? to avoid iterating the number of SCTs if the
information is unusuable?

[Eran Messeri, 2014/10/24 12:12:35]

I believe not: The policy (outlined in the CT/EV plan) only cares about the
validity period if there aren't enough non-embedded SCTs. This code tries to
accurately implement the policy so as long as there are enough non-embedded SCTs
I don't care if it has a valid start/expiry dates.

+    return false;
+  }
+
+  base::TimeDelta expiry_period = cert->valid_expiry() - cert->valid_start();
+  uint32_t expiry_in_months_approx = expiry_period.InDays() / 30.14;
+  // At most 5 SCTs are required - for certificate with lifetime of over
+  // 39 months.
+  uint8_t num_required_embedded_scts = 5;
+  if (expiry_in_months_approx > 27) {
+    num_required_embedded_scts = 4;
+  } else if (expiry_in_months_approx >= 15) {
+    num_required_embedded_scts = 3;
+  } else {
+    num_required_embedded_scts = 2;
+  }
+
+  uint8_t min_acceptable_logs =
+      std::max(static_cast<uint8_t>(2u), num_ct_logs_);
+  return num_embedded_scts >=
+         std::min(num_required_embedded_scts, min_acceptable_logs);
+}
+}  // namespace net

[Ryan Sleevi, 2014/10/22 19:48:35]

newline between 82 & 83

[Eran Messeri, 2014/10/24 12:12:35]

Done.