Chromium Code Reviews Chromium Code Reviews
Issue 782333002:
Certificate Transparency: Adding finch and NetLog logging for EV certs (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_policy_enforcer.h" | 5 #include "net/cert/cert_policy_enforcer.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 | 8 |
| 9 #include "base/bind.h" | |
| 9 #include "base/build_time.h" | 10 #include "base/build_time.h" |
| 11 #include "base/callback_helpers.h" | |
| 10 #include "base/metrics/field_trial.h" | 12 #include "base/metrics/field_trial.h" |
| 11 #include "base/metrics/histogram.h" | 13 #include "base/metrics/histogram.h" |
| 12 #include "base/numerics/safe_conversions.h" | 14 #include "base/numerics/safe_conversions.h" |
| 13 #include "base/strings/string_number_conversions.h" | 15 #include "base/strings/string_number_conversions.h" |
| 16 #include "base/values.h" | |
| 17 #include "net/base/net_log.h" | |
| 14 #include "net/cert/ct_ev_whitelist.h" | 18 #include "net/cert/ct_ev_whitelist.h" |
| 15 #include "net/cert/ct_verify_result.h" | 19 #include "net/cert/ct_verify_result.h" |
| 16 #include "net/cert/signed_certificate_timestamp.h" | 20 #include "net/cert/signed_certificate_timestamp.h" |
| 17 #include "net/cert/x509_certificate.h" | 21 #include "net/cert/x509_certificate.h" |
| 22 #include "net/cert/x509_certificate_net_log_param.h" | |
| 18 | 23 |
| 19 namespace net { | 24 namespace net { |
| 20 | 25 |
| 21 namespace { | 26 namespace { |
| 22 | 27 |
| 23 bool IsEmbeddedSCT(const scoped_refptr<ct::SignedCertificateTimestamp>& sct) { | 28 bool IsEmbeddedSCT(const scoped_refptr<ct::SignedCertificateTimestamp>& sct) { |
| 24 return sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED; | 29 return sct->origin == ct::SignedCertificateTimestamp::SCT_EMBEDDED; |
| 25 } | 30 } |
| 26 | 31 |
| 27 // Returns true if the current build is recent enough to ensure that | 32 // Returns true if the current build is recent enough to ensure that |
| (...skipping 25 matching lines...) Expand all Loading... | |
| 53 return month_diff; | 58 return month_diff; |
| 54 } | 59 } |
| 55 | 60 |
| 56 enum CTComplianceStatus { | 61 enum CTComplianceStatus { |
| 57 CT_NOT_COMPLIANT = 0, | 62 CT_NOT_COMPLIANT = 0, |
| 58 CT_IN_WHITELIST = 1, | 63 CT_IN_WHITELIST = 1, |
| 59 CT_ENOUGH_SCTS = 2, | 64 CT_ENOUGH_SCTS = 2, |
| 60 CT_COMPLIANCE_MAX, | 65 CT_COMPLIANCE_MAX, |
| 61 }; | 66 }; |
| 62 | 67 |
| 68 const char* ComplianceStatusToString(CTComplianceStatus status) { | |
| 69 switch (status) { | |
| 70 case CT_NOT_COMPLIANT: | |
| 71 return "NOT_COMPLIANT"; | |
| 72 break; | |
| 73 case CT_IN_WHITELIST: | |
| 74 return "WHITELISTED"; | |
| 75 break; | |
| 76 case CT_ENOUGH_SCTS: | |
| 77 return "ENOUGH_SCTS"; | |
| 78 break; | |
| 79 case CT_COMPLIANCE_MAX: | |
| 80 break; | |
| 81 } | |
| 82 | |
| 83 return "unknown"; | |
| 84 } | |
| 85 | |
| 63 void LogCTComplianceStatusToUMA(CTComplianceStatus status) { | 86 void LogCTComplianceStatusToUMA(CTComplianceStatus status) { |
| 64 UMA_HISTOGRAM_ENUMERATION("Net.SSL_EVCertificateCTCompliance", status, | 87 UMA_HISTOGRAM_ENUMERATION("Net.SSL_EVCertificateCTCompliance", status, |
| 65 CT_COMPLIANCE_MAX); | 88 CT_COMPLIANCE_MAX); |
| 66 } | 89 } |
| 67 | 90 |
| 91 struct PolicyComplianceResult { | |
| 92 PolicyComplianceResult() { Reset(); } | |
| 93 | |
| 94 void Reset() { | |
|
mmenke
2014/12/10 20:36:39
Not needed. Can just do all this in the construct
Eran Messeri
2014/12/12 12:44:56
Done.
| |
| 95 ct_presence_required = false; | |
| 96 build_timely = false; | |
| 97 result = CT_NOT_COMPLIANT; | |
| 98 } | |
| 99 | |
| 100 bool ct_presence_required; | |
| 101 bool build_timely; | |
| 102 CTComplianceStatus result; | |
|
mmenke
2014/12/10 20:36:39
May want to document these (Disclaimer: I know no
mmenke
2014/12/10 20:36:40
result->result is a bit ugly.
Eran Messeri
2014/12/12 12:44:56
Done.
Eran Messeri
2014/12/12 12:44:56
Done, changed.
| |
| 103 }; | |
| 104 | |
| 105 base::Value* NetLogComplianceCheckResultCallback(X509Certificate* cert, | |
| 106 PolicyComplianceResult* result, | |
| 107 NetLog::LogLevel log_level) { | |
| 108 base::DictionaryValue* dict = new base::DictionaryValue(); | |
| 109 dict->Set("certificate", NetLogX509CertificateCallback(cert, log_level)); | |
| 110 dict->SetBoolean("policy_enforcement_required", result->ct_presence_required); | |
| 111 dict->SetBoolean("build_timely", result->build_timely); | |
| 112 dict->SetString("ct_compliance_status", | |
| 113 ComplianceStatusToString(result->result)); | |
|
mmenke
2014/12/10 20:36:40
Logging this when one of the others is false seems
Eran Messeri
2014/12/12 12:44:56
Acknowledged - it indeed does not make sense to lo
| |
| 114 return dict; | |
| 115 } | |
| 116 | |
| 68 } // namespace | 117 } // namespace |
| 69 | 118 |
| 70 CertPolicyEnforcer::CertPolicyEnforcer(size_t num_ct_logs, | 119 CertPolicyEnforcer::CertPolicyEnforcer(size_t num_ct_logs, |
| 71 bool require_ct_for_ev) | 120 bool require_ct_for_ev) |
| 72 : num_ct_logs_(num_ct_logs), require_ct_for_ev_(require_ct_for_ev) { | 121 : num_ct_logs_(num_ct_logs), require_ct_for_ev_(require_ct_for_ev) { |
| 73 } | 122 } |
| 74 | 123 |
| 75 CertPolicyEnforcer::~CertPolicyEnforcer() { | 124 CertPolicyEnforcer::~CertPolicyEnforcer() { |
| 76 } | 125 } |
| 77 | 126 |
| 78 bool CertPolicyEnforcer::DoesConformToCTEVPolicy( | 127 bool CertPolicyEnforcer::DoesConformToCTEVPolicy( |
| 79 X509Certificate* cert, | 128 X509Certificate* cert, |
| 80 const ct::EVCertsWhitelist* ev_whitelist, | 129 const ct::EVCertsWhitelist* ev_whitelist, |
| 81 const ct::CTVerifyResult& ct_result) { | 130 const ct::CTVerifyResult& ct_result, |
| 82 if (!require_ct_for_ev_) | 131 const BoundNetLog& net_log) { |
| 132 PolicyComplianceResult result; | |
| 133 CheckCTEVPolicyCompliance(cert, ev_whitelist, ct_result, &result); | |
| 134 | |
| 135 NetLog::ParametersCallback net_log_callback = | |
| 136 base::Bind(&NetLogComplianceCheckResultCallback, base::Unretained(cert), | |
| 137 base::Unretained(&result)); | |
|
Ryan Sleevi
2014/12/10 20:09:26
You don't log anything about the ev_whitelist, suc
Eran Messeri
2014/12/10 20:37:03
Good point, I'll add logging of the EV whitelist v
| |
| 138 | |
| 139 net_log.AddEvent(NetLog::TYPE_EV_CERT_CT_COMPLIANCE_CHECKED, | |
| 140 net_log_callback); | |
| 141 | |
| 142 if (!result.ct_presence_required) | |
| 83 return true; | 143 return true; |
| 84 | 144 |
| 85 if (!IsBuildTimely()) | 145 if (!result.build_timely) |
| 86 return false; | 146 return false; |
| 87 | 147 |
| 88 if (IsCertificateInWhitelist(cert, ev_whitelist)) { | 148 LogCTComplianceStatusToUMA(result.result); |
| 89 LogCTComplianceStatusToUMA(CT_IN_WHITELIST); | 149 |
| 150 if (result.result == CT_IN_WHITELIST || result.result == CT_ENOUGH_SCTS) | |
| 90 return true; | 151 return true; |
| 91 } | |
| 92 | 152 |
| 93 if (HasRequiredNumberOfSCTs(cert, ct_result)) { | |
| 94 LogCTComplianceStatusToUMA(CT_ENOUGH_SCTS); | |
| 95 return true; | |
| 96 } | |
| 97 | |
| 98 LogCTComplianceStatusToUMA(CT_NOT_COMPLIANT); | |
| 99 return false; | 153 return false; |
| 100 } | 154 } |
| 101 | 155 |
| 102 bool CertPolicyEnforcer::IsCertificateInWhitelist( | 156 bool CertPolicyEnforcer::IsCertificateInWhitelist( |
| 103 X509Certificate* cert, | 157 X509Certificate* cert, |
| 104 const ct::EVCertsWhitelist* ev_whitelist) { | 158 const ct::EVCertsWhitelist* ev_whitelist) { |
| 105 bool cert_in_ev_whitelist = false; | 159 bool cert_in_ev_whitelist = false; |
| 106 if (ev_whitelist && ev_whitelist->IsValid()) { | 160 if (ev_whitelist && ev_whitelist->IsValid()) { |
| 107 const SHA256HashValue fingerprint( | 161 const SHA256HashValue fingerprint( |
| 108 X509Certificate::CalculateFingerprint256(cert->os_cert_handle())); | 162 X509Certificate::CalculateFingerprint256(cert->os_cert_handle())); |
| (...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 155 num_required_embedded_scts = 3; | 209 num_required_embedded_scts = 3; |
| 156 } else { | 210 } else { |
| 157 num_required_embedded_scts = 2; | 211 num_required_embedded_scts = 2; |
| 158 } | 212 } |
| 159 | 213 |
| 160 size_t min_acceptable_logs = std::max(num_ct_logs_, static_cast<size_t>(2u)); | 214 size_t min_acceptable_logs = std::max(num_ct_logs_, static_cast<size_t>(2u)); |
| 161 return num_embedded_scts >= | 215 return num_embedded_scts >= |
| 162 std::min(num_required_embedded_scts, min_acceptable_logs); | 216 std::min(num_required_embedded_scts, min_acceptable_logs); |
| 163 } | 217 } |
| 164 | 218 |
| 219 void CertPolicyEnforcer::CheckCTEVPolicyCompliance( | |
|
mmenke
2014/12/10 20:36:40
This doesn't seem to need to be a member of CertPo
Eran Messeri
2014/12/12 12:44:56
Done, although that led to a behaviour change as i
| |
| 220 X509Certificate* cert, | |
| 221 const ct::EVCertsWhitelist* ev_whitelist, | |
| 222 const ct::CTVerifyResult& ct_result, | |
| 223 PolicyComplianceResult* check_result) { | |
| 224 check_result->Reset(); | |
| 225 if (!require_ct_for_ev_) | |
| 226 return; | |
| 227 check_result->ct_presence_required = true; | |
| 228 | |
| 229 if (!IsBuildTimely()) | |
| 230 return; | |
| 231 check_result->build_timely = true; | |
| 232 | |
| 233 if (IsCertificateInWhitelist(cert, ev_whitelist)) { | |
| 234 check_result->result = CT_IN_WHITELIST; | |
| 235 return; | |
| 236 } | |
| 237 | |
| 238 if (HasRequiredNumberOfSCTs(cert, ct_result)) { | |
| 239 check_result->result = CT_ENOUGH_SCTS; | |
| 240 return; | |
| 241 } | |
| 242 | |
| 243 check_result->result = CT_NOT_COMPLIANT; | |
| 244 } | |
| 245 | |
| 165 } // namespace net | 246 } // namespace net |
| OLD | NEW |
