Google Git
Sign in
chromium / chromium / src / 205191a32c9db91062c5342e901b2da2d67a49e5 / . / components / certificate_transparency / chrome_ct_policy_enforcer.cc
blob: e1b84dc3fbb6a1bba6e724c5f69bf3b9ef08bf16 [file] [log] [blame]
// Copyright 2014 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "components/certificate_transparency/chrome_ct_policy_enforcer.h"
#include <stdint.h>
#include <algorithm>
#include <memory>
#include <utility>
#include "base/feature_list.h"
#include "base/functional/bind.h"
#include "base/functional/callback_helpers.h"
#include "base/metrics/field_trial.h"
#include "base/metrics/histogram_macros.h"
#include "base/numerics/safe_conversions.h"
#include "base/strings/string_number_conversions.h"
#include "base/time/default_clock.h"
#include "base/time/time.h"
#include "base/values.h"
#include "base/version.h"
#include "components/certificate_transparency/ct_known_logs.h"
#include "crypto/sha2.h"
#include "net/cert/ct_policy_status.h"
#include "net/cert/signed_certificate_timestamp.h"
#include "net/cert/x509_certificate.h"
#include "net/log/net_log_capture_mode.h"
#include "net/log/net_log_event_type.h"
#include "net/log/net_log_values.h"
#include "net/log/net_log_with_source.h"
#include "third_party/boringssl/src/include/openssl/bytestring.h"
using net::ct::CTPolicyCompliance;
namespace certificate_transparency {
namespace {
// Type of a leaf index extension in an SCT from a Static CT API log.
const uint8_t kExtensionTypeLeafIndex = 0;
base::Value::Dict NetLogCertComplianceCheckResultParams(
net::X509Certificate* cert,
bool build_timely,
base::Time log_list_timestamp,
CTPolicyCompliance compliance) {
base::Value::Dict dict;
dict.Set("build_timely", build_timely);
dict.Set("log_list_timestamp",
net::NetLogNumberValue(
log_list_timestamp.InMillisecondsSinceUnixEpoch()));
dict.Set("ct_compliance_status", CTPolicyComplianceToString(compliance));
return dict;
}
// Returns true if the extension is a leaf index extension from a Static CT API
// log. See
// https://github.com/C2SP/C2SP/blob/main/static-ct-api.md#sct-extension
bool IsValidLeafIndexExtension(CBS* in) {
uint8_t bytes[5];
if (!CBS_copy_bytes(in, bytes, 5)) {
return false;
}
// Any value is a valid leaf index.
return true;
}
// Returns true if the SCT has only one valid leaf index extension.
bool HasValidLeafIndex(
const scoped_refptr<net::ct::SignedCertificateTimestamp> sct) {
CBS extension_cbs;
CBS_init(&extension_cbs, reinterpret_cast<uint8_t*>(sct->extensions.data()),
sct->extensions.size());
enum class LeafIndexStatus {
kFoundValid,
kFoundInvalid,
kNotFound,
};
LeafIndexStatus status = LeafIndexStatus::kNotFound;
// Look for a valid leaf index extension. The extension can be anywhere, so
// keep looking until we can find one. There must not be more than one leaf
// index extension.
while (CBS_len(&extension_cbs) != 0) {
uint8_t extension_type;
if (!CBS_get_u8(&extension_cbs, &extension_type)) {
return false;
}
CBS extension_data;
if (!CBS_get_u16_length_prefixed(&extension_cbs, &extension_data)) {
return false;
}
if (extension_type == kExtensionTypeLeafIndex) {
if (status != LeafIndexStatus::kNotFound) {
// Must not have multiple leaf index extensions.
return false;
}
status = IsValidLeafIndexExtension(&extension_data)
? LeafIndexStatus::kFoundValid
: LeafIndexStatus::kFoundInvalid;
}
}
return status == LeafIndexStatus::kFoundValid;
}
} // namespace
OperatorHistoryEntry::OperatorHistoryEntry() = default;
OperatorHistoryEntry::~OperatorHistoryEntry() = default;
OperatorHistoryEntry::OperatorHistoryEntry(const OperatorHistoryEntry& other) =
default;
ChromeCTPolicyEnforcer::ChromeCTPolicyEnforcer(
base::Time log_list_date,
std::vector<std::pair<std::string, base::Time>> disqualified_logs,
std::map<std::string, LogInfo> log_info,
bool enable_static_ct_api_enforcement)
: disqualified_logs_(std::move(disqualified_logs)),
log_info_(std::move(log_info)),
log_list_date_(log_list_date),
enable_static_ct_api_enforcement_(enable_static_ct_api_enforcement) {}
ChromeCTPolicyEnforcer::~ChromeCTPolicyEnforcer() = default;
CTPolicyCompliance ChromeCTPolicyEnforcer::CheckCompliance(
net::X509Certificate* cert,
const net::ct::SCTList& verified_scts,
base::Time current_time,
const net::NetLogWithSource& net_log) const {
// If the build is not timely, no certificate is considered compliant
// with CT policy. The reasoning is that, for example, a log might
// have been pulled and is no longer considered valid; thus, a client
// needs up-to-date information about logs to consider certificates to
// be compliant with policy.
bool build_timely = IsLogDataTimely(current_time);
CTPolicyCompliance compliance;
if (!build_timely) {
compliance = CTPolicyCompliance::CT_POLICY_BUILD_NOT_TIMELY;
} else {
compliance = CheckCTPolicyCompliance(*cert, verified_scts, current_time);
}
net_log.AddEvent(net::NetLogEventType::CERT_CT_COMPLIANCE_CHECKED, [&] {
return NetLogCertComplianceCheckResultParams(cert, build_timely,
log_list_date_, compliance);
});
return compliance;
}
std::optional<base::Time> ChromeCTPolicyEnforcer::GetLogDisqualificationTime(
std::string_view log_id) const {
CHECK_EQ(log_id.size(), crypto::kSHA256Length);
auto p = std::lower_bound(
std::begin(disqualified_logs_), std::end(disqualified_logs_), log_id,
[](const auto& a, std::string_view b) { return a.first < b; });
if (p == std::end(disqualified_logs_) || p->first != log_id) {
return std::nullopt;
}
return p->second;
}
bool ChromeCTPolicyEnforcer::IsCtEnabled() const {
return true;
}
bool ChromeCTPolicyEnforcer::IsLogDisqualified(
std::string_view log_id,
base::Time current_time,
base::Time* out_disqualification_date) const {
std::optional<base::Time> disqualification_date =
GetLogDisqualificationTime(log_id);
if (!disqualification_date.has_value()) {
return false;
}
*out_disqualification_date = disqualification_date.value();
return current_time >= disqualification_date.value();
}
bool ChromeCTPolicyEnforcer::IsLogDataTimely(base::Time current_time) const {
// We consider built-in information to be timely for 10 weeks.
return (current_time - log_list_date_).InDays() < 70 /* 10 weeks */;
}
// Evaluates against the "on-or-after 15 April 2022" policy specified at
// https://googlechrome.github.io/CertificateTransparency/ct_policy.html
// (No certificate issued before that date could still be valid.)
CTPolicyCompliance ChromeCTPolicyEnforcer::CheckCTPolicyCompliance(
const net::X509Certificate& cert,
const net::ct::SCTList& verified_scts,
base::Time current_time) const {
// Cert is outside the bounds of parsable; reject it.
if (cert.valid_start().is_null() || cert.valid_expiry().is_null() ||
cert.valid_start().is_max() || cert.valid_expiry().is_max()) {
return CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS;
}
// Scan for the earliest SCT. This is used to determine whether to enforce
// log diversity requirements, as well as whether to enforce whether or not
// a log was qualified or pending qualification at time of issuance (in the
// case of embedded SCTs). It's acceptable to ignore the origin of the SCT,
// because SCTs delivered via OCSP/TLS extension will cover the full
// certificate, which necessarily will exist only after the precertificate
// has been logged and the actual certificate issued.
// Note: Here, issuance date is defined as the earliest of all SCTs, rather
// than the latest of embedded SCTs, in order to give CAs the benefit of
// the doubt in the event a log is revoked in the midst of processing
// a precertificate and issuing the certificate.
base::Time issuance_date = base::Time::Max();
for (const auto& sct : verified_scts) {
base::Time unused;
if (IsLogDisqualified(sct->log_id, current_time, &unused)) {
continue;
}
issuance_date = std::min(sct->timestamp, issuance_date);
}
bool has_valid_embedded_sct = false;
bool has_valid_nonembedded_sct = false;
bool has_diverse_log_operators = false;
bool has_rfc6962_log = false;
std::vector<std::string_view> embedded_log_ids;
std::string first_seen_operator;
for (const auto& sct : verified_scts) {
base::Time disqualification_date;
bool is_disqualified =
IsLogDisqualified(sct->log_id, current_time, &disqualification_date);
if (is_disqualified &&
sct->origin != net::ct::SignedCertificateTimestamp::SCT_EMBEDDED) {
// For OCSP and TLS delivered SCTs, only SCTs that are valid at the
// time of check are accepted.
continue;
}
auto log_type = GetLogType(sct->log_id);
if (enable_static_ct_api_enforcement_ &&
log_type == network::mojom::CTLogInfo::LogType::kStaticCTAPI &&
!HasValidLeafIndex(sct)) {
continue;
}
if (sct->origin != net::ct::SignedCertificateTimestamp::SCT_EMBEDDED) {
has_valid_nonembedded_sct = true;
} else {
has_valid_embedded_sct |= !is_disqualified;
// If the log is disqualified, it only counts towards quorum if
// the certificate was issued before the log was disqualified, and the
// SCT was obtained before the log was disqualified.
if (!is_disqualified || (issuance_date < disqualification_date &&
sct->timestamp < disqualification_date)) {
embedded_log_ids.push_back(sct->log_id);
}
}
if (!has_diverse_log_operators) {
std::string sct_operator = GetOperatorForLog(sct->log_id, sct->timestamp);
if (first_seen_operator.empty()) {
first_seen_operator = sct_operator;
} else {
has_diverse_log_operators |= first_seen_operator != sct_operator;
}
}
if (enable_static_ct_api_enforcement_) {
// TODO(crbug.com/370724580): Disallow kUnspecified once all logs in the
// hardcoded and component updater protos have proper log types.
has_rfc6962_log |=
(log_type == network::mojom::CTLogInfo::LogType::kRFC6962 ||
log_type == network::mojom::CTLogInfo::LogType::kUnspecified);
}
}
// Option 1:
// An SCT presented via the TLS extension OR embedded within a stapled OCSP
// response is from a log qualified at time of check;
// AND there are at least two SCTs from logs with different operators,
// presented by any method.
//
// Note: Because SCTs embedded via TLS or OCSP can be updated on the fly,
// the issuance date is irrelevant, as any policy changes can be
// accommodated.
if (has_valid_nonembedded_sct && has_diverse_log_operators &&
(!enable_static_ct_api_enforcement_ || has_rfc6962_log)) {
return CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS;
}
// Note: If has_valid_nonembedded_sct was true, but Option 2 isn't met,
// then the result will be that there weren't diverse enough SCTs, as that
// the only other way for the conditional above to fail). Because Option 1
// has the diversity requirement, it's implicitly a minimum number of SCTs
// (specifically, 2), but that's not explicitly specified in the policy.
// Option 2:
// There is at least one embedded SCT from a log qualified at the time of
// check ...
if (!has_valid_embedded_sct) {
// Under Option 2, there weren't enough SCTs, and potentially under
// Option 1, there weren't diverse enough SCTs. Try to signal the error
// that is most easily fixed.
return has_valid_nonembedded_sct
? CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS
: CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS;
}
size_t num_required_embedded_scts = 5;
// ... AND there are at least two SCTs from logs with different
// operators ...
if (!has_diverse_log_operators) {
return CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS;
}
// ... AND at least one of the SCTs must come from an RFC6962 log.
if (enable_static_ct_api_enforcement_ && !has_rfc6962_log) {
return CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS;
}
// ... AND the certificate embeds SCTs from AT LEAST the number of logs
// once or currently qualified shown in Table 1 of the CT Policy.
base::TimeDelta lifetime = cert.valid_expiry() - cert.valid_start();
if (lifetime > base::Days(180)) {
num_required_embedded_scts = 3;
} else {
num_required_embedded_scts = 2;
}
// Sort the embedded log IDs and remove duplicates, so that only a single
// SCT from each log is accepted. This is to handle the case where a given
// log returns different SCTs for the same precertificate (which is
// permitted, but advised against).
std::sort(embedded_log_ids.begin(), embedded_log_ids.end());
auto sorted_end =
std::unique(embedded_log_ids.begin(), embedded_log_ids.end());
size_t num_embedded_scts =
std::distance(embedded_log_ids.begin(), sorted_end);
if (num_embedded_scts >= num_required_embedded_scts) {
return CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS;
}
// Under Option 2, there weren't enough SCTs, and potentially under Option
// 1, there weren't diverse enough SCTs. Try to signal the error that is
// most easily fixed.
return has_valid_nonembedded_sct
? CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS
: CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS;
}
std::string ChromeCTPolicyEnforcer::GetOperatorForLog(
const std::string& log_id,
base::Time timestamp) const {
DCHECK(log_info_.find(log_id) != log_info_.end());
const OperatorHistoryEntry& log_history =
log_info_.at(log_id).operator_history;
for (const auto& operator_entry : log_history.previous_operators) {
if (timestamp < operator_entry.second) {
return operator_entry.first;
}
}
// Either the log has only ever had one operator, or the timestamp is after
// the last operator change.
return log_history.current_operator;
}
network::mojom::CTLogInfo::LogType ChromeCTPolicyEnforcer::GetLogType(
const std::string& log_id) const {
DCHECK(log_info_.find(log_id) != log_info_.end());
return log_info_.at(log_id).log_type;
}
} // namespace certificate_transparency