Certificate Transparency: Remove SSLWatcher's Alpha log.

Per Ryan's recent announcement, SSLWatcher's Alpha log is no longer recognized by Chrome, so remove it. This change also removes the assumption (made in the CertPolicyEnforcer) that in case of having only 2 logs recognized by Chrome, only 2 will be required where the policy currently says 3 would be necessary. BUG=441337 Review URL: https://codereview.chromium.org/795013003 Cr-Commit-Position: refs/heads/master@{#308437}

Certificate Transparency: Remove SSLWatcher's Alpha log.
Per Ryan's recent announcement, SSLWatcher's Alpha log is no longer recognized by Chrome, so remove it. This change also removes the assumption (made in the CertPolicyEnforcer) that in case of having only 2 logs recognized by Chrome, only 2 will be required where the policy currently says 3 would be necessary. BUG=441337 Review URL: https://codereview.chromium.org/795013003 Cr-Commit-Position: refs/heads/master@{#308437}
bce7c1b3 · eranm · Commit bot · af17af4b · bce7c1b3 · bce7c1b3
Commit bce7c1b3 authored Dec 15, 2014 by eranm Committed by Commit bot Dec 15, 2014
5 changed files
--- a/chrome/browser/io_thread.cc
+++ b/chrome/browser/io_thread.cc
@@ -658,9 +658,9 @@ void IOThread::InitAsync() {
  net::CertPolicyEnforcer* policy_enforcer = NULL;
  // TODO(eranm): Control with Finch, crbug.com/437766
  if (command_line.HasSwitch(switches::kRequireCTForEV)) {
-    policy_enforcer = new net::CertPolicyEnforcer(kNumKnownCTLogs, true);
+    policy_enforcer = new net::CertPolicyEnforcer(true);
  } else {
-    policy_enforcer = new net::CertPolicyEnforcer(kNumKnownCTLogs, false);
+    policy_enforcer = new net::CertPolicyEnforcer(false);
  }
  globals_->cert_policy_enforcer.reset(policy_enforcer);

--- a/net/cert/cert_policy_enforcer.cc
+++ b/net/cert/cert_policy_enforcer.cc
@@ -67,9 +67,8 @@ void LogCTComplianceStatusToUMA(CTComplianceStatus status) {
 }  // namespace
-CertPolicyEnforcer::CertPolicyEnforcer(size_t num_ct_logs,
+CertPolicyEnforcer::CertPolicyEnforcer(bool require_ct_for_ev)
-                                       bool require_ct_for_ev)
+    : require_ct_for_ev_(require_ct_for_ev) {
-    : num_ct_logs_(num_ct_logs), require_ct_for_ev_(require_ct_for_ev) {
 }
 CertPolicyEnforcer::~CertPolicyEnforcer() {
@@ -157,9 +156,7 @@ bool CertPolicyEnforcer::HasRequiredNumberOfSCTs(
    num_required_embedded_scts = 2;
  }
-  size_t min_acceptable_logs = std::max(num_ct_logs_, static_cast<size_t>(2u));
+  return num_embedded_scts >= num_required_embedded_scts;
-  return num_embedded_scts >=
-         std::min(num_required_embedded_scts, min_acceptable_logs);
 }
 }  // namespace net
--- a/net/cert/cert_policy_enforcer.h
+++ b/net/cert/cert_policy_enforcer.h
@@ -24,11 +24,9 @@ class X509Certificate;
 class NET_EXPORT CertPolicyEnforcer {
 public:
  // Set the parameters for this policy enforcer:
-  // |num_ct_logs| is the number of Certificate Transparency log currently
-  // known to Chrome.
  // |require_ct_for_ev| indicates whether Certificate Transparency presence
  // is required for EV certificates.
-  CertPolicyEnforcer(size_t num_ct_logs, bool require_ct_for_ev);
+  explicit CertPolicyEnforcer(bool require_ct_for_ev);
  virtual ~CertPolicyEnforcer();
  // Returns true if the collection of SCTs for the given certificate
@@ -47,7 +45,6 @@ class NET_EXPORT CertPolicyEnforcer {
  bool HasRequiredNumberOfSCTs(X509Certificate* cert,
                               const ct::CTVerifyResult& ct_result);
-  size_t num_ct_logs_;
  bool require_ct_for_ev_;
 };

--- a/net/cert/cert_policy_enforcer_unittest.cc
+++ b/net/cert/cert_policy_enforcer_unittest.cc
@@ -44,7 +44,7 @@ class DummyEVCertsWhitelist : public ct::EVCertsWhitelist {
 class CertPolicyEnforcerTest : public ::testing::Test {
 public:
  virtual void SetUp() override {
-    policy_enforcer_.reset(new CertPolicyEnforcer(5, true));
+    policy_enforcer_.reset(new CertPolicyEnforcer(true));
    std::string der_test_cert(ct::GetDerEncodedX509Cert());
    chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(),
@@ -109,7 +109,7 @@ TEST_F(CertPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) {
 }
 TEST_F(CertPolicyEnforcerTest, DoesNotEnforceCTPolicyIfNotRequired) {
-  scoped_ptr<CertPolicyEnforcer> enforcer(new CertPolicyEnforcer(3, false));
+  scoped_ptr<CertPolicyEnforcer> enforcer(new CertPolicyEnforcer(false));
  ct::CTVerifyResult result;
  FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
@@ -164,19 +164,6 @@ TEST_F(CertPolicyEnforcerTest,
  }
 }
-TEST_F(CertPolicyEnforcerTest,
-       ConformsToPolicyButDoesNotRequireMoreThanNumLogs) {
-  scoped_ptr<CertPolicyEnforcer> enforcer(new CertPolicyEnforcer(2, true));
-  ct::CTVerifyResult result;
-  FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2,
-                             &result);
-  // Expect true despite the chain not having enough SCTs according to the
-  // policy
-  // since we only have 2 logs.
-  EXPECT_TRUE(enforcer->DoesConformToCTEVPolicy(chain_.get(), nullptr, result));
-}
 TEST_F(CertPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) {
  scoped_refptr<ct::EVCertsWhitelist> whitelist(
      new DummyEVCertsWhitelist(true, true));

--- a/net/cert/ct_known_logs_static.h
+++ b/net/cert/ct_known_logs_static.h
@@ -27,17 +27,9 @@ const CTLogInfo kCTLogList[] = {
    "\x6b\xbd\x27\xbc\x96\x21\x3e\x34\xf5\x87\x76\x31\xb1\x7f\x1d\xc9\x85"
    "\x3b\x0d\xf7\x1f\x3f\xe9",
    "Google 'Aviator' log"
-  },
-  {"\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86"
-    "\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa2\xf7\xed\x13\xe1\xd3\x5c"
-    "\x02\x08\xc4\x8e\x8b\x9b\x8b\x3b\x39\x68\xc7\x92\x6a\x38\xa1\x4f\x23"
-    "\xc5\xa5\x6f\x6f\xd7\x65\x81\xf8\xc1\x9b\xf4\x9f\xa9\x8b\x45\xf4\xb9"
-    "\x4e\x1b\xc9\xa2\x69\x17\xa5\x78\x87\xd9\xce\x88\x6f\x41\x03\xbb\xa3"
-    "\x2a\xe3\x77\x97\x8d\x78",
-    "SSLWatcher.com CT log 'alpha'"
  }
 };
-const size_t kNumKnownCTLogs = 3;
+const size_t kNumKnownCTLogs = 2;
 #endif  // NET_CERT_CT_KNOWN_LOGS_STATIC_H_