author | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-08-09 01:54:16 +0000 |
---|---|---|
committer | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-08-09 01:54:16 +0000 |
commit | d70e808c7e3ebcae52143509d14ab37eaefe2b0c (patch) | |
tree | 93f961876bf5854c1fc6045708d1e97601b49517 /net | |
parent | dd807f42f2d8ded6eee0b06e3fa238380deb5d9c (diff) | |
Adjust histograms for CA's BR compliance to also consider the notBefore date
The histograms were only considering the expiration date, as that is
all that Appendix B lists as applicable for key sizes. However,
Appendix B is only relevant if the certificate is in scope of the BRs,
which itself is gated on issuance date (BRs 1.0 were adopted with an
effective date of 2012-01-07, although root programs were slower to
require audit compliance).
BUG=102949
R=wtc,asvitkine
Review URL: https://chromiumcodereview.appspot.com/22606007
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@216537 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r-- | net/cert/cert_verify_proc.cc | 24 |
1 files changed, 16 insertions, 8 deletions
diff --git a/net/cert/cert_verify_proc.cc b/net/cert/cert_verify_proc.cc
index b9bbbe0..ec1ef68 100644
--- a/net/cert/cert_verify_proc.cc
+++ b/net/cert/cert_verify_proc.cc
@@ -64,12 +64,12 @@ const char* CertTypeToString(int cert_type) {
 }
 void RecordPublicKeyHistogram(const char* chain_position,
- bool after_baseline_date,
+ bool baseline_keysize_applies,
 size_t size_bits,
 X509Certificate::PublicKeyType cert_type) {
 std::string histogram_name =
- base::StringPrintf("CertificateType.%s.%s.%s",
- after_baseline_date ? "BR" : "NonBR",
+ base::StringPrintf("CertificateType2.%s.%s.%s",
+ baseline_keysize_applies ? "BR" : "NonBR",
 chain_position, CertTypeToString(cert_type));
 // Do not use UMA_HISTOGRAM_... macros here, as it caches the Histogram 
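Review bot: The renamed parameter `baseline_keysize_applies` now stands for a two-sided date test, but nothing at the point where it is turned into the "BR"/"NonBR" label says what "applies" means, and that label is what anyone reading the CertificateType2 histogram will have to interpret. A one-line comment on the parameter, `// True when the certificate's issuance and expiry dates place it in scope of the BR key-size rules; selects the "BR"/"NonBR" bucket.`, keeps the meaning next to where the name is emitted. Bumping the histogram name to CertificateType2 when the bucket semantics change is the right call; the function's preceding documentation, if any, lies outside the hunk.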
@@ -118,18 +118,26 @@ bool IsWeakKey(X509Certificate::PublicKeyType type, size_t size_bits) {
 bool ExaminePublicKeys(const scoped_refptr<X509Certificate>& cert,
 bool should_histogram) {
 // The effective date of the CA/Browser Forum's Baseline Requirements -
- // 2014-01-01 00:00:00 UTC.
+ // 2012-07-01 00:00:00 UTC.
 const base::Time kBaselineEffectiveDate =
+ base::Time::FromInternalValue(GG_INT64_C(12985574400000000));
+ // The effective date of the key size requirements from Appendix A, v1.1.5
+ // 2014-01-01 00:00:00 UTC.
+ const base::Time kBaselineKeysizeEffectiveDate =
 base::Time::FromInternalValue(GG_INT64_C(13033008000000000));
 size_t size_bits = 0;
 X509Certificate::PublicKeyType type = X509Certificate::kPublicKeyTypeUnknown;
 bool weak_key = false;
- bool after_baseline_date = cert->valid_expiry() >= kBaselineEffectiveDate;
+ bool baseline_keysize_applies =
+ cert->valid_start() >= kBaselineEffectiveDate &&
+ cert->valid_expiry() >= kBaselineKeysizeEffectiveDate;
 X509Certificate::GetPublicKeyInfo(cert->os_cert_handle(), &size_bits, &type);
- if (should_histogram)
- RecordPublicKeyHistogram(kLeafCert, after_baseline_date, size_bits, type);
+ if (should_histogram) {
+ RecordPublicKeyHistogram(kLeafCert, baseline_keysize_applies, size_bits,
+ type);
+ }
 if (IsWeakKey(type, size_bits))
 weak_key = true;
@@ -140,7 +148,7 @@ bool ExaminePublicKeys(const scoped_refptr<X509Certificate>& cert,
 if (should_histogram) {
 RecordPublicKeyHistogram(
 (i < intermediates.size() - 1) ? kIntermediateCert : kRootCert,
- after_baseline_date,
+ baseline_keysize_applies,
 size_bits, type);
 } |
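Review bot: The commit description gives the BR 1.0 effective date as 2012-01-07 (and cites Appendix B), while the new comment and constant in this hunk encode 2012-07-01 (12985574400000000 is exactly 549 days, 47433600 seconds, before the 2014-01-01 value already in the file) and cite Appendix A, so the description or the comment should be corrected so the two agree. Both `valid_start()` and `valid_expiry()` are dates asserted by the issuer, so a certificate whose notBefore is earlier than kBaselineEffectiveDate lands in the NonBR bucket whatever its actual issuance history; since `IsWeakKey` is evaluated on the leaf regardless of the flag, a comment such as `// Histogram bucketing only: weak keys are rejected below regardless of BR scope.` above `baseline_keysize_applies` would make clear that this gating affects the metric, not enforcement. ExaminePublicKeys continues past the end of this hunk, and the -140,7 hunk consumes the same flag unchanged.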