Fix Sharding logic with using notbefore of a certificate. (google#647)

According to GoogleChrome/CertificateTransparency#6, a NotAfter validity field of a X509 Certificate should be used. The policy is as follows. For a certificate to be accepted by the Log that has a time range specified. The certificate’s ‘Not After’ validity field value must: Be at or after ‘Start’ and Be before ‘End’
n-ct · Mar 1, 2020 · 1583ee0 · 1583ee0
1 parent 4faf9cf
commit 1583ee0
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 33 deletions.
diff --git a/loglist2/logfilter.go b/loglist2/logfilter.go
@@ -97,7 +97,7 @@ func (ll *LogList) RootCompatible(certRoot *x509.Certificate, roots LogRoots) Lo
 
 // TemporallyCompatible creates a new LogList containing only the logs of
 // original LogList that are compatible with the provided cert, according to
-// NotBefore and TemporalInterval matching.
+// NotAfter and TemporalInterval matching.
 // Returns empty LogList if nil-cert is provided.
 func (ll *LogList) TemporallyCompatible(cert *x509.Certificate) LogList {
 	var compatible LogList
@@ -113,7 +113,7 @@ func (ll *LogList) TemporallyCompatible(cert *x509.Certificate) LogList {
 				compatibleOp.Logs = append(compatibleOp.Logs, l)
 				continue
 			}
-			if cert.NotBefore.Before(l.TemporalInterval.EndExclusive) && (cert.NotBefore.After(l.TemporalInterval.StartInclusive) || cert.NotBefore.Equal(l.TemporalInterval.StartInclusive)) {
+			if cert.NotAfter.Before(l.TemporalInterval.EndExclusive) && (cert.NotAfter.After(l.TemporalInterval.StartInclusive) || cert.NotAfter.Equal(l.TemporalInterval.StartInclusive)) {
 				compatibleOp.Logs = append(compatibleOp.Logs, l)
 			}
 		}

diff --git a/loglist2/logfilter_test.go b/loglist2/logfilter_test.go
@@ -174,53 +174,53 @@ func TestTemporallyCompatible(t *testing.T) {
 	cert, _ := x509util.CertificateFromPEM([]byte(testdata.TestPreCertPEM))
 
 	tests := []struct {
-		name      string
-		in        LogList
-		cert      *x509.Certificate
-		notBefore time.Time
-		want      LogList
+		name     string
+		in       LogList
+		cert     *x509.Certificate
+		notAfter time.Time
+		want     LogList
 	}{
 		{
-			name:      "AllLogsFitTemporally",
-			in:        sampleLogList,
-			cert:      cert,
-			notBefore: stripErr(time.Parse(time.UnixDate, "Sat Nov 8 11:06:00 PST 2014")),
-			want:      subLogList(map[string]bool{"https://ct.googleapis.com/aviator/": true, "https://log.bob.io": true, "https://ct.googleapis.com/icarus/": true, "https://ct.googleapis.com/racketeer/": true, "https://ct.googleapis.com/rocketeer/": true}),
+			name:     "AllLogsFitTemporally",
+			in:       sampleLogList,
+			cert:     cert,
+			notAfter: stripErr(time.Parse(time.UnixDate, "Sat Nov 8 11:06:00 PST 2014")),
+			want:     subLogList(map[string]bool{"https://ct.googleapis.com/aviator/": true, "https://log.bob.io": true, "https://ct.googleapis.com/icarus/": true, "https://ct.googleapis.com/racketeer/": true, "https://ct.googleapis.com/rocketeer/": true}),
 		},
 		{
-			name:      "OperatorExcludedAllItsLogsMismatch",
-			in:        sampleLogList,
-			cert:      cert,
-			notBefore: stripErr(time.Parse(time.UnixDate, "Sat Mar 8 11:06:00 PST 2014")),
-			want:      subLogList(map[string]bool{"https://ct.googleapis.com/aviator/": true, "https://ct.googleapis.com/icarus/": true, "https://ct.googleapis.com/racketeer/": true, "https://ct.googleapis.com/rocketeer/": true}),
+			name:     "OperatorExcludedAllItsLogsMismatch",
+			in:       sampleLogList,
+			cert:     cert,
+			notAfter: stripErr(time.Parse(time.UnixDate, "Sat Mar 8 11:06:00 PST 2014")),
+			want:     subLogList(map[string]bool{"https://ct.googleapis.com/aviator/": true, "https://ct.googleapis.com/icarus/": true, "https://ct.googleapis.com/racketeer/": true, "https://ct.googleapis.com/rocketeer/": true}),
 		},
 		{
-			name:      "TwoLogsAfterCertTimeExcluded",
-			in:        sampleLogList,
-			cert:      cert,
-			notBefore: stripErr(time.Parse(time.UnixDate, "Sat Mar 8 11:06:00 PST 2013")),
-			want:      subLogList(map[string]bool{"https://ct.googleapis.com/icarus/": true, "https://ct.googleapis.com/racketeer/": true, "https://ct.googleapis.com/rocketeer/": true}),
+			name:     "TwoLogsAfterCertTimeExcluded",
+			in:       sampleLogList,
+			cert:     cert,
+			notAfter: stripErr(time.Parse(time.UnixDate, "Sat Mar 8 11:06:00 PST 2013")),
+			want:     subLogList(map[string]bool{"https://ct.googleapis.com/icarus/": true, "https://ct.googleapis.com/racketeer/": true, "https://ct.googleapis.com/rocketeer/": true}),
 		},
 		{
-			name:      "TwoLogsBeforeCertTimeExcluded",
-			in:        sampleLogList,
-			cert:      cert,
-			notBefore: stripErr(time.Parse(time.UnixDate, "Sat Mar 8 11:06:00 PST 2016")),
-			want:      subLogList(map[string]bool{"https://ct.googleapis.com/icarus/": true, "https://ct.googleapis.com/racketeer/": true, "https://ct.googleapis.com/rocketeer/": true}),
+			name:     "TwoLogsBeforeCertTimeExcluded",
+			in:       sampleLogList,
+			cert:     cert,
+			notAfter: stripErr(time.Parse(time.UnixDate, "Sat Mar 8 11:06:00 PST 2016")),
+			want:     subLogList(map[string]bool{"https://ct.googleapis.com/icarus/": true, "https://ct.googleapis.com/racketeer/": true, "https://ct.googleapis.com/rocketeer/": true}),
 		},
 		{
-			name:      "NilCert",
-			in:        sampleLogList,
-			cert:      nil,
-			notBefore: stripErr(time.Parse(time.UnixDate, "Sat Nov 8 11:06:00 PST 2014")),
-			want:      subLogList(map[string]bool{}),
+			name:     "NilCert",
+			in:       sampleLogList,
+			cert:     nil,
+			notAfter: stripErr(time.Parse(time.UnixDate, "Sat Nov 8 11:06:00 PST 2014")),
+			want:     subLogList(map[string]bool{}),
 		},
 	}
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			if test.cert != nil {
-				test.cert.NotBefore = test.notBefore
+				test.cert.NotAfter = test.notAfter
 			}
 			got := test.in.TemporallyCompatible(test.cert)
 			if diff := pretty.Compare(test.want, got); diff != "" {