From c23cf29075ee479f0b5d9af5030b658c17bcbbc9 Mon Sep 17 00:00:00 2001
From: eccopark <52172533+eccopark@users.noreply.github.com>
Date: Thu, 6 Feb 2020 06:41:08 -0800
Subject: [PATCH] Fix Sharding logic with using notbefore of a certificate. (#647)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
According to https://github.com/chromium/ct-policy/issues/6, a NotAfter validity field of a X509 Certificate should be used. The policy is as follows. For a certificate to be accepted by the Log that has a time range specified. The certificate’s ‘Not After’ validity field value must: Be at or after ‘Start’ and Be before ‘End’
---
 loglist2/logfilter.go | 4 +--
 loglist2/logfilter_test.go | 62 +++++++++++++++++++-------------------
 2 files changed, 33 insertions(+), 33 deletions(-)
diff --git a/loglist2/logfilter.go b/loglist2/logfilter.go
index 5d055375684..e7a325957cb 100644
--- a/loglist2/logfilter.go
+++ b/loglist2/logfilter.go
@@ -97,7 +97,7 @@ func (ll *LogList) RootCompatible(certRoot *x509.Certificate, roots LogRoots) Lo
 // TemporallyCompatible creates a new LogList containing only the logs of
 // original LogList that are compatible with the provided cert, according to
-// NotBefore and TemporalInterval matching.
+// NotAfter and TemporalInterval matching.
 // Returns empty LogList if nil-cert is provided.
 func (ll *LogList) TemporallyCompatible(cert *x509.Certificate) LogList {
 var compatible LogList
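Review bot: The reworded comment on the `+// NotAfter and TemporalInterval matching.` line names the field but not the rule, so a reader still has to open the loop body to learn which boundary is inclusive. Suggest adding directly below it `// A log with a TemporalInterval is kept when StartInclusive <= cert.NotAfter < EndExclusive,` and `// as required by the CT log policy (https://github.com/chromium/ct-policy/issues/6).`, which is the rule the commit description quotes. The body of TemporallyCompatible continues past the end of this hunk.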
@@ -113,7 +113,7 @@ func (ll *LogList) TemporallyCompatible(cert *x509.Certificate) LogList {
 compatibleOp.Logs = append(compatibleOp.Logs, l)
 continue
 }
- if cert.NotBefore.Before(l.TemporalInterval.EndExclusive) && (cert.NotBefore.After(l.TemporalInterval.StartInclusive) || cert.NotBefore.Equal(l.TemporalInterval.StartInclusive)) {
+ if cert.NotAfter.Before(l.TemporalInterval.EndExclusive) && (cert.NotAfter.After(l.TemporalInterval.StartInclusive) || cert.NotAfter.Equal(l.TemporalInterval.StartInclusive)) {
 compatibleOp.Logs = append(compatibleOp.Logs, l)
 }
 }
diff --git a/loglist2/logfilter_test.go b/loglist2/logfilter_test.go
index 230879d646f..6ebad7e3740 100644
--- a/loglist2/logfilter_test.go
+++ b/loglist2/logfilter_test.go
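Review bot: The added condition spells the half-open interval out as three Time comparisons, which is the shape that let the NotBefore/NotAfter mix-up hide in plain sight; `!cert.NotAfter.Before(l.TemporalInterval.StartInclusive) && cert.NotAfter.Before(l.TemporalInterval.EndExclusive)` is equivalent and reads as the `[Start, End)` check the description quotes. A one-line comment above it, `// The log policy shards by the certificate's NotAfter, not NotBefore.`, would stop the next reader from "fixing" it back, since nothing in the loop says which field is correct. The condition guarding the `continue` branch at the top of the hunk is outside it, so I could not confirm that logs without a TemporalInterval are handled before this comparison runs. The enclosing function starts and ends outside the hunk.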
@@ -174,53 +174,53 @@ func TestTemporallyCompatible(t *testing.T) {
 cert, _ := x509util.CertificateFromPEM([]byte(testdata.TestPreCertPEM))
 tests := []struct {
- name string
- in LogList
- cert *x509.Certificate
- notBefore time.Time
- want LogList
+ name string
+ in LogList
+ cert *x509.Certificate
+ notAfter time.Time
+ want LogList
 }{
 {
- name: "AllLogsFitTemporally",
- in: sampleLogList,
- cert: cert,
- notBefore: stripErr(time.Parse(time.UnixDate, "Sat Nov 8 11:06:00 PST 2014")),
- want: subLogList(map[string]bool{"https://ct.googleapis.com/aviator/": true, "https://log.bob.io": true, "https://ct.googleapis.com/icarus/": true, "https://ct.googleapis.com/racketeer/": true, "https://ct.googleapis.com/rocketeer/": true}),
+ name: "AllLogsFitTemporally",
+ in: sampleLogList,
+ cert: cert,
+ notAfter: stripErr(time.Parse(time.UnixDate, "Sat Nov 8 11:06:00 PST 2014")),
+ want: subLogList(map[string]bool{"https://ct.googleapis.com/aviator/": true, "https://log.bob.io": true, "https://ct.googleapis.com/icarus/": true, "https://ct.googleapis.com/racketeer/": true, "https://ct.googleapis.com/rocketeer/": true}),
 },
 {
- name: "OperatorExcludedAllItsLogsMismatch",
- in: sampleLogList,
- cert: cert,
- notBefore: stripErr(time.Parse(time.UnixDate, "Sat Mar 8 11:06:00 PST 2014")),
- want: subLogList(map[string]bool{"https://ct.googleapis.com/aviator/": true, "https://ct.googleapis.com/icarus/": true, "https://ct.googleapis.com/racketeer/": true, "https://ct.googleapis.com/rocketeer/": true}),
+ name: "OperatorExcludedAllItsLogsMismatch",
+ in: sampleLogList,
+ cert: cert,
+ notAfter: stripErr(time.Parse(time.UnixDate, "Sat Mar 8 11:06:00 PST 2014")),
+ want: subLogList(map[string]bool{"https://ct.googleapis.com/aviator/": true, "https://ct.googleapis.com/icarus/": true, "https://ct.googleapis.com/racketeer/": true, "https://ct.googleapis.com/rocketeer/": true}),
 },
 {
- name: "TwoLogsAfterCertTimeExcluded",
- in: sampleLogList,
- cert: cert,
- notBefore: stripErr(time.Parse(time.UnixDate, "Sat Mar 8 11:06:00 PST 2013")),
- want: subLogList(map[string]bool{"https://ct.googleapis.com/icarus/": true, "https://ct.googleapis.com/racketeer/": true, "https://ct.googleapis.com/rocketeer/": true}),
+ name: "TwoLogsAfterCertTimeExcluded",
+ in: sampleLogList,
+ cert: cert,
+ notAfter: stripErr(time.Parse(time.UnixDate, "Sat Mar 8 11:06:00 PST 2013")),
+ want: subLogList(map[string]bool{"https://ct.googleapis.com/icarus/": true, "https://ct.googleapis.com/racketeer/": true, "https://ct.googleapis.com/rocketeer/": true}),
 },
 {
- name: "TwoLogsBeforeCertTimeExcluded",
- in: sampleLogList,
- cert: cert,
- notBefore: stripErr(time.Parse(time.UnixDate, "Sat Mar 8 11:06:00 PST 2016")),
- want: subLogList(map[string]bool{"https://ct.googleapis.com/icarus/": true, "https://ct.googleapis.com/racketeer/": true, "https://ct.googleapis.com/rocketeer/": true}),
+ name: "TwoLogsBeforeCertTimeExcluded",
+ in: sampleLogList,
+ cert: cert,
+ notAfter: stripErr(time.Parse(time.UnixDate, "Sat Mar 8 11:06:00 PST 2016")),
+ want: subLogList(map[string]bool{"https://ct.googleapis.com/icarus/": true, "https://ct.googleapis.com/racketeer/": true, "https://ct.googleapis.com/rocketeer/": true}),
 },
 {
- name: "NilCert",
- in: sampleLogList,
- cert: nil,
- notBefore: stripErr(time.Parse(time.UnixDate, "Sat Nov 8 11:06:00 PST 2014")),
- want: subLogList(map[string]bool{}),
+ name: "NilCert",
+ in: sampleLogList,
+ cert: nil,
+ notAfter: stripErr(time.Parse(time.UnixDate, "Sat Nov 8 11:06:00 PST 2014")),
+ want: subLogList(map[string]bool{}),
 },
 }
 for _, test := range tests {
 t.Run(test.name, func(t *testing.T) {
 if test.cert != nil {
- test.cert.NotBefore = test.notBefore
+ test.cert.NotAfter = test.notAfter
 }
 got := test.in.TemporallyCompatible(test.cert)
 if diff := pretty.Compare(test.want, got); diff != "" {
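Review bot: The new cases only move the value from `notBefore` to `notAfter`, so they do not prove the function stopped reading NotBefore: the fixture's own NotBefore still sits in `cert` and may happen to satisfy the same interval, in which case a regression back to NotBefore would pass. Pinning it next to the assignment, e.g. `test.cert.NotBefore = stripErr(time.Parse(time.UnixDate, "Sat Jan 1 00:00:00 PST 2000"))` (constructed value; pick a date outside every sampleLogList interval, which I cannot see from this hunk), would make each case fail if the comparison reverted. The subtests also mutate the shared `cert` pointer in place, so every later case inherits what the previous one set; harmless today because each non-nil case assigns NotAfter, but a one-line comment saying so would keep a future case from relying on fixture defaults. TestTemporallyCompatible continues past the end of this hunk.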