Skip to content

Commit

Permalink
Fix Sharding logic with using notbefore of a certificate. (#647)
Browse files Browse the repository at this point in the history
According to GoogleChrome/CertificateTransparency#6, a NotAfter
validity field of a X509 Certificate should be used.

The policy is as follows.
For a certificate to be accepted by the Log that has a time range
specified.
The certificate’s ‘Not After’ validity field value must:
Be at or after ‘Start’ and Be before ‘End’
  • Loading branch information
eccopark authored Feb 6, 2020
1 parent 203e829 commit 1be4951
Show file tree
Hide file tree
Showing 2 changed files with 33 additions and 33 deletions.
4 changes: 2 additions & 2 deletions loglist2/logfilter.go
Original file line number Diff line number Diff line change
Expand Up @@ -97,7 +97,7 @@ func (ll *LogList) RootCompatible(certRoot *x509.Certificate, roots LogRoots) Lo

// TemporallyCompatible creates a new LogList containing only the logs of
// original LogList that are compatible with the provided cert, according to
// NotBefore and TemporalInterval matching.
// NotAfter and TemporalInterval matching.
// Returns empty LogList if nil-cert is provided.
func (ll *LogList) TemporallyCompatible(cert *x509.Certificate) LogList {
var compatible LogList
Expand All @@ -113,7 +113,7 @@ func (ll *LogList) TemporallyCompatible(cert *x509.Certificate) LogList {
compatibleOp.Logs = append(compatibleOp.Logs, l)
continue
}
if cert.NotBefore.Before(l.TemporalInterval.EndExclusive) && (cert.NotBefore.After(l.TemporalInterval.StartInclusive) || cert.NotBefore.Equal(l.TemporalInterval.StartInclusive)) {
if cert.NotAfter.Before(l.TemporalInterval.EndExclusive) && (cert.NotAfter.After(l.TemporalInterval.StartInclusive) || cert.NotAfter.Equal(l.TemporalInterval.StartInclusive)) {
compatibleOp.Logs = append(compatibleOp.Logs, l)
}
}
Expand Down
62 changes: 31 additions & 31 deletions loglist2/logfilter_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -174,53 +174,53 @@ func TestTemporallyCompatible(t *testing.T) {
cert, _ := x509util.CertificateFromPEM([]byte(testdata.TestPreCertPEM))

tests := []struct {
name string
in LogList
cert *x509.Certificate
notBefore time.Time
want LogList
name string
in LogList
cert *x509.Certificate
notAfter time.Time
want LogList
}{
{
name: "AllLogsFitTemporally",
in: sampleLogList,
cert: cert,
notBefore: stripErr(time.Parse(time.UnixDate, "Sat Nov 8 11:06:00 PST 2014")),
want: subLogList(map[string]bool{"https://ct.googleapis.com/aviator/": true, "https://log.bob.io": true, "https://ct.googleapis.com/icarus/": true, "https://ct.googleapis.com/racketeer/": true, "https://ct.googleapis.com/rocketeer/": true}),
name: "AllLogsFitTemporally",
in: sampleLogList,
cert: cert,
notAfter: stripErr(time.Parse(time.UnixDate, "Sat Nov 8 11:06:00 PST 2014")),
want: subLogList(map[string]bool{"https://ct.googleapis.com/aviator/": true, "https://log.bob.io": true, "https://ct.googleapis.com/icarus/": true, "https://ct.googleapis.com/racketeer/": true, "https://ct.googleapis.com/rocketeer/": true}),
},
{
name: "OperatorExcludedAllItsLogsMismatch",
in: sampleLogList,
cert: cert,
notBefore: stripErr(time.Parse(time.UnixDate, "Sat Mar 8 11:06:00 PST 2014")),
want: subLogList(map[string]bool{"https://ct.googleapis.com/aviator/": true, "https://ct.googleapis.com/icarus/": true, "https://ct.googleapis.com/racketeer/": true, "https://ct.googleapis.com/rocketeer/": true}),
name: "OperatorExcludedAllItsLogsMismatch",
in: sampleLogList,
cert: cert,
notAfter: stripErr(time.Parse(time.UnixDate, "Sat Mar 8 11:06:00 PST 2014")),
want: subLogList(map[string]bool{"https://ct.googleapis.com/aviator/": true, "https://ct.googleapis.com/icarus/": true, "https://ct.googleapis.com/racketeer/": true, "https://ct.googleapis.com/rocketeer/": true}),
},
{
name: "TwoLogsAfterCertTimeExcluded",
in: sampleLogList,
cert: cert,
notBefore: stripErr(time.Parse(time.UnixDate, "Sat Mar 8 11:06:00 PST 2013")),
want: subLogList(map[string]bool{"https://ct.googleapis.com/icarus/": true, "https://ct.googleapis.com/racketeer/": true, "https://ct.googleapis.com/rocketeer/": true}),
name: "TwoLogsAfterCertTimeExcluded",
in: sampleLogList,
cert: cert,
notAfter: stripErr(time.Parse(time.UnixDate, "Sat Mar 8 11:06:00 PST 2013")),
want: subLogList(map[string]bool{"https://ct.googleapis.com/icarus/": true, "https://ct.googleapis.com/racketeer/": true, "https://ct.googleapis.com/rocketeer/": true}),
},
{
name: "TwoLogsBeforeCertTimeExcluded",
in: sampleLogList,
cert: cert,
notBefore: stripErr(time.Parse(time.UnixDate, "Sat Mar 8 11:06:00 PST 2016")),
want: subLogList(map[string]bool{"https://ct.googleapis.com/icarus/": true, "https://ct.googleapis.com/racketeer/": true, "https://ct.googleapis.com/rocketeer/": true}),
name: "TwoLogsBeforeCertTimeExcluded",
in: sampleLogList,
cert: cert,
notAfter: stripErr(time.Parse(time.UnixDate, "Sat Mar 8 11:06:00 PST 2016")),
want: subLogList(map[string]bool{"https://ct.googleapis.com/icarus/": true, "https://ct.googleapis.com/racketeer/": true, "https://ct.googleapis.com/rocketeer/": true}),
},
{
name: "NilCert",
in: sampleLogList,
cert: nil,
notBefore: stripErr(time.Parse(time.UnixDate, "Sat Nov 8 11:06:00 PST 2014")),
want: subLogList(map[string]bool{}),
name: "NilCert",
in: sampleLogList,
cert: nil,
notAfter: stripErr(time.Parse(time.UnixDate, "Sat Nov 8 11:06:00 PST 2014")),
want: subLogList(map[string]bool{}),
},
}

for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
if test.cert != nil {
test.cert.NotBefore = test.notBefore
test.cert.NotAfter = test.notAfter
}
got := test.in.TemporallyCompatible(test.cert)
if diff := pretty.Compare(test.want, got); diff != "" {
Expand Down

0 comments on commit 1be4951

Please sign in to comment.