
commit 5d4aa3bd96bcce9bdd821b1b9457e84f03581592
parent cc84f9200946018c16d075cc9a407a5ef22b67b5
Author: Dana Keeler <dkeeler@mozilla.com>
Date:   Tue,  2 Dec 2025 00:41:32 +0000

Bug 2003369 - remove "at least one RFC 6962 log" requirement from certificate transparency policy r=jschanck

This change makes it so connections no longer require at least one SCT from an
RFC 6962 log.

Differential Revision: https://phabricator.services.mozilla.com/D274649

Diffstat:
Msecurity/ct/CTPolicyEnforcer.cpp | 17+++--------------
Msecurity/ct/tests/gtest/CTPolicyEnforcerTest.cpp | 9++++-----
2 files changed, 7 insertions(+), 19 deletions(-)

diff --git a/security/ct/CTPolicyEnforcer.cpp b/security/ct/CTPolicyEnforcer.cpp
@@ -75,13 +75,11 @@ bool LogWasQualifiedForSct(const VerifiedSCT& verifiedSct,
 // lifetime of the certificate. If the certificate lifetime is less than or
 // equal to 180 days, N is 2. Otherwise, N is 3.
 // Among these SCTs, at least two must be issued from distinct log operators.
-// Additionally, at least one must be issued from an RFC6962 log.
 CTPolicyCompliance EmbeddedSCTsCompliant(const VerifiedSCTList& verifiedScts,
                                          uint64_t certIssuanceTime,
                                          Duration certLifetime) {
   size_t admissibleCount = 0;
   size_t admissibleOrRetiredCount = 0;
-  size_t rfc6962Count = 0;
   std::set<CTLogOperatorId> logOperators;
   std::set<Buffer> logIds;
   for (const auto& verifiedSct : verifiedScts) {
@@ -97,9 +95,6 @@ CTPolicyCompliance EmbeddedSCTsCompliant(const VerifiedSCTList& verifiedScts,
         verifiedSct.sct.leafIndex.isNothing()) {
       continue;
     }
-    if (verifiedSct.logFormat == CTLogFormat::RFC6962) {
-      rfc6962Count++;
-    }
     // Note that a single SCT can count for both the "from a log that was
     // admissible" case and the "from a log that was admissible or retired"
     // case.
@@ -114,8 +109,7 @@ CTPolicyCompliance EmbeddedSCTsCompliant(const VerifiedSCTList& verifiedScts,
   }
 
   size_t requiredEmbeddedScts = GetRequiredEmbeddedSctsCount(certLifetime);
-  if (admissibleCount < 1 || admissibleOrRetiredCount < requiredEmbeddedScts ||
-      rfc6962Count < 1) {
+  if (admissibleCount < 1 || admissibleOrRetiredCount < requiredEmbeddedScts) {
     return CTPolicyCompliance::NotEnoughScts;
   }
   if (logIds.size() < requiredEmbeddedScts || logOperators.size() < 2) {
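Review bot: The policy comment retained at the top of the first hunk now says nothing about log format, so a later reader cannot tell whether counting Tiled and RFC 6962 SCTs identically is deliberate or an omission; add one line after the distinct-operators sentence, `// SCTs from RFC 6962 and tiled logs count equally; no per-format minimum applies.` What still gates compliance in the third hunk is one admissible SCT, N admissible-or-retired SCTs, N distinct log IDs and two distinct operators, which is the property the Tiled-only tests in this commit exercise. The leaf-index skip in the second hunk is the only remaining place where a format-specific field influences the count, and its condition starts outside the hunk. EmbeddedSCTsCompliant's loop body, including where logIds and logOperators are filled, lies between the hunks and is not visible here.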
@@ -128,12 +122,10 @@ CTPolicyCompliance EmbeddedSCTsCompliant(const VerifiedSCTList& verifiedScts,
 // or OCSP response):
 // There must be at least two SCTs from logs that were Admissible (i.e.
 // Qualified, Usable, or ReadOnly) at the time of the check. Among these SCTs,
-// at least two must be issued from distinct log operators. Additionally, at
-// least one must be issued from an RFC6962 log.
+// at least two must be issued from distinct log operators.
 CTPolicyCompliance NonEmbeddedSCTsCompliant(
     const VerifiedSCTList& verifiedScts) {
   size_t admissibleCount = 0;
-  size_t rfc6962Count = 0;
   std::set<CTLogOperatorId> logOperators;
   std::set<Buffer> logIds;
   for (const auto& verifiedSct : verifiedScts) {
@@ -149,14 +141,11 @@ CTPolicyCompliance NonEmbeddedSCTsCompliant(
       continue;
     }
     admissibleCount++;
-    if (verifiedSct.logFormat == CTLogFormat::RFC6962) {
-      rfc6962Count++;
-    }
     logIds.insert(verifiedSct.sct.logId);
     logOperators.insert(verifiedSct.logOperatorId);
   }
 
-  if (admissibleCount < 2 || rfc6962Count < 1) {
+  if (admissibleCount < 2) {
     return CTPolicyCompliance::NotEnoughScts;
   }
   if (logIds.size() < 2 || logOperators.size() < 2) {
diff --git a/security/ct/tests/gtest/CTPolicyEnforcerTest.cpp b/security/ct/tests/gtest/CTPolicyEnforcerTest.cpp
@@ -323,7 +323,7 @@ TEST_F(CTPolicyEnforcerTest,
   CheckCompliance(scts, DEFAULT_LIFETIME, CTPolicyCompliance::Compliant);
 }
 
-TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTPolicyWithNoRFC6962Logs) {
+TEST_F(CTPolicyEnforcerTest, DoesConformToCTPolicyWithNoRFC6962Logs) {
   VerifiedSCTList scts;
   AddSct(scts, LOG_1, OPERATOR_1, ORIGIN_TLS, TIMESTAMP_1,
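Review bot: In the NonEmbeddedSCTsCompliant hunk, `admissibleCount < 2` can no longer fail on its own: `logIds.insert` runs exactly once per SCT that increments admissibleCount, so `logIds.size() <= admissibleCount` holds and every input the first check rejects is also rejected by the `logIds.size() < 2` check below; the first check now only selects the NotEnoughScts reason. That is acceptable, but it deserves a comment so a later cleanup does not merge the two conditions and silently change which compliance value callers see, e.g. `// Kept separate from the diversity check below so that too few SCTs still reports NotEnoughScts.` The test-file hunk that starts on this line is cut off after the first AddSct argument line, so the body of DoesConformToCTPolicyWithNoRFC6962Logs is not reviewable here.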
@@ -331,11 +331,10 @@ TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTPolicyWithNoRFC6962Logs) {
   AddSct(scts, LOG_2, OPERATOR_2, ORIGIN_TLS, TIMESTAMP_1,
          CTLogState::Admissible, CTLogFormat::Tiled, Some(23));
-  CheckCompliance(scts, DEFAULT_LIFETIME, CTPolicyCompliance::NotEnoughScts);
+  CheckCompliance(scts, DEFAULT_LIFETIME, CTPolicyCompliance::Compliant);
 }
 
-TEST_F(CTPolicyEnforcerTest,
-       DoesNotConformToCTPolicyWithNoRFC6962LogsEmbedded) {
+TEST_F(CTPolicyEnforcerTest, DoesConformToCTPolicyWithNoRFC6962LogsEmbedded) {
   VerifiedSCTList scts;
   // 3 embedded SCTs required for DEFAULT_LIFETIME.
@@ -346,7 +345,7 @@ TEST_F(CTPolicyEnforcerTest,
   AddSct(scts, LOG_3, OPERATOR_2, ORIGIN_EMBEDDED, TIMESTAMP_1,
          CTLogState::Admissible, CTLogFormat::Tiled, Some(23));
-  CheckCompliance(scts, DEFAULT_LIFETIME, CTPolicyCompliance::NotEnoughScts);
+  CheckCompliance(scts, DEFAULT_LIFETIME, CTPolicyCompliance::Compliant);
 }
 
 TEST_F(CTPolicyEnforcerTest,