gecko-dev/security/ct/moz.build
Dana Keeler 49686e9766 Bug 1912120 - implement updated certificate transparency policy r=jschanck
This updates the certificate transparency policy based on Chrome's policy,
found at https://googlechrome.github.io/CertificateTransparency/ct_policy.html.
Both it and the Chrome policy are similar to the Apple policy, found at
https://support.apple.com/en-us/103214.

Essentially, the policy can be satisfied in two ways, depending on the source
of the collected SCTs.
For embedded SCTs, at least one must be from a log that was Admissible
(Qualified, Usable, or ReadOnly) at the time of the check. There must be SCTs
from N distinct logs that were Admissible or Retired at the time of the check,
where N depends on the lifetime of the certificate. If the certificate lifetime
is less than or equal to 180 days, N is 2. Otherwise, N is 3. Among these SCTs,
at least two must be issued from distinct log operators.
For SCTs delivered via the TLS handshake or an OCSP response, at least two must
be from a log that was Admissible at the time of the check. Among these SCTs,
at least two must be issued from distinct log operators.

Differential Revision: https://phabricator.services.mozilla.com/D218800
2024-08-12 19:41:58 +00:00
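The two-route check described in the commit message, as an added Python example that is not the project's own CTPolicyEnforcer code; the log identifiers, operator names and the `source` field are constructed for illustration:

```python
from dataclasses import dataclass
from enum import Enum

class LogState(Enum):
    """State of a CT log at the time of the check (names from the commit message)."""
    QUALIFIED = "qualified"
    USABLE = "usable"
    READONLY = "readonly"
    RETIRED = "retired"
    OTHER = "other"  # pending, rejected, unknown: neither Admissible nor Retired

ADMISSIBLE = {LogState.QUALIFIED, LogState.USABLE, LogState.READONLY}

@dataclass(frozen=True)
class SCT:
    log_id: str      # hypothetical identifier of the issuing log
    operator: str    # hypothetical log operator name
    state: LogState  # issuing log's state at the time of the check
    source: str      # "embedded", "tls" or "ocsp"

def required_embedded_logs(cert_lifetime_days: int) -> int:
    """N distinct logs required for embedded SCTs: 2 for <= 180 days, else 3."""
    return 2 if cert_lifetime_days <= 180 else 3

def embedded_ok(scts: list[SCT], cert_lifetime_days: int) -> bool:
    embedded = [s for s in scts if s.source == "embedded"]
    # At least one SCT must come from a log that is currently Admissible.
    if not any(s.state in ADMISSIBLE for s in embedded):
        return False
    # Distinct logs that were Admissible or Retired count towards N.
    counted = [s for s in embedded if s.state in ADMISSIBLE or s.state is LogState.RETIRED]
    if len({s.log_id for s in counted}) < required_embedded_logs(cert_lifetime_days):
        return False
    # Those SCTs must span at least two distinct log operators.
    return len({s.operator for s in counted}) >= 2

def delivered_ok(scts: list[SCT]) -> bool:
    # SCTs from the TLS handshake or OCSP: Retired logs do not count at all.
    delivered = [s for s in scts
                 if s.source in ("tls", "ocsp") and s.state in ADMISSIBLE]
    if len({s.log_id for s in delivered}) < 2:
        return False
    return len({s.operator for s in delivered}) >= 2

def ct_policy_satisfied(scts: list[SCT], cert_lifetime_days: int) -> bool:
    """Either route satisfies the policy."""
    return embedded_ok(scts, cert_lifetime_days) or delivered_ok(scts)
```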


# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
# vim: set filetype=python:
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

with Files("**"):
    BUG_COMPONENT = ("Core", "Security: PSM")

EXPORTS += [
    "BTTypes.h",
    "BTVerifier.h",
    "Buffer.h",
    "CTKnownLogs.h",
    "CTLog.h",
    "CTPolicyEnforcer.h",
    "CTVerifyResult.h",
    "SignedCertificateTimestamp.h",
]

UNIFIED_SOURCES += [
    "BTVerifier.cpp",
    "Buffer.cpp",
    "CTLogVerifier.cpp",
    "CTObjectsExtractor.cpp",
    "CTPolicyEnforcer.cpp",
    "CTSerialization.cpp",
    "CTVerifyResult.cpp",
    "MultiLogCTVerifier.cpp",
    "SignedCertificateTimestamp.cpp",
]

TEST_DIRS += [
    "tests/gtest",
]

if not CONFIG["MOZ_DEBUG"]:
    DEFINES["NDEBUG"] = True

CXXFLAGS += [
    "-Wextra",
    "-Wunreachable-code",
]

# Gecko headers aren't warning-free enough for us to enable these warnings.
CXXFLAGS += [
    "-Wno-unused-parameter",
]

FINAL_LIBRARY = "xul"

if CONFIG["CC_TYPE"] == "clang-cl":
    AllowCompilerWarnings()  # workaround for bug 1090497