Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(99)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/cert_verify_proc.cc

Issue 1042973002: Implement the ability to whitelist certs from specific issuers (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Stupid windows Created 5 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | net/cert/cert_verify_proc_whitelist.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/cert_verify_proc.h" 5 #include "net/cert/cert_verify_proc.h"
6 6
7 #include <stdint.h> 7 #include <stdint.h>
8 8
9 #include "base/basictypes.h" 9 #include "base/basictypes.h"
10 #include "base/metrics/histogram.h" 10 #include "base/metrics/histogram.h"
11 #include "base/sha1.h" 11 #include "base/sha1.h"
12 #include "base/strings/stringprintf.h" 12 #include "base/strings/stringprintf.h"
13 #include "base/time/time.h" 13 #include "base/time/time.h"
14 #include "build/build_config.h" 14 #include "build/build_config.h"
15 #include "net/base/net_errors.h" 15 #include "net/base/net_errors.h"
16 #include "net/base/net_util.h" 16 #include "net/base/net_util.h"
17 #include "net/base/registry_controlled_domains/registry_controlled_domain.h" 17 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
18 #include "net/cert/cert_status_flags.h" 18 #include "net/cert/cert_status_flags.h"
19 #include "net/cert/cert_verifier.h" 19 #include "net/cert/cert_verifier.h"
20 #include "net/cert/cert_verify_proc_whitelist.h"
20 #include "net/cert/cert_verify_result.h" 21 #include "net/cert/cert_verify_result.h"
21 #include "net/cert/crl_set.h" 22 #include "net/cert/crl_set.h"
22 #include "net/cert/x509_certificate.h" 23 #include "net/cert/x509_certificate.h"
23 #include "url/url_canon.h" 24 #include "url/url_canon.h"
24 25
25 #if defined(USE_NSS) || defined(OS_IOS) 26 #if defined(USE_NSS) || defined(OS_IOS)
26 #include "net/cert/cert_verify_proc_nss.h" 27 #include "net/cert/cert_verify_proc_nss.h"
27 #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID) 28 #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
28 #include "net/cert/cert_verify_proc_openssl.h" 29 #include "net/cert/cert_verify_proc_openssl.h"
29 #elif defined(OS_ANDROID) 30 #elif defined(OS_ANDROID)
(...skipping 198 matching lines...) Expand 10 before | Expand all | Expand 10 after
228 std::vector<std::string> dns_names, ip_addrs; 229 std::vector<std::string> dns_names, ip_addrs;
229 cert->GetSubjectAltName(&dns_names, &ip_addrs); 230 cert->GetSubjectAltName(&dns_names, &ip_addrs);
230 if (HasNameConstraintsViolation(verify_result->public_key_hashes, 231 if (HasNameConstraintsViolation(verify_result->public_key_hashes,
231 cert->subject().common_name, 232 cert->subject().common_name,
232 dns_names, 233 dns_names,
233 ip_addrs)) { 234 ip_addrs)) {
234 verify_result->cert_status |= CERT_STATUS_NAME_CONSTRAINT_VIOLATION; 235 verify_result->cert_status |= CERT_STATUS_NAME_CONSTRAINT_VIOLATION;
235 rv = MapCertStatusToNetError(verify_result->cert_status); 236 rv = MapCertStatusToNetError(verify_result->cert_status);
236 } 237 }
237 238
239 if (IsNonWhitelistedCertificate(*verify_result->verified_cert,
240 verify_result->public_key_hashes)) {
241 verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
242 rv = MapCertStatusToNetError(verify_result->cert_status);
243 }
244
238 // Check for weak keys in the entire verified chain. 245 // Check for weak keys in the entire verified chain.
239 bool weak_key = ExaminePublicKeys(verify_result->verified_cert, 246 bool weak_key = ExaminePublicKeys(verify_result->verified_cert,
240 verify_result->is_issued_by_known_root); 247 verify_result->is_issued_by_known_root);
241 248
242 if (weak_key) { 249 if (weak_key) {
243 verify_result->cert_status |= CERT_STATUS_WEAK_KEY; 250 verify_result->cert_status |= CERT_STATUS_WEAK_KEY;
244 // Avoid replacing a more serious error, such as an OS/library failure, 251 // Avoid replacing a more serious error, such as an OS/library failure,
245 // by ensuring that if verification failed, it failed with a certificate 252 // by ensuring that if verification failed, it failed with a certificate
246 // error. 253 // error.
247 if (rv == OK || IsCertificateError(rv)) 254 if (rv == OK || IsCertificateError(rv))
(...skipping 415 matching lines...) Expand 10 before | Expand all | Expand 10 after
663 return true; 670 return true;
664 671
665 // For certificates issued after 1 April 2015: 39 months. 672 // For certificates issued after 1 April 2015: 39 months.
666 if (start >= time_2015_04_01 && month_diff > 39) 673 if (start >= time_2015_04_01 && month_diff > 39)
667 return true; 674 return true;
668 675
669 return false; 676 return false;
670 } 677 }
671 678
672 } // namespace net 679 } // namespace net
OLDNEW
« no previous file with comments | « no previous file | net/cert/cert_verify_proc_whitelist.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698