net/cert/cert_verify_proc.cc - Issue 1042973002: Implement the ability to whitelist certs from specific issuers

Side by Side Diff: net/cert/cert_verify_proc.cc

Issue 1042973002: Implement the ability to whitelist certs from specific issuers (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: WIP Created 5 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/cert/cert_verify_proc.h"	5 #include "net/cert/cert_verify_proc.h"

6	6

7 #include <stdint.h>	7 #include <stdint.h>

8	8

9 #include "base/basictypes.h"	9 #include "base/basictypes.h"

10 #include "base/metrics/histogram.h"	10 #include "base/metrics/histogram.h"

11 #include "base/sha1.h"	11 #include "base/sha1.h"

12 #include "base/strings/stringprintf.h"	12 #include "base/strings/stringprintf.h"

13 #include "base/time/time.h"	13 #include "base/time/time.h"

14 #include "build/build_config.h"	14 #include "build/build_config.h"

	15 #include "crypto/sha2.h"
	davidben 2015/03/31 02:02:12 No longer necessary here? No longer necessary here?
15 #include "net/base/net_errors.h"	16 #include "net/base/net_errors.h"

16 #include "net/base/net_util.h"	17 #include "net/base/net_util.h"

17 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"	18 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"

18 #include "net/cert/cert_status_flags.h"	19 #include "net/cert/cert_status_flags.h"

19 #include "net/cert/cert_verifier.h"	20 #include "net/cert/cert_verifier.h"

	21 #include "net/cert/cert_verify_proc_whitelist.h"

20 #include "net/cert/cert_verify_result.h"	22 #include "net/cert/cert_verify_result.h"

21 #include "net/cert/crl_set.h"	23 #include "net/cert/crl_set.h"

22 #include "net/cert/x509_certificate.h"	24 #include "net/cert/x509_certificate.h"

23 #include "url/url_canon.h"	25 #include "url/url_canon.h"

24	26

25 #if defined(USE_NSS) \|\| defined(OS_IOS)	27 #if defined(USE_NSS) \|\| defined(OS_IOS)

26 #include "net/cert/cert_verify_proc_nss.h"	28 #include "net/cert/cert_verify_proc_nss.h"

27 #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)	29 #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)

28 #include "net/cert/cert_verify_proc_openssl.h"	30 #include "net/cert/cert_verify_proc_openssl.h"

29 #elif defined(OS_ANDROID)	31 #elif defined(OS_ANDROID)

(...skipping 198 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
228 std::vector<std::string> dns_names, ip_addrs;	230 std::vector<std::string> dns_names, ip_addrs;

229 cert->GetSubjectAltName(&dns_names, &ip_addrs);	231 cert->GetSubjectAltName(&dns_names, &ip_addrs);

230 if (HasNameConstraintsViolation(verify_result->public_key_hashes,	232 if (HasNameConstraintsViolation(verify_result->public_key_hashes,

231 cert->subject().common_name,	233 cert->subject().common_name,

232 dns_names,	234 dns_names,

233 ip_addrs)) {	235 ip_addrs)) {

234 verify_result->cert_status \|= CERT_STATUS_NAME_CONSTRAINT_VIOLATION;	236 verify_result->cert_status \|= CERT_STATUS_NAME_CONSTRAINT_VIOLATION;

235 rv = MapCertStatusToNetError(verify_result->cert_status);	237 rv = MapCertStatusToNetError(verify_result->cert_status);

236 }	238 }

237	239

	240 if (IsNonWhitelistedCertificate(*verify_result->verified_cert,

	241 verify_result->public_key_hashes)) {

	242 verify_result->cert_status \|= CERT_STATUS_AUTHORITY_INVALID;

	243 rv = MapCertStatusToNetError(verify_result->cert_status);

	244 }

	245

238 // Check for weak keys in the entire verified chain.	246 // Check for weak keys in the entire verified chain.

239 bool weak_key = ExaminePublicKeys(verify_result->verified_cert,	247 bool weak_key = ExaminePublicKeys(verify_result->verified_cert,

240 verify_result->is_issued_by_known_root);	248 verify_result->is_issued_by_known_root);

241	249

242 if (weak_key) {	250 if (weak_key) {

243 verify_result->cert_status \|= CERT_STATUS_WEAK_KEY;	251 verify_result->cert_status \|= CERT_STATUS_WEAK_KEY;

244 // Avoid replacing a more serious error, such as an OS/library failure,	252 // Avoid replacing a more serious error, such as an OS/library failure,

245 // by ensuring that if verification failed, it failed with a certificate	253 // by ensuring that if verification failed, it failed with a certificate

246 // error.	254 // error.

247 if (rv == OK \|\| IsCertificateError(rv))	255 if (rv == OK \|\| IsCertificateError(rv))

(...skipping 415 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
663 return true;	671 return true;

664	672

665 // For certificates issued after 1 April 2015: 39 months.	673 // For certificates issued after 1 April 2015: 39 months.

666 if (start >= time_2015_04_01 && month_diff > 39)	674 if (start >= time_2015_04_01 && month_diff > 39)

667 return true;	675 return true;

668	676

669 return false;	677 return false;

670 }	678 }

671	679

672 } // namespace net	680 } // namespace net

OLD	NEW

« no previous file with comments | « no previous file | net/cert/cert_verify_proc_whitelist.h » ('j') | net/cert/cert_verify_proc_whitelist.cc » ('J')