| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
| 6 | 6 |
| 7 #include <stdint.h> | 7 #include <stdint.h> |
| 8 | 8 |
| 9 #include "base/basictypes.h" | |
| 10 #include "base/metrics/histogram.h" | 9 #include "base/metrics/histogram.h" |
| 11 #include "base/sha1.h" | 10 #include "base/sha1.h" |
| 12 #include "base/strings/stringprintf.h" | 11 #include "base/strings/stringprintf.h" |
| 13 #include "base/time/time.h" | 12 #include "base/time/time.h" |
| 14 #include "build/build_config.h" | 13 #include "build/build_config.h" |
| 15 #include "net/base/net_errors.h" | 14 #include "net/base/net_errors.h" |
| 16 #include "net/base/net_util.h" | 15 #include "net/base/net_util.h" |
| 17 #include "net/base/registry_controlled_domains/registry_controlled_domain.h" | 16 #include "net/base/registry_controlled_domains/registry_controlled_domain.h" |
| 18 #include "net/cert/cert_status_flags.h" | 17 #include "net/cert/cert_status_flags.h" |
| 19 #include "net/cert/cert_verifier.h" | 18 #include "net/cert/cert_verifier.h" |
| (...skipping 272 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 292 if (rv == OK) | 291 if (rv == OK) |
| 293 rv = MapCertStatusToNetError(verify_result->cert_status); | 292 rv = MapCertStatusToNetError(verify_result->cert_status); |
| 294 } | 293 } |
| 295 | 294 |
| 296 return rv; | 295 return rv; |
| 297 } | 296 } |
| 298 | 297 |
| 299 // static | 298 // static |
| 300 bool CertVerifyProc::IsBlacklisted(X509Certificate* cert) { | 299 bool CertVerifyProc::IsBlacklisted(X509Certificate* cert) { |
| 301 static const unsigned kComodoSerialBytes = 16; | 300 static const unsigned kComodoSerialBytes = 16; |
| 302 static const uint8 kComodoSerials[][kComodoSerialBytes] = { | 301 static const uint8_t kComodoSerials[][kComodoSerialBytes] = { |
| 303 // Not a real certificate. For testing only. | 302 // Not a real certificate. For testing only. |
| 304 {0x07,0x7a,0x59,0xbc,0xd5,0x34,0x59,0x60,0x1c,0xa6,0x90,0x72,0x67,0xa6,0xdd,
0x1c}, | 303 {0x07,0x7a,0x59,0xbc,0xd5,0x34,0x59,0x60,0x1c,0xa6,0x90,0x72,0x67,0xa6,0xdd,
0x1c}, |
| 305 | 304 |
| 306 // The next nine certificates all expire on Fri Mar 14 23:59:59 2014. | 305 // The next nine certificates all expire on Fri Mar 14 23:59:59 2014. |
| 307 // Some serial numbers actually have a leading 0x00 byte required to | 306 // Some serial numbers actually have a leading 0x00 byte required to |
| 308 // encode a positive integer in DER if the most significant bit is 0. | 307 // encode a positive integer in DER if the most significant bit is 0. |
| 309 // We omit the leading 0x00 bytes to make all serial numbers 16 bytes. | 308 // We omit the leading 0x00 bytes to make all serial numbers 16 bytes. |
| 310 | 309 |
| 311 // Subject: CN=mail.google.com | 310 // Subject: CN=mail.google.com |
| 312 // subjectAltName dNSName: mail.google.com, www.mail.google.com | 311 // subjectAltName dNSName: mail.google.com, www.mail.google.com |
| (...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 365 // CloudFlare revoked all certificates issued prior to April 2nd, 2014. Thus | 364 // CloudFlare revoked all certificates issued prior to April 2nd, 2014. Thus |
| 366 // all certificates where the CN ends with ".cloudflare.com" with a prior | 365 // all certificates where the CN ends with ".cloudflare.com" with a prior |
| 367 // issuance date are rejected. | 366 // issuance date are rejected. |
| 368 // | 367 // |
| 369 // The old certs had a lifetime of five years, so this can be removed April | 368 // The old certs had a lifetime of five years, so this can be removed April |
| 370 // 2nd, 2019. | 369 // 2nd, 2019. |
| 371 const std::string& cn = cert->subject().common_name; | 370 const std::string& cn = cert->subject().common_name; |
| 372 static const char kCloudFlareCNSuffix[] = ".cloudflare.com"; | 371 static const char kCloudFlareCNSuffix[] = ".cloudflare.com"; |
| 373 // kCloudFlareEpoch is the base::Time internal value for midnight at the | 372 // kCloudFlareEpoch is the base::Time internal value for midnight at the |
| 374 // beginning of April 2nd, 2014, UTC. | 373 // beginning of April 2nd, 2014, UTC. |
| 375 static const int64 kCloudFlareEpoch = INT64_C(13040870400000000); | 374 static const int64_t kCloudFlareEpoch = INT64_C(13040870400000000); |
| 376 if (cn.size() > arraysize(kCloudFlareCNSuffix) - 1 && | 375 if (cn.size() > arraysize(kCloudFlareCNSuffix) - 1 && |
| 377 cn.compare(cn.size() - (arraysize(kCloudFlareCNSuffix) - 1), | 376 cn.compare(cn.size() - (arraysize(kCloudFlareCNSuffix) - 1), |
| 378 arraysize(kCloudFlareCNSuffix) - 1, | 377 arraysize(kCloudFlareCNSuffix) - 1, |
| 379 kCloudFlareCNSuffix) == 0 && | 378 kCloudFlareCNSuffix) == 0 && |
| 380 cert->valid_start() < base::Time::FromInternalValue(kCloudFlareEpoch)) { | 379 cert->valid_start() < base::Time::FromInternalValue(kCloudFlareEpoch)) { |
| 381 return true; | 380 return true; |
| 382 } | 381 } |
| 383 | 382 |
| 384 return false; | 383 return false; |
| 385 } | 384 } |
| 386 | 385 |
| 387 // static | 386 // static |
| 388 // NOTE: This implementation assumes and enforces that the hashes are SHA1. | 387 // NOTE: This implementation assumes and enforces that the hashes are SHA1. |
| 389 bool CertVerifyProc::IsPublicKeyBlacklisted( | 388 bool CertVerifyProc::IsPublicKeyBlacklisted( |
| 390 const HashValueVector& public_key_hashes) { | 389 const HashValueVector& public_key_hashes) { |
| 391 static const unsigned kNumHashes = 17; | 390 static const unsigned kNumHashes = 17; |
| 392 static const uint8 kHashes[kNumHashes][base::kSHA1Length] = { | 391 static const uint8_t kHashes[kNumHashes][base::kSHA1Length] = { |
| 393 // Subject: CN=DigiNotar Root CA | 392 // Subject: CN=DigiNotar Root CA |
| 394 // Issuer: CN=Entrust.net x2 and self-signed | 393 // Issuer: CN=Entrust.net x2 and self-signed |
| 395 {0x41, 0x0f, 0x36, 0x36, 0x32, 0x58, 0xf3, 0x0b, 0x34, 0x7d, | 394 {0x41, 0x0f, 0x36, 0x36, 0x32, 0x58, 0xf3, 0x0b, 0x34, 0x7d, |
| 396 0x12, 0xce, 0x48, 0x63, 0xe4, 0x33, 0x43, 0x78, 0x06, 0xa8}, | 395 0x12, 0xce, 0x48, 0x63, 0xe4, 0x33, 0x43, 0x78, 0x06, 0xa8}, |
| 397 // Subject: CN=DigiNotar Cyber CA | 396 // Subject: CN=DigiNotar Cyber CA |
| 398 // Issuer: CN=GTE CyberTrust Global Root | 397 // Issuer: CN=GTE CyberTrust Global Root |
| 399 {0xc4, 0xf9, 0x66, 0x37, 0x16, 0xcd, 0x5e, 0x71, 0xd6, 0x95, | 398 {0xc4, 0xf9, 0x66, 0x37, 0x16, 0xcd, 0x5e, 0x71, 0xd6, 0x95, |
| 400 0x0b, 0x5f, 0x33, 0xce, 0x04, 0x1c, 0x95, 0xb4, 0x35, 0xd1}, | 399 0x0b, 0x5f, 0x33, 0xce, 0x04, 0x1c, 0x95, 0xb4, 0x35, 0xd1}, |
| 401 // Subject: CN=DigiNotar Services 1024 CA | 400 // Subject: CN=DigiNotar Services 1024 CA |
| 402 // Issuer: CN=Entrust.net | 401 // Issuer: CN=Entrust.net |
| (...skipping 119 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 522 return false; | 521 return false; |
| 523 } | 522 } |
| 524 | 523 |
| 525 return true; | 524 return true; |
| 526 } | 525 } |
| 527 | 526 |
| 528 // PublicKeyDomainLimitation contains a SHA1, SPKI hash and a pointer to an | 527 // PublicKeyDomainLimitation contains a SHA1, SPKI hash and a pointer to an |
| 529 // array of fixed-length strings that contain the domains that the SPKI is | 528 // array of fixed-length strings that contain the domains that the SPKI is |
| 530 // allowed to issue for. | 529 // allowed to issue for. |
| 531 struct PublicKeyDomainLimitation { | 530 struct PublicKeyDomainLimitation { |
| 532 uint8 public_key[base::kSHA1Length]; | 531 uint8_t public_key[base::kSHA1Length]; |
| 533 const char (*domains)[kMaxDomainLength]; | 532 const char (*domains)[kMaxDomainLength]; |
| 534 }; | 533 }; |
| 535 | 534 |
| 536 // static | 535 // static |
| 537 bool CertVerifyProc::HasNameConstraintsViolation( | 536 bool CertVerifyProc::HasNameConstraintsViolation( |
| 538 const HashValueVector& public_key_hashes, | 537 const HashValueVector& public_key_hashes, |
| 539 const std::string& common_name, | 538 const std::string& common_name, |
| 540 const std::vector<std::string>& dns_names, | 539 const std::vector<std::string>& dns_names, |
| 541 const std::vector<std::string>& ip_addrs) { | 540 const std::vector<std::string>& ip_addrs) { |
| 542 static const char kDomainsANSSI[][kMaxDomainLength] = { | 541 static const char kDomainsANSSI[][kMaxDomainLength] = { |
| (...skipping 128 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 671 return true; | 670 return true; |
| 672 | 671 |
| 673 // For certificates issued after 1 April 2015: 39 months. | 672 // For certificates issued after 1 April 2015: 39 months. |
| 674 if (start >= time_2015_04_01 && month_diff > 39) | 673 if (start >= time_2015_04_01 && month_diff > 39) |
| 675 return true; | 674 return true; |
| 676 | 675 |
| 677 return false; | 676 return false; |
| 678 } | 677 } |
| 679 | 678 |
| 680 } // namespace net | 679 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1158923005:
Use the exact-width integer types defined in <stdint.h> rather than (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master