OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
6 | 6 |
7 #include "base/metrics/histogram.h" | 7 #include "base/metrics/histogram.h" |
8 #include "base/sha1.h" | 8 #include "base/sha1.h" |
9 #include "build/build_config.h" | 9 #include "build/build_config.h" |
10 #include "net/base/net_errors.h" | 10 #include "net/base/net_errors.h" |
| 11 #include "net/base/registry_controlled_domains/registry_controlled_domain.h" |
11 #include "net/cert/cert_status_flags.h" | 12 #include "net/cert/cert_status_flags.h" |
12 #include "net/cert/cert_verifier.h" | 13 #include "net/cert/cert_verifier.h" |
13 #include "net/cert/cert_verify_result.h" | 14 #include "net/cert/cert_verify_result.h" |
14 #include "net/cert/crl_set.h" | 15 #include "net/cert/crl_set.h" |
15 #include "net/cert/x509_certificate.h" | 16 #include "net/cert/x509_certificate.h" |
16 | 17 |
17 #if defined(USE_NSS) || defined(OS_IOS) | 18 #if defined(USE_NSS) || defined(OS_IOS) |
18 #include "net/cert/cert_verify_proc_nss.h" | 19 #include "net/cert/cert_verify_proc_nss.h" |
19 #elif defined(USE_OPENSSL) && !defined(OS_ANDROID) | 20 #elif defined(USE_OPENSSL) && !defined(OS_ANDROID) |
20 #include "net/cert/cert_verify_proc_openssl.h" | 21 #include "net/cert/cert_verify_proc_openssl.h" |
(...skipping 122 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
143 // Flag certificates using weak signature algorithms. | 144 // Flag certificates using weak signature algorithms. |
144 if (verify_result->has_md5) { | 145 if (verify_result->has_md5) { |
145 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; | 146 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; |
146 // Avoid replacing a more serious error, such as an OS/library failure, | 147 // Avoid replacing a more serious error, such as an OS/library failure, |
147 // by ensuring that if verification failed, it failed with a certificate | 148 // by ensuring that if verification failed, it failed with a certificate |
148 // error. | 149 // error. |
149 if (rv == OK || IsCertificateError(rv)) | 150 if (rv == OK || IsCertificateError(rv)) |
150 rv = MapCertStatusToNetError(verify_result->cert_status); | 151 rv = MapCertStatusToNetError(verify_result->cert_status); |
151 } | 152 } |
152 | 153 |
| 154 // Flag certificates from publicly-trusted CAs that are issued to intranet |
| 155 // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit |
| 156 // these to be issued until 1 November 2015, they represent a real risk for |
| 157 // the deployment of gTLDs and are being phased out. |
| 158 // |
| 159 // Note: This means that as new gTLDs are introduced, this logic will |
| 160 // incorrectly flag them as non-unique, because they will not be in the |
| 161 // registry controlled domain list yet. However, since new gTLDs are expected |
| 162 // to have significant advance notice, this is an acceptable tradeoff to |
| 163 // deprecate the practice. |
| 164 if (verify_result->is_issued_by_known_root && |
| 165 0 == registry_controlled_domains::GetRegistryLength( |
| 166 hostname, |
| 167 registry_controlled_domains::EXCLUDE_UNKNOWN_REGISTRIES, |
| 168 registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES)) { |
| 169 verify_result->cert_status |= CERT_STATUS_NON_UNIQUE_NAME; |
| 170 } |
| 171 |
153 return rv; | 172 return rv; |
154 } | 173 } |
155 | 174 |
156 // static | 175 // static |
157 bool CertVerifyProc::IsBlacklisted(X509Certificate* cert) { | 176 bool CertVerifyProc::IsBlacklisted(X509Certificate* cert) { |
158 static const unsigned kComodoSerialBytes = 16; | 177 static const unsigned kComodoSerialBytes = 16; |
159 static const uint8 kComodoSerials[][kComodoSerialBytes] = { | 178 static const uint8 kComodoSerials[][kComodoSerialBytes] = { |
160 // Not a real certificate. For testing only. | 179 // Not a real certificate. For testing only. |
161 {0x07,0x7a,0x59,0xbc,0xd5,0x34,0x59,0x60,0x1c,0xa6,0x90,0x72,0x67,0xa6,0xdd,
0x1c}, | 180 {0x07,0x7a,0x59,0xbc,0xd5,0x34,0x59,0x60,0x1c,0xa6,0x90,0x72,0x67,0xa6,0xdd,
0x1c}, |
162 | 181 |
(...skipping 117 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
280 memcmp(j->data(), kHashes[i], base::kSHA1Length) == 0) { | 299 memcmp(j->data(), kHashes[i], base::kSHA1Length) == 0) { |
281 return true; | 300 return true; |
282 } | 301 } |
283 } | 302 } |
284 } | 303 } |
285 | 304 |
286 return false; | 305 return false; |
287 } | 306 } |
288 | 307 |
289 } // namespace net | 308 } // namespace net |
OLD | NEW |