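--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,20 +1,23 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_verify_proc.h"
 
 #include "base/metrics/histogram.h"
 #include "base/sha1.h"
 #include "build/build_config.h"
+#include "googleurl/src/url_canon.h"
 #include "net/base/net_errors.h"
+#include "net/base/net_util.h"
+#include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_result.h"
 #include "net/cert/crl_set.h"
 #include "net/cert/x509_certificate.h"
 
 #if defined(USE_NSS) || defined(OS_IOS)
 #include "net/cert/cert_verify_proc_nss.h"
 #elif defined(USE_OPENSSL) && !defined(OS_ANDROID)
 #include "net/cert/cert_verify_proc_openssl.h"
@@ -143,20 +146,28 @@
 // Flag certificates using weak signature algorithms.
 if (verify_result->has_md5) {
 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM;
 // Avoid replacing a more serious error, such as an OS/library failure,
 // by ensuring that if verification failed, it failed with a certificate
 // error.
 if (rv == OK || IsCertificateError(rv))
 rv = MapCertStatusToNetError(verify_result->cert_status);
 }
 
+// Flag certificates from publicly-trusted CAs that are issued to intranet
+// hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit
+// these to be issued until 1 November 2015, they represent a real risk for
+// the deployment of gTLDs and are being phased out.
+if (verify_result->is_issued_by_known_root && IsHostnameNonUnique(hostname)) {
+verify_result->cert_status |= CERT_STATUS_NON_UNIQUE_NAME;
+}
+
 return rv;
 }
 
 // static
 bool CertVerifyProc::IsBlacklisted(X509Certificate* cert) {
 static const unsigned kComodoSerialBytes = 16;
 static const uint8 kComodoSerials[][kComodoSerialBytes] = {
 // Not a real certificate. For testing only.
 {0x07,0x7a,0x59,0xbc,0xd5,0x34,0x59,0x60,0x1c,0xa6,0x90,0x72,0x67,0xa6,0xdd,0x1c},
 
@@ -279,11 +290,46 @@
 if (j->tag == HASH_VALUE_SHA1 &&
 memcmp(j->data(), kHashes[i], base::kSHA1Length) == 0) {
 return true;
 }
 }
 }
 
 return false;
 }
 
+// static
+bool CertVerifyProc::IsHostnameNonUnique(const std::string& hostname) {
+// CanonicalizeHost requires surrounding brackets to parse an IPv6 address.
+const std::string host_or_ip = hostname.find(':') != std::string::npos ?
+"[" + hostname + "]" : hostname;
+url_canon::CanonHostInfo host_info;
+std::string canonical_name = CanonicalizeHost(host_or_ip, &host_info);
+
+// If canonicalization fails, then the input is truly malformed. However,
+// to avoid mis-reporting bad inputs as "non-unique", treat them as unique.
+if (canonical_name.empty())
+return false;
+
+// If |hostname| is an IP address, presume it's unique.
+// TODO(rsleevi): In the future, this should also reject IP addresses in
+// IANA-reserved ranges, since those are also non-unique among publicly
+// trusted CAs.
+if (host_info.IsIPAddress())
+return false;
+
+// Check for a registry controlled portion of |hostname|, ignoring private
+// registries, as they already chain to ICANN-administered registries,
+// and explicitly ignoring unknown registries.
+//
+// Note: This means that as new gTLDs are introduced on the Internet, they
+// will be treated as non-unique until the registry controlled domain list
+// is updated. However, because gTLDs are expected to provide significant
+// advance notice to deprecate older versions of this code, this an
+// acceptable tradeoff.
+return 0 == registry_controlled_domains::GetRegistryLength(
+canonical_name,
+registry_controlled_domains::EXCLUDE_UNKNOWN_REGISTRIES,
+registry_controlled_domains::EXCLUDE_PRIVATE_REGISTRIES);
+}
+
 } // namespace net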
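Review bot: The new non-unique-name block in the second hunk (new lines 156-162) sets CERT_STATUS_NON_UNIQUE_NAME but, unlike the weak-signature block directly above it, never feeds the updated cert_status back through MapCertStatusToNetError, so rv can still be OK for a known-root certificate issued to an intranet name; if that is the intended rollout (a reported status rather than a hard failure until the 2015 cutoff mentioned in the comment), the asymmetry deserves a line such as `// Unlike weak signatures above, this is currently surfaced via cert_status only and does not change rv.` The enclosing function of that hunk begins outside the diff. In IsHostnameNonUnique (third hunk), the `0 ==` comparison on GetRegistryLength means any other return, including whatever it reports for a host it cannot classify, is treated as unique — the same conservative direction as the empty-canonical-name case, but worth stating in the comment above the return so a later change to that helper's contract is caught. Presumably the IPv6 detection via `find(':')` also wraps non-address inputs that contain a colon in brackets and then fails canonicalization, which again lands on the "unique" side; a short comment noting that fallthrough would help the next reader.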