Reject certificates that are valid for too long.

net/cert/cert_verify_proc.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_verify_proc.h"
 
 #include "base/metrics/histogram.h"
 #include "base/sha1.h"
+#include "base/time/time.h"
 #include "build/build_config.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_util.h"
 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_result.h"
 #include "net/cert/crl_set.h"
 #include "net/cert/x509_certificate.h"
 #include "url/url_canon.h"
@@ skipping 135 matching lines @@
   }
 
   // Flag certificates from publicly-trusted CAs that are issued to intranet
   // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit
   // these to be issued until 1 November 2015, they represent a real risk for
   // the deployment of gTLDs and are being phased out.
   if (verify_result->is_issued_by_known_root && IsHostnameNonUnique(hostname)) {
     verify_result->cert_status |= CERT_STATUS_NON_UNIQUE_NAME;
   }
 
+  // Flag certificates using too long validity periods.
+  if (HasTooLongValidity(*cert)) {
+    verify_result->cert_status |= CERT_STATUS_TOO_LONG_VALIDITY;
+    if (rv == OK)
+      rv = MapCertStatusToNetError(verify_result->cert_status);
+  }
+
   return rv;
 }
 
 // static
 bool CertVerifyProc::IsBlacklisted(X509Certificate* cert) {
   static const unsigned kComodoSerialBytes = 16;
   static const uint8 kComodoSerials[][kComodoSerialBytes] = {
     // Not a real certificate. For testing only.
     {0x07,0x7a,0x59,0xbc,0xd5,0x34,0x59,0x60,0x1c,0xa6,0x90,0x72,0x67,0xa6,0xdd,0x1c},
 
@@ skipping 151 matching lines @@
   // will be treated as non-unique until the registry controlled domain list
   // is updated. However, because gTLDs are expected to provide significant
   // advance notice to deprecate older versions of this code, this an
   // acceptable tradeoff.
   return 0 == registry_controlled_domains::GetRegistryLength(
                   canonical_name,
                   registry_controlled_domains::EXCLUDE_UNKNOWN_REGISTRIES,
                   registry_controlled_domains::EXCLUDE_PRIVATE_REGISTRIES);
 }
 
+// static
+bool CertVerifyProc::HasTooLongValidity(const X509Certificate& cert) {
+  base::Time::Exploded start;
+  base::Time::Exploded expiry;
+  cert.valid_start().UTCExplode(&start);
+  cert.valid_expiry().UTCExplode(&expiry);
+  int month_diff =
+      expiry.year * 12 + expiry.month - start.year * 12 - start.month;
+  // Add any remainder as a full month.
+  if (expiry.day_of_month > start.day_of_month)
+    ++month_diff;

[Ryan Sleevi, 2013/08/19 17:57:50]

Definitely should add unittests for this logic.

My biggest concern here is about the clamping behaviour on systems where time_t
is 32-bit, and valid_start()/valid_expiry() get off into the woods.

+
+  base::Time Apr2015;
+  base::Time Jul2012;
+  base::Time Jul2019;
+  base::Time::FromString("1 Apr 2015", &Apr2015);
+  base::Time::FromString("1 Jul 2012", &Jul2012);
+  base::Time::FromString("1 Jul 2019", &Jul2019);

[Ryan Sleevi, 2013/08/19 17:57:50]

Style: Palmer, can you hardcode these and use
base::Time::FromInternal(GG_INT64_C(constant_here));?

Avoid the need for additional parsing.

[palmer, 2013/08/21 22:24:15]

Done.

+
+  if (cert.valid_start() >= Apr2015)
+    return month_diff > 39;
+  if (cert.valid_start() >= Jul2012)
+    return month_diff > 60;
+  return month_diff > 120 || cert.valid_expiry() > Jul2019;
+}
+
 }  // namespace net