OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
6 | 6 |
7 #include "base/metrics/histogram.h" | 7 #include "base/metrics/histogram.h" |
8 #include "base/sha1.h" | 8 #include "base/sha1.h" |
9 #include "base/time/time.h" | |
9 #include "build/build_config.h" | 10 #include "build/build_config.h" |
10 #include "net/base/net_errors.h" | 11 #include "net/base/net_errors.h" |
11 #include "net/base/net_util.h" | 12 #include "net/base/net_util.h" |
12 #include "net/base/registry_controlled_domains/registry_controlled_domain.h" | 13 #include "net/base/registry_controlled_domains/registry_controlled_domain.h" |
13 #include "net/cert/cert_status_flags.h" | 14 #include "net/cert/cert_status_flags.h" |
14 #include "net/cert/cert_verifier.h" | 15 #include "net/cert/cert_verifier.h" |
15 #include "net/cert/cert_verify_result.h" | 16 #include "net/cert/cert_verify_result.h" |
16 #include "net/cert/crl_set.h" | 17 #include "net/cert/crl_set.h" |
17 #include "net/cert/x509_certificate.h" | 18 #include "net/cert/x509_certificate.h" |
18 #include "url/url_canon.h" | 19 #include "url/url_canon.h" |
(...skipping 135 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
154 } | 155 } |
155 | 156 |
156 // Flag certificates from publicly-trusted CAs that are issued to intranet | 157 // Flag certificates from publicly-trusted CAs that are issued to intranet |
157 // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit | 158 // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit |
158 // these to be issued until 1 November 2015, they represent a real risk for | 159 // these to be issued until 1 November 2015, they represent a real risk for |
159 // the deployment of gTLDs and are being phased out. | 160 // the deployment of gTLDs and are being phased out. |
160 if (verify_result->is_issued_by_known_root && IsHostnameNonUnique(hostname)) { | 161 if (verify_result->is_issued_by_known_root && IsHostnameNonUnique(hostname)) { |
161 verify_result->cert_status |= CERT_STATUS_NON_UNIQUE_NAME; | 162 verify_result->cert_status |= CERT_STATUS_NON_UNIQUE_NAME; |
162 } | 163 } |
163 | 164 |
165 // Flag certificates using too long validity periods. | |
166 if (HasTooLongValidity(*cert)) { | |
167 verify_result->cert_status |= CERT_STATUS_TOO_LONG_VALIDITY; | |
168 if (rv == OK) | |
169 rv = MapCertStatusToNetError(verify_result->cert_status); | |
170 } | |
171 | |
164 return rv; | 172 return rv; |
165 } | 173 } |
166 | 174 |
167 // static | 175 // static |
168 bool CertVerifyProc::IsBlacklisted(X509Certificate* cert) { | 176 bool CertVerifyProc::IsBlacklisted(X509Certificate* cert) { |
169 static const unsigned kComodoSerialBytes = 16; | 177 static const unsigned kComodoSerialBytes = 16; |
170 static const uint8 kComodoSerials[][kComodoSerialBytes] = { | 178 static const uint8 kComodoSerials[][kComodoSerialBytes] = { |
171 // Not a real certificate. For testing only. | 179 // Not a real certificate. For testing only. |
172 {0x07,0x7a,0x59,0xbc,0xd5,0x34,0x59,0x60,0x1c,0xa6,0x90,0x72,0x67,0xa6,0xdd, 0x1c}, | 180 {0x07,0x7a,0x59,0xbc,0xd5,0x34,0x59,0x60,0x1c,0xa6,0x90,0x72,0x67,0xa6,0xdd, 0x1c}, |
173 | 181 |
(...skipping 151 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
325 // will be treated as non-unique until the registry controlled domain list | 333 // will be treated as non-unique until the registry controlled domain list |
326 // is updated. However, because gTLDs are expected to provide significant | 334 // is updated. However, because gTLDs are expected to provide significant |
327 // advance notice to deprecate older versions of this code, this an | 335 // advance notice to deprecate older versions of this code, this an |
328 // acceptable tradeoff. | 336 // acceptable tradeoff. |
329 return 0 == registry_controlled_domains::GetRegistryLength( | 337 return 0 == registry_controlled_domains::GetRegistryLength( |
330 canonical_name, | 338 canonical_name, |
331 registry_controlled_domains::EXCLUDE_UNKNOWN_REGISTRIES, | 339 registry_controlled_domains::EXCLUDE_UNKNOWN_REGISTRIES, |
332 registry_controlled_domains::EXCLUDE_PRIVATE_REGISTRIES); | 340 registry_controlled_domains::EXCLUDE_PRIVATE_REGISTRIES); |
333 } | 341 } |
334 | 342 |
343 // static | |
344 bool CertVerifyProc::HasTooLongValidity(const X509Certificate& cert) { | |
345 base::Time::Exploded start; | |
346 base::Time::Exploded expiry; | |
347 cert.valid_start().UTCExplode(&start); | |
348 cert.valid_expiry().UTCExplode(&expiry); | |
349 int month_diff = | |
350 expiry.year * 12 + expiry.month - start.year * 12 - start.month; | |
351 // Add any remainder as a full month. | |
352 if (expiry.day_of_month > start.day_of_month) | |
353 ++month_diff; | |
Ryan Sleevi
2013/08/19 17:57:50
Definitely should add unittests for this logic.
M
| |
354 | |
355 base::Time Apr2015; | |
356 base::Time Jul2012; | |
357 base::Time Jul2019; | |
358 base::Time::FromString("1 Apr 2015", &Apr2015); | |
359 base::Time::FromString("1 Jul 2012", &Jul2012); | |
360 base::Time::FromString("1 Jul 2019", &Jul2019); | |
Ryan Sleevi
2013/08/19 17:57:50
Style: Palmer, can you hardcode these and use base
palmer
2013/08/21 22:24:15
Done.
| |
361 | |
362 if (cert.valid_start() >= Apr2015) | |
363 return month_diff > 39; | |
364 if (cert.valid_start() >= Jul2012) | |
365 return month_diff > 60; | |
366 return month_diff > 120 || cert.valid_expiry() > Jul2019; | |
367 } | |
368 | |
335 } // namespace net | 369 } // namespace net |
OLD | NEW |