net/cert/cert_verify_proc.h - Issue 20628006: Reject certificates that are valid for too long.

Side by Side Diff: net/cert/cert_verify_proc.h

Issue 20628006: Reject certificates that are valid for too long. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Created 7 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #ifndef NET_CERT_CERT_VERIFY_PROC_H_	5 #ifndef NET_CERT_CERT_VERIFY_PROC_H_

6 #define NET_CERT_CERT_VERIFY_PROC_H_	6 #define NET_CERT_CERT_VERIFY_PROC_H_

7	7

8 #include <string>	8 #include <string>

9 #include <vector>	9 #include <vector>

10	10

(...skipping 84 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
95 // certificates (eg: an "internal server name").	95 // certificates (eg: an "internal server name").

96 //	96 //

97 // While such names are not scheduled to be deprecated until 1 November 2015	97 // While such names are not scheduled to be deprecated until 1 November 2015

98 // according to the CA/Browser Forum Baseline Requirements (v1.1), they	98 // according to the CA/Browser Forum Baseline Requirements (v1.1), they

99 // represent a real risk for the deployment of new gTLDs, and thus being	99 // represent a real risk for the deployment of new gTLDs, and thus being

100 // phased out ahead of the hard deadline.	100 // phased out ahead of the hard deadline.

101 // TODO(rsleevi): http://crbug.com/119212 - Also match internal IP address	101 // TODO(rsleevi): http://crbug.com/119212 - Also match internal IP address

102 // ranges.	102 // ranges.

103 static bool IsHostnameNonUnique(const std::string& hostname);	103 static bool IsHostnameNonUnique(const std::string& hostname);

104	104

	105 // The CA/Browser Forum's Baseline Requirements specify maximum validity

	106 // periods (https://cabforum.org/Baseline_Requirements_V1.pdf):

	107 //

	108 // For certificates issued after 1 July 2012: 60 months.

	109 // For certificates issued after 1 April 2015: 39 months.
	Ryan Sleevi 2013/08/19 17:57:50 This is not correct. After 1 April 2015, it IS per This is not correct. After 1 April 2015, it IS permissible to be > 39 months, but <= 60 months, provided you meet the criteria. While I support this change in spirit, I'm not sure what ill-effects will be seen from the 39-month (if any), so I think we need to be careful. palmer 2013/08/21 01:26:25 Shall we just go with 60 months then? Show quoted text > This is not correct. After 1 April 2015, it IS permissible to be > 39 months, > but <= 60 months, provided you meet the criteria. > > While I support this change in spirit, I'm not sure what ill-effects will be > seen from the 39-month (if any), so I think we need to be careful. Shall we just go with 60 months then? Ryan Sleevi 2013/08/21 20:07:41 I'm fine landing this as the plan of record, and g Show quoted text On 2013/08/21 01:26:25, Chromium Palmer wrote: > > This is not correct. After 1 April 2015, it IS permissible to be > 39 months, > > but <= 60 months, provided you meet the criteria. > > > > While I support this change in spirit, I'm not sure what ill-effects will be > > seen from the 39-month (if any), so I think we need to be careful. > > Shall we just go with 60 months then? I'm fine landing this as the plan of record, and going back on that if necessary. I don't think we can safely histogram this either. We can just work to publicize it as "It's acceptable for CAs to do so for legacy hardware/clients, but if you're wanting to talk to Chrome, 39 months". This doesn't mean CAs are violating the BRs though - just that Chrome's policy is security. May affect the interstitial warnings. palmer 2013/08/21 22:24:15 Can you suggest accurate wording for the comment? Can you suggest accurate wording for the comment?
	110 //

	111 // There are no guidelines for certificates issued before the BRs were

	112 // set, but we clamp them at 120 months, and they must expire within 7

	113 // years after the BRs (i.e. by July 2019).
	Ryan Sleevi 2013/08/19 17:57:50 comment nit: rephrase this part without the pronou comment nit: rephrase this part without the pronouns, as "we" is unclear here. // For certificates issued before the BRs took effect, there were no // guidelines, but clamp them at a maximum of 10 year validity, with // the requirement they expire within 7 years after the effective // date of the BRs (i.e. by 1 July 2019). palmer 2013/08/21 01:26:25 Done. Your fixation is odd. :) Show quoted text On 2013/08/19 17:57:50, Ryan Sleevi wrote: > comment nit: rephrase this part without the pronouns, as "we" is unclear here. > > // For certificates issued before the BRs took effect, there were no > // guidelines, but clamp them at a maximum of 10 year validity, with > // the requirement they expire within 7 years after the effective > // date of the BRs (i.e. by 1 July 2019). Done. Your fixation is odd. :)
	114 static bool HasTooLongValidity(const X509Certificate& cert);
	Ryan Sleevi 2013/08/19 17:57:50 There's no need to make this a static function, as There's no need to make this a static function, as opposed to within an unnamed namespace, since this is used (internally) by the CertVerifyProc, and isn't being unittested. palmer 2013/08/21 01:26:25 I see it as being like \|IsHostnameNonUnique\| and s Show quoted text On 2013/08/19 17:57:50, Ryan Sleevi wrote: > There's no need to make this a static function, as opposed to within an unnamed > namespace, since this is used (internally) by the CertVerifyProc, and isn't > being unittested. I see it as being like \|IsHostnameNonUnique\| and so on, and perhaps should be unit-tested? Ryan Sleevi 2013/08/21 20:07:41 Glad you just volunteered to write unit tests ;) T Show quoted text On 2013/08/21 01:26:25, Chromium Palmer wrote: > On 2013/08/19 17:57:50, Ryan Sleevi wrote: > > There's no need to make this a static function, as opposed to within an > unnamed > > namespace, since this is used (internally) by the CertVerifyProc, and isn't > > being unittested. > > I see it as being like \|IsHostnameNonUnique\| and so on, and perhaps should be > unit-tested? Glad you just volunteered to write unit tests ;) That was the goal :) palmer 2013/08/21 22:24:15 Done. Show quoted text On 2013/08/21 20:07:41, Ryan Sleevi wrote: > On 2013/08/21 01:26:25, Chromium Palmer wrote: > > On 2013/08/19 17:57:50, Ryan Sleevi wrote: > > > There's no need to make this a static function, as opposed to within an > > unnamed > > > namespace, since this is used (internally) by the CertVerifyProc, and isn't > > > being unittested. > > > > I see it as being like \|IsHostnameNonUnique\| and so on, and perhaps should be > > unit-tested? > > Glad you just volunteered to write unit tests ;) That was the goal :) Done.
	115

105 DISALLOW_COPY_AND_ASSIGN(CertVerifyProc);	116 DISALLOW_COPY_AND_ASSIGN(CertVerifyProc);

106 };	117 };

107	118

108 } // namespace net	119 } // namespace net

109	120

110 #endif // NET_CERT_CERT_VERIFY_PROC_H_	121 #endif // NET_CERT_CERT_VERIFY_PROC_H_

OLD	NEW

« chrome/app/generated_resources.grd ('K') | « net/cert/cert_status_flags.cc ('k') | net/cert/cert_verify_proc.cc » ('j') | net/cert/cert_verify_proc.cc » ('J')