Reject certificates that are valid for too long.

net/cert/cert_verify_proc.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_verify_proc.h"
 
 #include "base/metrics/histogram.h"
 #include "base/sha1.h"
 #include "base/strings/stringprintf.h"
+#include "base/time/time.h"
 #include "build/build_config.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_util.h"
 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_result.h"
 #include "net/cert/crl_set.h"
 #include "net/cert/x509_certificate.h"
 #include "url/url_canon.h"
@@ skipping 245 matching lines @@
   // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit
   // these to be issued until 1 November 2015, they represent a real risk for
   // the deployment of gTLDs and are being phased out ahead of the hard
   // deadline.
   if (verify_result->is_issued_by_known_root && IsHostnameNonUnique(hostname)) {
     verify_result->cert_status |= CERT_STATUS_NON_UNIQUE_NAME;
     // CERT_STATUS_NON_UNIQUE_NAME will eventually become a hard error. For
     // now treat it as a warning and do not map it to an error return value.
   }
 
+  // Flag certificates using too long validity periods.
+  if (HasTooLongValidity(*cert)) {

[Ryan Sleevi, 2014/10/27 22:07:39]

Remind me why we aren't checking is_issued_by_known_root here?

Creating an internal cert for 30 years is pretty common and not a Bad Thing
(tm), since it's local policy.

[palmer, 2014/10/28 00:05:53]

Done.

+    verify_result->cert_status |= CERT_STATUS_TOO_LONG_VALIDITY;
+    if (rv == OK)
+      rv = MapCertStatusToNetError(verify_result->cert_status);
+  }
+
   return rv;
 }
 
 // static
 bool CertVerifyProc::IsBlacklisted(X509Certificate* cert) {
   static const unsigned kComodoSerialBytes = 16;
   static const uint8 kComodoSerials[][kComodoSerialBytes] = {
     // Not a real certificate. For testing only.
     {0x07,0x7a,0x59,0xbc,0xd5,0x34,0x59,0x60,0x1c,0xa6,0x90,0x72,0x67,0xa6,0xdd,0x1c},
 
@@ skipping 240 matching lines @@
           if (!CheckNameConstraints(dns_names, kLimits[i].tlds))
             return true;
         }
       }
     }
   }
 
   return false;
 }
 
+// static
+bool CertVerifyProc::HasTooLongValidity(const X509Certificate& cert) {
+  base::Time::Exploded start;
+  base::Time::Exploded expiry;
+  cert.valid_start().UTCExplode(&start);
+  cert.valid_expiry().UTCExplode(&expiry);

[Ryan Sleevi, 2014/10/27 22:07:39]

Note that both of these can fail for some certificates (e.g. assume hostile
2038-bug exploiting certs)

Also, shouldn't you be checking that expiry > start, since we may be calling
this method for certs where it's not true? (Nothing is guaranteed in the
pre/post conditions that this is a 'valid' cert)

[palmer, 2014/10/28 00:05:53]

Done for a first pass. My immediate goal is to re-build this CL (it's so old it
doesn't apply cleanly anymore). See what you think of the up-coming patchset.

+  int month_diff =
+      expiry.year * 12 + expiry.month - start.year * 12 - start.month;
+  // Add any remainder as a full month.
+  if (expiry.day_of_month > start.day_of_month)
+    ++month_diff;
+
+  static const base::Time time_2015_04_01 = base::Time::FromInternalValue(
+      GG_INT64_C(1427871600));
+  static const base::Time time_2012_07_01 = base::Time::FromInternalValue(
+      GG_INT64_C(1341126000));
+  static const base::Time time_2019_07_01 = base::Time::FromInternalValue(
+      GG_INT64_C(1561964400));
+
+  if (cert.valid_start() >= time_2015_04_01)
+    return month_diff > 39;
+  if (cert.valid_start() >= time_2012_07_01)
+    return month_diff > 60;
+  return month_diff > 120 || cert.valid_expiry() > time_2019_07_01;
+}
+
 }  // namespace net