Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(209)

Side by Side Diff: net/cert/cert_verify_proc.h

Issue 20628006: Reject certificates that are valid for too long. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Rebase?! In our moment of triumph?! Created 6 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #ifndef NET_CERT_CERT_VERIFY_PROC_H_ 5 #ifndef NET_CERT_CERT_VERIFY_PROC_H_
6 #define NET_CERT_CERT_VERIFY_PROC_H_ 6 #define NET_CERT_CERT_VERIFY_PROC_H_
7 7
8 #include <string> 8 #include <string>
9 #include <vector> 9 #include <vector>
10 10
(...skipping 55 matching lines...) Expand 10 before | Expand all | Expand 10 after
66 // passed to Verify() is ignored when this returns false. 66 // passed to Verify() is ignored when this returns false.
67 virtual bool SupportsAdditionalTrustAnchors() const = 0; 67 virtual bool SupportsAdditionalTrustAnchors() const = 0;
68 68
69 protected: 69 protected:
70 CertVerifyProc(); 70 CertVerifyProc();
71 virtual ~CertVerifyProc(); 71 virtual ~CertVerifyProc();
72 72
73 private: 73 private:
74 friend class base::RefCountedThreadSafe<CertVerifyProc>; 74 friend class base::RefCountedThreadSafe<CertVerifyProc>;
75 FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, DigiNotarCerts); 75 FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, DigiNotarCerts);
76 FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, TestHasTooLongValidity);
76 77
77 // Performs the actual verification using the desired underlying 78 // Performs the actual verification using the desired underlying
78 // cryptographic library. 79 // cryptographic library.
79 virtual int VerifyInternal(X509Certificate* cert, 80 virtual int VerifyInternal(X509Certificate* cert,
80 const std::string& hostname, 81 const std::string& hostname,
81 int flags, 82 int flags,
82 CRLSet* crl_set, 83 CRLSet* crl_set,
83 const CertificateList& additional_trust_anchors, 84 const CertificateList& additional_trust_anchors,
84 CertVerifyResult* verify_result) = 0; 85 CertVerifyResult* verify_result) = 0;
85 86
86 // Returns true if |cert| is explicitly blacklisted. 87 // Returns true if |cert| is explicitly blacklisted.
87 static bool IsBlacklisted(X509Certificate* cert); 88 static bool IsBlacklisted(X509Certificate* cert);
88 89
89 // IsPublicKeyBlacklisted returns true iff one of |public_key_hashes| (which 90 // IsPublicKeyBlacklisted returns true iff one of |public_key_hashes| (which
90 // are hashes of SubjectPublicKeyInfo structures) is explicitly blocked. 91 // are hashes of SubjectPublicKeyInfo structures) is explicitly blocked.
91 static bool IsPublicKeyBlacklisted(const HashValueVector& public_key_hashes); 92 static bool IsPublicKeyBlacklisted(const HashValueVector& public_key_hashes);
92 93
93 // HasNameConstraintsViolation returns true iff one of |public_key_hashes| 94 // HasNameConstraintsViolation returns true iff one of |public_key_hashes|
94 // (which are hashes of SubjectPublicKeyInfo structures) has name constraints 95 // (which are hashes of SubjectPublicKeyInfo structures) has name constraints
95 // imposed on it and the names in |dns_names| are not permitted. 96 // imposed on it and the names in |dns_names| are not permitted.
96 static bool HasNameConstraintsViolation( 97 static bool HasNameConstraintsViolation(
97 const HashValueVector& public_key_hashes, 98 const HashValueVector& public_key_hashes,
98 const std::string& common_name, 99 const std::string& common_name,
99 const std::vector<std::string>& dns_names, 100 const std::vector<std::string>& dns_names,
100 const std::vector<std::string>& ip_addrs); 101 const std::vector<std::string>& ip_addrs);
101 102
103 // The CA/Browser Forum's Baseline Requirements specify maximum validity
104 // periods (https://cabforum.org/Baseline_Requirements_V1.pdf):
105 //
106 // For certificates issued after 1 July 2012: 60 months.
107 // For certificates issued after 1 April 2015: 39 months.
108 //
109 // For certificates issued before the BRs took effect, there were no
110 // guidelines, but clamp them at a maximum of 10 year validity, with the
111 // requirement they expire within 7 years after the effective date of the BRs
112 // (i.e. by 1 July 2019).
113 static bool HasTooLongValidity(const X509Certificate& cert);
114
102 DISALLOW_COPY_AND_ASSIGN(CertVerifyProc); 115 DISALLOW_COPY_AND_ASSIGN(CertVerifyProc);
103 }; 116 };
104 117
105 } // namespace net 118 } // namespace net
106 119
107 #endif // NET_CERT_CERT_VERIFY_PROC_H_ 120 #endif // NET_CERT_CERT_VERIFY_PROC_H_
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698