net/cert/cert_verify_proc.cc - Issue 20628006: Reject certificates that are valid for too long.

Side by Side Diff: net/cert/cert_verify_proc.cc

Issue 20628006: Reject certificates that are valid for too long. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: "Manual rebase" due to age. Created 6 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/cert/cert_verify_proc.h"	5 #include "net/cert/cert_verify_proc.h"

6	6

7 #include "base/basictypes.h"	7 #include "base/basictypes.h"

8 #include "base/metrics/histogram.h"	8 #include "base/metrics/histogram.h"

9 #include "base/sha1.h"	9 #include "base/sha1.h"

10 #include "base/strings/stringprintf.h"	10 #include "base/strings/stringprintf.h"

	11 #include "base/time/time.h"

11 #include "build/build_config.h"	12 #include "build/build_config.h"

12 #include "net/base/net_errors.h"	13 #include "net/base/net_errors.h"

13 #include "net/base/net_util.h"	14 #include "net/base/net_util.h"

14 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"	15 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"

15 #include "net/cert/cert_status_flags.h"	16 #include "net/cert/cert_status_flags.h"

16 #include "net/cert/cert_verifier.h"	17 #include "net/cert/cert_verifier.h"

17 #include "net/cert/cert_verify_result.h"	18 #include "net/cert/cert_verify_result.h"

18 #include "net/cert/crl_set.h"	19 #include "net/cert/crl_set.h"

19 #include "net/cert/x509_certificate.h"	20 #include "net/cert/x509_certificate.h"

20 #include "url/url_canon.h"	21 #include "url/url_canon.h"

(...skipping 248 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
269 // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit	270 // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit

270 // these to be issued until 1 November 2015, they represent a real risk for	271 // these to be issued until 1 November 2015, they represent a real risk for

271 // the deployment of gTLDs and are being phased out ahead of the hard	272 // the deployment of gTLDs and are being phased out ahead of the hard

272 // deadline.	273 // deadline.

273 if (verify_result->is_issued_by_known_root && IsHostnameNonUnique(hostname)) {	274 if (verify_result->is_issued_by_known_root && IsHostnameNonUnique(hostname)) {

274 verify_result->cert_status \|= CERT_STATUS_NON_UNIQUE_NAME;	275 verify_result->cert_status \|= CERT_STATUS_NON_UNIQUE_NAME;

275 // CERT_STATUS_NON_UNIQUE_NAME will eventually become a hard error. For	276 // CERT_STATUS_NON_UNIQUE_NAME will eventually become a hard error. For

276 // now treat it as a warning and do not map it to an error return value.	277 // now treat it as a warning and do not map it to an error return value.

277 }	278 }

278	279

	280 // Flag certificates using too long validity periods.

	281 if (!verify_result->is_issued_by_known_root && HasTooLongValidity(*cert)) {
	Ryan Sleevi 2014/10/29 22:22:07 This is wrong. if (verify_result->is_issued_by_kn This is wrong. if (verify_result->is_issued_by_known_root ...) [This will also make your test fail, which is right, because the test is wrong] palmer 2014/10/30 01:23:16 Done. Show quoted text On 2014/10/29 22:22:07, Ryan Sleevi wrote: > This is wrong. > > if (verify_result->is_issued_by_known_root ...) > > [This will also make your test fail, which is right, because the test is wrong] Done.
	282 verify_result->cert_status \|= CERT_STATUS_TOO_LONG_VALIDITY;

	283 if (rv == OK)

	284 rv = MapCertStatusToNetError(verify_result->cert_status);

	285 }

	286

279 return rv;	287 return rv;

280 }	288 }

281	289

282 // static	290 // static

283 bool CertVerifyProc::IsBlacklisted(X509Certificate* cert) {	291 bool CertVerifyProc::IsBlacklisted(X509Certificate* cert) {

284 static const unsigned kComodoSerialBytes = 16;	292 static const unsigned kComodoSerialBytes = 16;

285 static const uint8 kComodoSerials[][kComodoSerialBytes] = {	293 static const uint8 kComodoSerials[][kComodoSerialBytes] = {

286 // Not a real certificate. For testing only.	294 // Not a real certificate. For testing only.

287 {0x07,0x7a,0x59,0xbc,0xd5,0x34,0x59,0x60,0x1c,0xa6,0x90,0x72,0x67,0xa6,0xdd, 0x1c},	295 {0x07,0x7a,0x59,0xbc,0xd5,0x34,0x59,0x60,0x1c,0xa6,0x90,0x72,0x67,0xa6,0xdd, 0x1c},

288	296

(...skipping 318 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
607 if (!CheckNameConstraints(dns_names, kLimits[i].domains))	615 if (!CheckNameConstraints(dns_names, kLimits[i].domains))

608 return true;	616 return true;

609 }	617 }

610 }	618 }

611 }	619 }

612 }	620 }

613	621

614 return false;	622 return false;

615 }	623 }

616	624

	625 // static

	626 bool CertVerifyProc::HasTooLongValidity(const X509Certificate& cert) {

	627 const base::Time& start = cert.valid_start();

	628 const base::Time& expiry = cert.valid_expiry();

	629 if (start.is_max() \|\| start.is_null() \|\|

	630 expiry.is_max() \|\| expiry.is_null() \|\|

	631 start > expiry) {

	632 return true;

	633 }

	634

	635 base::Time::Exploded exploded_start;

	636 base::Time::Exploded exploded_expiry;

	637 cert.valid_start().UTCExplode(&exploded_start);

	638 cert.valid_expiry().UTCExplode(&exploded_expiry);

	639

	640 int month_diff =

	641 exploded_expiry.year * 12 + exploded_expiry.month -

	642 exploded_start.year * 12 - exploded_start.month;
	Ryan Sleevi 2014/10/29 22:22:07 I still hate math and years, but also hate multipl I still hate math and years, but also hate multiplying ints by 12. Even if they shouldn't exceed 9999. if ((exploded_expiry.year - exploded_start.year) > 10) return true; int month_diff = (exploded_expiry.year - exploded_start.year) * 12 + (exploded_expiry.month - exploded_start.month); 2014/01 - 2014/03 = 0 * 12 + (3 - 1) = 2 2014/01 - 2015/01 = 1 * 12 + (1 - 1) = 12 2014/12 - 2015/01 = 1 * 12 + (1 - 12) = 1 2014/01 - 2015/03 = 1 * 12 + (3 - 1) = 14 Pretty sure the math works... (If you disagree, well, your indents are still wrong at least. git cl format that) palmer 2014/10/30 01:23:16 Done. Show quoted text On 2014/10/29 22:22:07, Ryan Sleevi wrote: > I still hate math and years, but also hate multiplying ints by 12. Even if they > shouldn't exceed 9999. > > if ((exploded_expiry.year - exploded_start.year) > 10) > return true; > int month_diff = > (exploded_expiry.year - exploded_start.year) * 12 + > (exploded_expiry.month - exploded_start.month); > > 2014/01 - 2014/03 = 0 * 12 + (3 - 1) = 2 > 2014/01 - 2015/01 = 1 * 12 + (1 - 1) = 12 > 2014/12 - 2015/01 = 1 * 12 + (1 - 12) = 1 > 2014/01 - 2015/03 = 1 * 12 + (3 - 1) = 14 > > Pretty sure the math works... > > (If you disagree, well, your indents are still wrong at least. git cl format > that) Done.
	643 // Add any remainder as a full month.

	644 if (exploded_expiry.day_of_month > exploded_start.day_of_month)

	645 ++month_diff;

	646

	647 static const base::Time time_2015_04_01 = base::Time::FromInternalValue(

	648 GG_INT64_C(1427871600));
	Ryan Sleevi 2014/10/29 22:22:07 GG_ is deprecated. Long live the <stdint.h> macros GG_ is deprecated. Long live the <stdint.h> macros of INT64_C palmer 2014/10/30 01:23:16 Done. Show quoted text On 2014/10/29 22:22:07, Ryan Sleevi wrote: > GG_ is deprecated. Long live the <stdint.h> macros of INT64_C Done.
	649 static const base::Time time_2012_07_01 = base::Time::FromInternalValue(

	650 GG_INT64_C(1341126000));

	651 static const base::Time time_2019_07_01 = base::Time::FromInternalValue(

	652 GG_INT64_C(1561964400));

	653

	654 if (start >= time_2015_04_01)

	655 return month_diff > 39;

	656 if (start >= time_2012_07_01)

	657 return month_diff > 60;

	658 return month_diff > 120 \|\| expiry > time_2019_07_01;

	659 }

	660

617 } // namespace net	661 } // namespace net

OLD	NEW

« net/base/net_error_list.h ('K') | « net/cert/cert_verify_proc.h ('k') | net/cert/cert_verify_proc_unittest.cc » ('j') | net/data/ssl/certificates/README » ('J')