OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
6 | 6 |
7 #include "base/basictypes.h" | 7 #include "base/basictypes.h" |
8 #include "base/metrics/histogram.h" | 8 #include "base/metrics/histogram.h" |
9 #include "base/sha1.h" | 9 #include "base/sha1.h" |
10 #include "base/strings/stringprintf.h" | 10 #include "base/strings/stringprintf.h" |
11 #include "base/time/time.h" | |
11 #include "build/build_config.h" | 12 #include "build/build_config.h" |
12 #include "net/base/net_errors.h" | 13 #include "net/base/net_errors.h" |
13 #include "net/base/net_util.h" | 14 #include "net/base/net_util.h" |
14 #include "net/base/registry_controlled_domains/registry_controlled_domain.h" | 15 #include "net/base/registry_controlled_domains/registry_controlled_domain.h" |
15 #include "net/cert/cert_status_flags.h" | 16 #include "net/cert/cert_status_flags.h" |
16 #include "net/cert/cert_verifier.h" | 17 #include "net/cert/cert_verifier.h" |
17 #include "net/cert/cert_verify_result.h" | 18 #include "net/cert/cert_verify_result.h" |
18 #include "net/cert/crl_set.h" | 19 #include "net/cert/crl_set.h" |
19 #include "net/cert/x509_certificate.h" | 20 #include "net/cert/x509_certificate.h" |
20 #include "url/url_canon.h" | 21 #include "url/url_canon.h" |
(...skipping 248 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
269 // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit | 270 // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit |
270 // these to be issued until 1 November 2015, they represent a real risk for | 271 // these to be issued until 1 November 2015, they represent a real risk for |
271 // the deployment of gTLDs and are being phased out ahead of the hard | 272 // the deployment of gTLDs and are being phased out ahead of the hard |
272 // deadline. | 273 // deadline. |
273 if (verify_result->is_issued_by_known_root && IsHostnameNonUnique(hostname)) { | 274 if (verify_result->is_issued_by_known_root && IsHostnameNonUnique(hostname)) { |
274 verify_result->cert_status |= CERT_STATUS_NON_UNIQUE_NAME; | 275 verify_result->cert_status |= CERT_STATUS_NON_UNIQUE_NAME; |
275 // CERT_STATUS_NON_UNIQUE_NAME will eventually become a hard error. For | 276 // CERT_STATUS_NON_UNIQUE_NAME will eventually become a hard error. For |
276 // now treat it as a warning and do not map it to an error return value. | 277 // now treat it as a warning and do not map it to an error return value. |
277 } | 278 } |
278 | 279 |
280 // Flag certificates using too long validity periods. | |
281 if (!verify_result->is_issued_by_known_root && HasTooLongValidity(*cert)) { | |
Ryan Sleevi
2014/10/29 22:22:07
This is wrong.
if (verify_result->is_issued_by_kn
palmer
2014/10/30 01:23:16
Done.
| |
282 verify_result->cert_status |= CERT_STATUS_TOO_LONG_VALIDITY; | |
283 if (rv == OK) | |
284 rv = MapCertStatusToNetError(verify_result->cert_status); | |
285 } | |
286 | |
279 return rv; | 287 return rv; |
280 } | 288 } |
281 | 289 |
282 // static | 290 // static |
283 bool CertVerifyProc::IsBlacklisted(X509Certificate* cert) { | 291 bool CertVerifyProc::IsBlacklisted(X509Certificate* cert) { |
284 static const unsigned kComodoSerialBytes = 16; | 292 static const unsigned kComodoSerialBytes = 16; |
285 static const uint8 kComodoSerials[][kComodoSerialBytes] = { | 293 static const uint8 kComodoSerials[][kComodoSerialBytes] = { |
286 // Not a real certificate. For testing only. | 294 // Not a real certificate. For testing only. |
287 {0x07,0x7a,0x59,0xbc,0xd5,0x34,0x59,0x60,0x1c,0xa6,0x90,0x72,0x67,0xa6,0xdd, 0x1c}, | 295 {0x07,0x7a,0x59,0xbc,0xd5,0x34,0x59,0x60,0x1c,0xa6,0x90,0x72,0x67,0xa6,0xdd, 0x1c}, |
288 | 296 |
(...skipping 318 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
607 if (!CheckNameConstraints(dns_names, kLimits[i].domains)) | 615 if (!CheckNameConstraints(dns_names, kLimits[i].domains)) |
608 return true; | 616 return true; |
609 } | 617 } |
610 } | 618 } |
611 } | 619 } |
612 } | 620 } |
613 | 621 |
614 return false; | 622 return false; |
615 } | 623 } |
616 | 624 |
625 // static | |
626 bool CertVerifyProc::HasTooLongValidity(const X509Certificate& cert) { | |
627 const base::Time& start = cert.valid_start(); | |
628 const base::Time& expiry = cert.valid_expiry(); | |
629 if (start.is_max() || start.is_null() || | |
630 expiry.is_max() || expiry.is_null() || | |
631 start > expiry) { | |
632 return true; | |
633 } | |
634 | |
635 base::Time::Exploded exploded_start; | |
636 base::Time::Exploded exploded_expiry; | |
637 cert.valid_start().UTCExplode(&exploded_start); | |
638 cert.valid_expiry().UTCExplode(&exploded_expiry); | |
639 | |
640 int month_diff = | |
641 exploded_expiry.year * 12 + exploded_expiry.month - | |
642 exploded_start.year * 12 - exploded_start.month; | |
Ryan Sleevi
2014/10/29 22:22:07
I still hate math and years, but also hate multipl
palmer
2014/10/30 01:23:16
Done.
| |
643 // Add any remainder as a full month. | |
644 if (exploded_expiry.day_of_month > exploded_start.day_of_month) | |
645 ++month_diff; | |
646 | |
647 static const base::Time time_2015_04_01 = base::Time::FromInternalValue( | |
648 GG_INT64_C(1427871600)); | |
Ryan Sleevi
2014/10/29 22:22:07
GG_ is deprecated. Long live the <stdint.h> macros
palmer
2014/10/30 01:23:16
Done.
| |
649 static const base::Time time_2012_07_01 = base::Time::FromInternalValue( | |
650 GG_INT64_C(1341126000)); | |
651 static const base::Time time_2019_07_01 = base::Time::FromInternalValue( | |
652 GG_INT64_C(1561964400)); | |
653 | |
654 if (start >= time_2015_04_01) | |
655 return month_diff > 39; | |
656 if (start >= time_2012_07_01) | |
657 return month_diff > 60; | |
658 return month_diff > 120 || expiry > time_2019_07_01; | |
659 } | |
660 | |
617 } // namespace net | 661 } // namespace net |
OLD | NEW |