OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_CERT_CERT_VERIFY_PROC_H_ | 5 #ifndef NET_CERT_CERT_VERIFY_PROC_H_ |
6 #define NET_CERT_CERT_VERIFY_PROC_H_ | 6 #define NET_CERT_CERT_VERIFY_PROC_H_ |
7 | 7 |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
(...skipping 55 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
66 // passed to Verify() is ignored when this returns false. | 66 // passed to Verify() is ignored when this returns false. |
67 virtual bool SupportsAdditionalTrustAnchors() const = 0; | 67 virtual bool SupportsAdditionalTrustAnchors() const = 0; |
68 | 68 |
69 protected: | 69 protected: |
70 CertVerifyProc(); | 70 CertVerifyProc(); |
71 virtual ~CertVerifyProc(); | 71 virtual ~CertVerifyProc(); |
72 | 72 |
73 private: | 73 private: |
74 friend class base::RefCountedThreadSafe<CertVerifyProc>; | 74 friend class base::RefCountedThreadSafe<CertVerifyProc>; |
75 FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, DigiNotarCerts); | 75 FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, DigiNotarCerts); |
| 76 FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, TestHasTooLongValidity); |
76 | 77 |
77 // Performs the actual verification using the desired underlying | 78 // Performs the actual verification using the desired underlying |
78 // cryptographic library. | 79 // cryptographic library. |
79 virtual int VerifyInternal(X509Certificate* cert, | 80 virtual int VerifyInternal(X509Certificate* cert, |
80 const std::string& hostname, | 81 const std::string& hostname, |
81 int flags, | 82 int flags, |
82 CRLSet* crl_set, | 83 CRLSet* crl_set, |
83 const CertificateList& additional_trust_anchors, | 84 const CertificateList& additional_trust_anchors, |
84 CertVerifyResult* verify_result) = 0; | 85 CertVerifyResult* verify_result) = 0; |
85 | 86 |
86 // Returns true if |cert| is explicitly blacklisted. | 87 // Returns true if |cert| is explicitly blacklisted. |
87 static bool IsBlacklisted(X509Certificate* cert); | 88 static bool IsBlacklisted(X509Certificate* cert); |
88 | 89 |
89 // IsPublicKeyBlacklisted returns true iff one of |public_key_hashes| (which | 90 // IsPublicKeyBlacklisted returns true iff one of |public_key_hashes| (which |
90 // are hashes of SubjectPublicKeyInfo structures) is explicitly blocked. | 91 // are hashes of SubjectPublicKeyInfo structures) is explicitly blocked. |
91 static bool IsPublicKeyBlacklisted(const HashValueVector& public_key_hashes); | 92 static bool IsPublicKeyBlacklisted(const HashValueVector& public_key_hashes); |
92 | 93 |
93 // HasNameConstraintsViolation returns true iff one of |public_key_hashes| | 94 // HasNameConstraintsViolation returns true iff one of |public_key_hashes| |
94 // (which are hashes of SubjectPublicKeyInfo structures) has name constraints | 95 // (which are hashes of SubjectPublicKeyInfo structures) has name constraints |
95 // imposed on it and the names in |dns_names| are not permitted. | 96 // imposed on it and the names in |dns_names| are not permitted. |
96 static bool HasNameConstraintsViolation( | 97 static bool HasNameConstraintsViolation( |
97 const HashValueVector& public_key_hashes, | 98 const HashValueVector& public_key_hashes, |
98 const std::string& common_name, | 99 const std::string& common_name, |
99 const std::vector<std::string>& dns_names, | 100 const std::vector<std::string>& dns_names, |
100 const std::vector<std::string>& ip_addrs); | 101 const std::vector<std::string>& ip_addrs); |
101 | 102 |
| 103 // The CA/Browser Forum's Baseline Requirements specify maximum validity |
| 104 // periods (https://cabforum.org/Baseline_Requirements_V1.pdf): |
| 105 // |
| 106 // For certificates issued after 1 July 2012: 60 months. |
| 107 // For certificates issued after 1 April 2015: 39 months. |
| 108 // |
| 109 // For certificates issued before the BRs took effect, there were no |
| 110 // guidelines, but clamp them at a maximum of 10 year validity, with the |
| 111 // requirement they expire within 7 years after the effective date of the BRs |
| 112 // (i.e. by 1 July 2019). |
| 113 static bool HasTooLongValidity(const X509Certificate& cert); |
| 114 |
102 DISALLOW_COPY_AND_ASSIGN(CertVerifyProc); | 115 DISALLOW_COPY_AND_ASSIGN(CertVerifyProc); |
103 }; | 116 }; |
104 | 117 |
105 } // namespace net | 118 } // namespace net |
106 | 119 |
107 #endif // NET_CERT_CERT_VERIFY_PROC_H_ | 120 #endif // NET_CERT_CERT_VERIFY_PROC_H_ |
OLD | NEW |