Index: net/cert/cert_verify_proc.cc |
diff --git a/net/cert/cert_verify_proc.cc b/net/cert/cert_verify_proc.cc |
index 3bd3735d4fc9b332682b93fbaafde22d8019c9c9..cb2ed5c87e7112daaac1809be97a972e61cc4752 100644 |
--- a/net/cert/cert_verify_proc.cc |
+++ b/net/cert/cert_verify_proc.cc |
@@ -6,6 +6,7 @@ |
#include "base/metrics/histogram.h" |
#include "base/sha1.h" |
+#include "base/time/time.h" |
#include "build/build_config.h" |
#include "net/base/net_errors.h" |
#include "net/base/net_util.h" |
@@ -161,6 +162,13 @@ int CertVerifyProc::Verify(X509Certificate* cert, |
verify_result->cert_status |= CERT_STATUS_NON_UNIQUE_NAME; |
} |
+ // Flag certificates using too long validity periods. |
+ if (HasTooLongValidity(*cert)) { |
+ verify_result->cert_status |= CERT_STATUS_TOO_LONG_VALIDITY; |
+ if (rv == OK) |
+ rv = MapCertStatusToNetError(verify_result->cert_status); |
+ } |
+ |
return rv; |
} |
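Review bot: The new validity check at `if (HasTooLongValidity(*cert))` runs on every chain, including ones that terminate in a locally installed enterprise or test root, which the CA/Browser Forum Baseline Requirements this limit comes from do not govern; such certificates will now be rejected via `MapCertStatusToNetError` as soon as `rv == OK`. If `CertVerifyResult` records whether the chain ends in a publicly trusted root (not visible in this hunk), the flagging should be gated on that, e.g. `if (<chain is issued by a known public root> && HasTooLongValidity(*cert))`, so that private PKI deployments keep working. It would also help to note in the comment why the limit is a hard failure rather than only a status bit, e.g. `// Validity periods beyond the Baseline Requirements limits are treated as a verification error, not just a warning.` The body of CertVerifyProc::Verify begins outside this hunk.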
@@ -332,4 +340,30 @@ bool CertVerifyProc::IsHostnameNonUnique(const std::string& hostname) { |
registry_controlled_domains::EXCLUDE_PRIVATE_REGISTRIES); |
} |
+// static |
+bool CertVerifyProc::HasTooLongValidity(const X509Certificate& cert) { |
+ base::Time::Exploded start; |
+ base::Time::Exploded expiry; |
+ cert.valid_start().UTCExplode(&start); |
+ cert.valid_expiry().UTCExplode(&expiry); |
+ int month_diff = |
+ expiry.year * 12 + expiry.month - start.year * 12 - start.month; |
+ // Add any remainder as a full month. |
+ if (expiry.day_of_month > start.day_of_month) |
+ ++month_diff; |
Ryan Sleevi
2013/08/19 17:57:50
Definitely should add unittests for this logic.
M
|
+ |
+ base::Time Apr2015; |
+ base::Time Jul2012; |
+ base::Time Jul2019; |
+ base::Time::FromString("1 Apr 2015", &Apr2015); |
+ base::Time::FromString("1 Jul 2012", &Jul2012); |
+ base::Time::FromString("1 Jul 2019", &Jul2019); |
Ryan Sleevi
2013/08/19 17:57:50
Style: Palmer, can you hardcode these and use base
palmer
2013/08/21 22:24:15
Done.
|
+ |
+ if (cert.valid_start() >= Apr2015) |
+ return month_diff > 39; |
+ if (cert.valid_start() >= Jul2012) |
+ return month_diff > 60; |
+ return month_diff > 120 || cert.valid_expiry() > Jul2019; |
+} |
+ |
} // namespace net |
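Review bot: The three `base::Time::FromString` calls discard their return value, so a parse failure leaves the corresponding `base::Time` at its default (null) value, and `cert.valid_start() >= Apr2015` then holds for every certificate, silently applying the strictest 39-month limit to all chains rather than reporting a bug. Since these are fixed calendar boundaries, they should be built once from explicit fields with `base::Time::FromUTCExploded` (no string parsing, no unchecked return, no per-call work) and named as constants; a sketch of that is below, with the comparison logic unchanged. Separately, the partial-month rounding `if (expiry.day_of_month > start.day_of_month)` ignores the time of day, so an expiry that is later on the same day-of-month than the start is not counted as an extra month; that is probably acceptable here but deserves a one-line comment stating it is intentional, e.g. `// Time of day within the final day is ignored deliberately.`
```cpp
// static
bool CertVerifyProc::HasTooLongValidity(const X509Certificate& cert) {
  // Fields: year, month, day_of_week, day_of_month, hour, minute, second, ms.
  // Boundaries are from the CA/Browser Forum Baseline Requirements and are
  // fixed, so build them once from explicit fields instead of parsing strings.
  static const base::Time::Exploded kJul2012Exploded = {2012, 7, 0, 1, 0, 0, 0, 0};
  static const base::Time::Exploded kApr2015Exploded = {2015, 4, 0, 1, 0, 0, 0, 0};
  static const base::Time::Exploded kJul2019Exploded = {2019, 7, 0, 1, 0, 0, 0, 0};
  static const base::Time kJul2012 = base::Time::FromUTCExploded(kJul2012Exploded);
  static const base::Time kApr2015 = base::Time::FromUTCExploded(kApr2015Exploded);
  static const base::Time kJul2019 = base::Time::FromUTCExploded(kJul2019Exploded);

  // … unchanged: month_diff computation from the exploded start/expiry …

  if (cert.valid_start() >= kApr2015)
    return month_diff > 39;
  if (cert.valid_start() >= kJul2012)
    return month_diff > 60;
  return month_diff > 120 || cert.valid_expiry() > kJul2019;
}
```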