Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(150)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/cert/cert_verify_proc.cc

Issue 20628006: Reject certificates that are valid for too long. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Rebase?! In our moment of triumph?! Created 6 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/cert/cert_verify_proc.h ('k') | net/cert/cert_verify_proc_unittest.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/cert/cert_verify_proc.cc
diff --git a/net/cert/cert_verify_proc.cc b/net/cert/cert_verify_proc.cc
index 798d90203663b9796bd93d4e25290b13dcc9632a..e3de4300c31d396bdb93019c5202f78f7f19961a 100644
--- a/net/cert/cert_verify_proc.cc
+++ b/net/cert/cert_verify_proc.cc
@@ -7,6 +7,7 @@
#include "base/metrics/histogram.h"
#include "base/sha1.h"
#include "base/strings/stringprintf.h"
+#include "base/time/time.h"
#include "build/build_config.h"
#include "net/base/net_errors.h"
#include "net/base/net_util.h"
@@ -272,6 +273,13 @@ int CertVerifyProc::Verify(X509Certificate* cert,
// now treat it as a warning and do not map it to an error return value.
}
+ // Flag certificates using too long validity periods.
+ if (HasTooLongValidity(*cert)) {
Ryan Sleevi 2014/10/27 22:07:39 Remind me why we aren't checking is_issued_by_know
palmer 2014/10/28 00:05:53 Done.
+ verify_result->cert_status |= CERT_STATUS_TOO_LONG_VALIDITY;
+ if (rv == OK)
+ rv = MapCertStatusToNetError(verify_result->cert_status);
+ }
+
return rv;
}
@@ -532,4 +540,30 @@ bool CertVerifyProc::HasNameConstraintsViolation(
return false;
}
+// static
+bool CertVerifyProc::HasTooLongValidity(const X509Certificate& cert) {
+ base::Time::Exploded start;
+ base::Time::Exploded expiry;
+ cert.valid_start().UTCExplode(&start);
+ cert.valid_expiry().UTCExplode(&expiry);
Ryan Sleevi 2014/10/27 22:07:39 Note that both of these can fail for some certific
palmer 2014/10/28 00:05:53 Done for a first pass. My immediate goal is to re-
+ int month_diff =
+ expiry.year * 12 + expiry.month - start.year * 12 - start.month;
+ // Add any remainder as a full month.
+ if (expiry.day_of_month > start.day_of_month)
+ ++month_diff;
+
+ static const base::Time time_2015_04_01 = base::Time::FromInternalValue(
+ GG_INT64_C(1427871600));
+ static const base::Time time_2012_07_01 = base::Time::FromInternalValue(
+ GG_INT64_C(1341126000));
+ static const base::Time time_2019_07_01 = base::Time::FromInternalValue(
+ GG_INT64_C(1561964400));
+
+ if (cert.valid_start() >= time_2015_04_01)
+ return month_diff > 39;
+ if (cert.valid_start() >= time_2012_07_01)
+ return month_diff > 60;
+ return month_diff > 120 || cert.valid_expiry() > time_2019_07_01;
+}
+
} // namespace net
« no previous file with comments | « net/cert/cert_verify_proc.h ('k') | net/cert/cert_verify_proc_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698