Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(153)

Unified Diff: net/cert/cert_verify_proc.cc

Issue 20628006: Reject certificates that are valid for too long. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Don't use arithmetic expressions in shell script. Created 6 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/cert/cert_verify_proc.h ('k') | net/cert/cert_verify_proc_unittest.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/cert/cert_verify_proc.cc
diff --git a/net/cert/cert_verify_proc.cc b/net/cert/cert_verify_proc.cc
index 222ba47f51c98fcab412a52334146ee064d77696..981bea008dd12b7258b79fc0fadba79babdecac7 100644
--- a/net/cert/cert_verify_proc.cc
+++ b/net/cert/cert_verify_proc.cc
@@ -4,10 +4,13 @@
#include "net/cert/cert_verify_proc.h"
+#include <stdint.h>
+
#include "base/basictypes.h"
#include "base/metrics/histogram.h"
#include "base/sha1.h"
#include "base/strings/stringprintf.h"
+#include "base/time/time.h"
#include "build/build_config.h"
#include "net/base/net_errors.h"
#include "net/base/net_util.h"
@@ -33,7 +36,6 @@
#error Implement certificate verification.
#endif
-
namespace net {
namespace {
@@ -276,6 +278,13 @@ int CertVerifyProc::Verify(X509Certificate* cert,
// now treat it as a warning and do not map it to an error return value.
}
+ // Flag certificates using too long validity periods.
+ if (verify_result->is_issued_by_known_root && HasTooLongValidity(*cert)) {
+ verify_result->cert_status |= CERT_STATUS_VALIDITY_TOO_LONG;
+ if (rv == OK)
+ rv = MapCertStatusToNetError(verify_result->cert_status);
+ }
+
return rv;
}
@@ -614,4 +623,41 @@ bool CertVerifyProc::HasNameConstraintsViolation(
return false;
}
+// static
+bool CertVerifyProc::HasTooLongValidity(const X509Certificate& cert) {
+ const base::Time& start = cert.valid_start();
+ const base::Time& expiry = cert.valid_expiry();
+ if (start.is_max() || start.is_null() || expiry.is_max() ||
+ expiry.is_null() || start > expiry) {
+ return true;
+ }
+
+ base::Time::Exploded exploded_start;
+ base::Time::Exploded exploded_expiry;
+ cert.valid_start().UTCExplode(&exploded_start);
+ cert.valid_expiry().UTCExplode(&exploded_expiry);
+
+ if (exploded_expiry.year - exploded_start.year > 10)
+ return true;
+ int month_diff = (exploded_expiry.year - exploded_start.year) * 12 +
+ (exploded_expiry.month - exploded_start.month);
+
+ // Add any remainder as a full month.
+ if (exploded_expiry.day_of_month > exploded_start.day_of_month)
+ ++month_diff;
+
+ static const base::Time time_2015_04_01 =
+ base::Time::FromInternalValue(INT64_C(1427871600));
+ static const base::Time time_2012_07_01 =
+ base::Time::FromInternalValue(INT64_C(1341126000));
+ static const base::Time time_2019_07_01 =
+ base::Time::FromInternalValue(INT64_C(1561964400));
+
+ if (start >= time_2015_04_01)
haavardm 2014/11/10 16:20:01 The 39 month check kicks in since the hardcoded da
+ return month_diff > 39;
+ if (start >= time_2012_07_01)
+ return month_diff > 60;
+ return month_diff > 120 || expiry > time_2019_07_01;
+}
+
} // namespace net
« no previous file with comments | « net/cert/cert_verify_proc.h ('k') | net/cert/cert_verify_proc_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698