net/cert/cert_verify_proc.cc - Issue 2483783003: Distrust publicly trusted SHA-1 certs

Side by Side Diff: net/cert/cert_verify_proc.cc

Issue 2483783003: Distrust publicly trusted SHA-1 certs (Closed)

Patch Set: Rebased & Fixed Created 4 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/cert/cert_verify_proc.h"	5 #include "net/cert/cert_verify_proc.h"

6	6

7 #include <stdint.h>	7 #include <stdint.h>

8	8

9 #include <algorithm>	9 #include <algorithm>

10	10

(...skipping 23 matching lines...) Expand all Loading...
34 #include "net/cert/cert_verify_proc_nss.h"	34 #include "net/cert/cert_verify_proc_nss.h"

35 #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)	35 #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)

36 #include "net/cert/cert_verify_proc_openssl.h"	36 #include "net/cert/cert_verify_proc_openssl.h"

37 #elif defined(OS_ANDROID)	37 #elif defined(OS_ANDROID)

38 #include "net/cert/cert_verify_proc_android.h"	38 #include "net/cert/cert_verify_proc_android.h"

39 #elif defined(OS_IOS)	39 #elif defined(OS_IOS)

40 #include "net/cert/cert_verify_proc_ios.h"	40 #include "net/cert/cert_verify_proc_ios.h"

41 #elif defined(OS_MACOSX)	41 #elif defined(OS_MACOSX)

42 #include "net/cert/cert_verify_proc_mac.h"	42 #include "net/cert/cert_verify_proc_mac.h"

43 #elif defined(OS_WIN)	43 #elif defined(OS_WIN)

	44 #include "base/win/windows_version.h"

44 #include "net/cert/cert_verify_proc_win.h"	45 #include "net/cert/cert_verify_proc_win.h"

45 #else	46 #else

46 #error Implement certificate verification.	47 #error Implement certificate verification.

47 #endif	48 #endif

48	49

49 namespace net {	50 namespace net {

50	51

51 namespace {	52 namespace {

52	53

53 // Constants used to build histogram names	54 // Constants used to build histogram names

(...skipping 296 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
350 }	351 }

351	352

352 template <size_t N>	353 template <size_t N>

353 bool operator()(const HashValue& lhs, const uint8_t(&rhs)[N]) const {	354 bool operator()(const HashValue& lhs, const uint8_t(&rhs)[N]) const {

354 static_assert(N == crypto::kSHA256Length,	355 static_assert(N == crypto::kSHA256Length,

355 "Only SHA-256 hashes are supported");	356 "Only SHA-256 hashes are supported");

356 return memcmp(lhs.data(), rhs, crypto::kSHA256Length) < 0;	357 return memcmp(lhs.data(), rhs, crypto::kSHA256Length) < 0;

357 }	358 }

358 };	359 };

359	360

	361 bool AreSHA1IntermediatesAllowed() {

	362 #if defined(OS_WIN)

	363 // TODO(rsleevi): Remove this once https://crbug.com/588789 is resolved

	364 // for Windows 7/2008 users.

	365 // Note: This must be kept in sync with cert_verify_proc_unittest.cc

	366 return base::win::GetVersion() < base::win::VERSION_WIN8;

	367 #else

	368 return false;

	369 #endif

	370 };

	371

360 } // namespace	372 } // namespace

361	373

362 // static	374 // static

363 CertVerifyProc* CertVerifyProc::CreateDefault() {	375 CertVerifyProc* CertVerifyProc::CreateDefault() {

364 #if defined(USE_NSS_CERTS)	376 #if defined(USE_NSS_CERTS)

365 return new CertVerifyProcNSS();	377 return new CertVerifyProcNSS();

366 #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)	378 #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)

367 return new CertVerifyProcOpenSSL();	379 return new CertVerifyProcOpenSSL();

368 #elif defined(OS_ANDROID)	380 #elif defined(OS_ANDROID)

369 return new CertVerifyProcAndroid();	381 return new CertVerifyProcAndroid();

(...skipping 96 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
466 // The CA/Browser Forum Baseline Requirements (beginning with v1.2.1)	478 // The CA/Browser Forum Baseline Requirements (beginning with v1.2.1)

467 // prohibits SHA-1 certificates from being issued beginning on	479 // prohibits SHA-1 certificates from being issued beginning on

468 // 1 January 2016. Ideally, all of SHA-1 in new certificates would be	480 // 1 January 2016. Ideally, all of SHA-1 in new certificates would be

469 // disabled on this date, but enterprises need more time to transition.	481 // disabled on this date, but enterprises need more time to transition.

470 // As the risk is greatest for publicly trusted certificates, prevent	482 // As the risk is greatest for publicly trusted certificates, prevent

471 // those certificates from being trusted from that date forward.	483 // those certificates from being trusted from that date forward.

472 //	484 //

473 // TODO(mattm): apply the SHA-1 deprecation check to all certs unless	485 // TODO(mattm): apply the SHA-1 deprecation check to all certs unless

474 // CertVerifier::VERIFY_ENABLE_SHA1_LOCAL_ANCHORS flag is present.	486 // CertVerifier::VERIFY_ENABLE_SHA1_LOCAL_ANCHORS flag is present.

475 if (verify_result->has_md5 \|\|	487 if (verify_result->has_md5 \|\|

476 (verify_result->has_sha1_leaf && verify_result->is_issued_by_known_root &&	488 // Current SHA-1 behaviour:

477 IsPastSHA1DeprecationDate(*cert))) {	489 // - Reject all publicly trusted SHA-1

	490 // - ... unless it's in the intermediate and SHA-1 intermediates are

	491 // allowed for that platform. See https://crbug.com/588789

	492 (!base::FeatureList::IsEnabled(kSHA1LegacyMode) &&

	493 (verify_result->is_issued_by_known_root &&

	494 (verify_result->has_sha1_leaf \|\|

	495 (verify_result->has_sha1 && !AreSHA1IntermediatesAllowed())))) \|\|

	496 // Legacy SHA-1 behaviour:

	497 // - Reject all publicly trusted SHA-1 leaf certs issued after

	498 // 2016-01-01.

	499 (base::FeatureList::IsEnabled(kSHA1LegacyMode) &&

	500 (verify_result->has_sha1_leaf &&

	501 verify_result->is_issued_by_known_root &&

	502 IsPastSHA1DeprecationDate(*cert)))) {

478 verify_result->cert_status \|= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM;	503 verify_result->cert_status \|= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM;

479 // Avoid replacing a more serious error, such as an OS/library failure,	504 // Avoid replacing a more serious error, such as an OS/library failure,

480 // by ensuring that if verification failed, it failed with a certificate	505 // by ensuring that if verification failed, it failed with a certificate

481 // error.	506 // error.

482 if (rv == OK \|\| IsCertificateError(rv))	507 if (rv == OK \|\| IsCertificateError(rv))

483 rv = MapCertStatusToNetError(verify_result->cert_status);	508 rv = MapCertStatusToNetError(verify_result->cert_status);

484 }	509 }

485	510

486 // Flag certificates from publicly-trusted CAs that are issued to intranet	511 // Flag certificates from publicly-trusted CAs that are issued to intranet

487 // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit	512 // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit

(...skipping 252 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
740 if (start >= time_2012_07_01 && month_diff > 60)	765 if (start >= time_2012_07_01 && month_diff > 60)

741 return true;	766 return true;

742	767

743 // For certificates issued after 1 April 2015: 39 months.	768 // For certificates issued after 1 April 2015: 39 months.

744 if (start >= time_2015_04_01 && month_diff > 39)	769 if (start >= time_2015_04_01 && month_diff > 39)

745 return true;	770 return true;

746	771

747 return false;	772 return false;

748 }	773 }

749	774

	775 // static

	776 const base::Feature CertVerifyProc::kSHA1LegacyMode{

	777 "SHA1LegacyMode", base::FEATURE_DISABLED_BY_DEFAULT};

	778

750 } // namespace net	779 } // namespace net

OLD	NEW

« no previous file with comments | « net/cert/cert_verify_proc.h ('k') | net/cert/cert_verify_proc_unittest.cc » ('j') | net/cert/cert_verify_proc_unittest.cc » ('J')