Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(44)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/cert_verify_proc.h

Issue 2483783003: Distrust publicly trusted SHA-1 certs (Closed)
Patch Set: Rebased & Fixed Created 4 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | net/cert/cert_verify_proc.cc » ('j') | net/cert/cert_verify_proc_unittest.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #ifndef NET_CERT_CERT_VERIFY_PROC_H_ 5 #ifndef NET_CERT_CERT_VERIFY_PROC_H_
6 #define NET_CERT_CERT_VERIFY_PROC_H_ 6 #define NET_CERT_CERT_VERIFY_PROC_H_
7 7
8 #include <string> 8 #include <string>
9 #include <vector> 9 #include <vector>
10 10
11 #include "base/feature_list.h"
11 #include "base/gtest_prod_util.h" 12 #include "base/gtest_prod_util.h"
12 #include "base/macros.h" 13 #include "base/macros.h"
13 #include "base/memory/ref_counted.h" 14 #include "base/memory/ref_counted.h"
14 #include "net/base/net_export.h" 15 #include "net/base/net_export.h"
15 #include "net/cert/x509_cert_types.h" 16 #include "net/cert/x509_cert_types.h"
16 17
17 namespace net { 18 namespace net {
18 19
19 class CertVerifyResult; 20 class CertVerifyResult;
20 class CRLSet; 21 class CRLSet;
(...skipping 55 matching lines...) Expand 10 before | Expand all | Expand 10 after
76 virtual bool SupportsOCSPStapling() const = 0; 77 virtual bool SupportsOCSPStapling() const = 0;
77 78
78 protected: 79 protected:
79 CertVerifyProc(); 80 CertVerifyProc();
80 virtual ~CertVerifyProc(); 81 virtual ~CertVerifyProc();
81 82
82 private: 83 private:
83 friend class base::RefCountedThreadSafe<CertVerifyProc>; 84 friend class base::RefCountedThreadSafe<CertVerifyProc>;
84 FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, DigiNotarCerts); 85 FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, DigiNotarCerts);
85 FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, TestHasTooLongValidity); 86 FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, TestHasTooLongValidity);
87 FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest,
88 VerifyRejectsSHA1AfterDeprecationLegacyMode);
86 89
87 // Performs the actual verification using the desired underlying 90 // Performs the actual verification using the desired underlying
88 // cryptographic library. On entry, |verify_result->verified_cert| 91 // cryptographic library. On entry, |verify_result->verified_cert|
89 // is set to |cert|, the unverified chain. If no chain is built, the 92 // is set to |cert|, the unverified chain. If no chain is built, the
90 // value must be left untouched. 93 // value must be left untouched.
91 virtual int VerifyInternal(X509Certificate* cert, 94 virtual int VerifyInternal(X509Certificate* cert,
92 const std::string& hostname, 95 const std::string& hostname,
93 const std::string& ocsp_response, 96 const std::string& ocsp_response,
94 int flags, 97 int flags,
95 CRLSet* crl_set, 98 CRLSet* crl_set,
(...skipping 21 matching lines...) Expand all
117 // 120 //
118 // For certificates issued after 1 July 2012: 60 months. 121 // For certificates issued after 1 July 2012: 60 months.
119 // For certificates issued after 1 April 2015: 39 months. 122 // For certificates issued after 1 April 2015: 39 months.
120 // 123 //
121 // For certificates issued before the BRs took effect, there were no 124 // For certificates issued before the BRs took effect, there were no
122 // guidelines, but clamp them at a maximum of 10 year validity, with the 125 // guidelines, but clamp them at a maximum of 10 year validity, with the
123 // requirement they expire within 7 years after the effective date of the BRs 126 // requirement they expire within 7 years after the effective date of the BRs
124 // (i.e. by 1 July 2019). 127 // (i.e. by 1 July 2019).
125 static bool HasTooLongValidity(const X509Certificate& cert); 128 static bool HasTooLongValidity(const X509Certificate& cert);
126 129
130 // Emergency kill-switch for SHA-1 deprecation. Disabled by default.
131 static const base::Feature kSHA1LegacyMode;
132
127 DISALLOW_COPY_AND_ASSIGN(CertVerifyProc); 133 DISALLOW_COPY_AND_ASSIGN(CertVerifyProc);
128 }; 134 };
129 135
130 } // namespace net 136 } // namespace net
131 137
132 #endif // NET_CERT_CERT_VERIFY_PROC_H_ 138 #endif // NET_CERT_CERT_VERIFY_PROC_H_
OLDNEW
« no previous file with comments | « no previous file | net/cert/cert_verify_proc.cc » ('j') | net/cert/cert_verify_proc_unittest.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698