net/cert/cert_verify_proc.cc - Issue 2483783003: Distrust publicly trusted SHA-1 certs

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: net/cert/cert_verify_proc.cc

Issue 2483783003: Distrust publicly trusted SHA-1 certs (Closed)

Patch Set: Created 4 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: net/cert/cert_verify_proc.cc

diff --git a/net/cert/cert_verify_proc.cc b/net/cert/cert_verify_proc.cc

index c2c5930c305abd0a79d9eaf0767f7e659675cb3a..4d6584768dbc2e8be6f12b7038fd0cbf5674b22b 100644

--- a/net/cert/cert_verify_proc.cc

+++ b/net/cert/cert_verify_proc.cc

@@ -41,6 +41,7 @@

#elif defined(OS_MACOSX)

#include "net/cert/cert_verify_proc_mac.h"

#elif defined(OS_WIN)

+#include "base/win/windows_version.h"

#include "net/cert/cert_verify_proc_win.h"

#else

#error Implement certificate verification.

@@ -357,6 +358,17 @@ struct HashToArrayComparator {

}

};

+bool AreSHA1IntermediatesAllowed() {

+#if defined(OS_WIN)

+ // TODO(rsleevi): Remove this once https://crbug.com/588789 is resolved

+ // for Windows 7/2008 users.

+ // Note: This must be kept in sync with cert_verify_proc_unittest.

+ return base::win::GetVersion() >= base::win::VERSION_WIN8;

+#else

+ return false;

+#endif

+};

} // namespace

// static

@@ -473,8 +485,21 @@ int CertVerifyProc::Verify(X509Certificate* cert,

// TODO(mattm): apply the SHA-1 deprecation check to all certs unless

// CertVerifier::VERIFY_ENABLE_SHA1_LOCAL_ANCHORS flag is present.

if (verify_result->has_md5 ||

- (verify_result->has_sha1_leaf && verify_result->is_issued_by_known_root &&

- IsPastSHA1DeprecationDate(*cert))) {

+ // Current SHA-1 behaviour:

+ // - Reject all publicly trusted SHA-1

+ // - ... unless it's in the intermediate and SHA-1 intermediates are

+ // allowed for that platform. See https://crbug.com/588789

+ (!base::FeatureList::IsEnabled(kSHA1LegacyMode) &&

+ (verify_result->is_issued_by_known_root &&

+ (verify_result->has_sha1_leaf ||

+ (verify_result->has_sha1 && !AreSHA1IntermediatesAllowed())))) ||

+ // Legacy SHA-1 behaviour:

+ // - Reject all publicly trusted SHA-1 leaf certs issued after

+ // 2016-01-01.

+ (base::FeatureList::IsEnabled(kSHA1LegacyMode) &&

+ (verify_result->has_sha1_leaf &&

+ verify_result->is_issued_by_known_root &&

+ IsPastSHA1DeprecationDate(*cert)))) {

verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM;

// Avoid replacing a more serious error, such as an OS/library failure,

// by ensuring that if verification failed, it failed with a certificate

@@ -747,4 +772,8 @@ bool CertVerifyProc::HasTooLongValidity(const X509Certificate& cert) {

return false;

}

+// static

+const base::Feature CertVerifyProc::kSHA1LegacyMode{

+ "SHA1LegacyMode", base::FEATURE_DISABLED_BY_DEFAULT};

} // namespace net

« no previous file with comments | « net/cert/cert_verify_proc.h ('k') | net/cert/cert_verify_proc_unittest.cc » ('j') | net/cert/cert_verify_proc_unittest.cc » ('J')