net/cert/cert_verify_proc.cc - Issue 2487063003: Revert of Distrust publicly trusted SHA-1 certs

Side by Side Diff: net/cert/cert_verify_proc.cc

Issue 2487063003: Revert of Distrust publicly trusted SHA-1 certs (Closed)

Patch Set: Created 4 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/cert/cert_verify_proc.h"	5 #include "net/cert/cert_verify_proc.h"

6	6

7 #include <stdint.h>	7 #include <stdint.h>

8	8

9 #include <algorithm>	9 #include <algorithm>

10	10

(...skipping 23 matching lines...) Expand all Loading...
34 #include "net/cert/cert_verify_proc_nss.h"	34 #include "net/cert/cert_verify_proc_nss.h"

35 #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)	35 #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)

36 #include "net/cert/cert_verify_proc_openssl.h"	36 #include "net/cert/cert_verify_proc_openssl.h"

37 #elif defined(OS_ANDROID)	37 #elif defined(OS_ANDROID)

38 #include "net/cert/cert_verify_proc_android.h"	38 #include "net/cert/cert_verify_proc_android.h"

39 #elif defined(OS_IOS)	39 #elif defined(OS_IOS)

40 #include "net/cert/cert_verify_proc_ios.h"	40 #include "net/cert/cert_verify_proc_ios.h"

41 #elif defined(OS_MACOSX)	41 #elif defined(OS_MACOSX)

42 #include "net/cert/cert_verify_proc_mac.h"	42 #include "net/cert/cert_verify_proc_mac.h"

43 #elif defined(OS_WIN)	43 #elif defined(OS_WIN)

44 #include "base/win/windows_version.h"

45 #include "net/cert/cert_verify_proc_win.h"	44 #include "net/cert/cert_verify_proc_win.h"

46 #else	45 #else

47 #error Implement certificate verification.	46 #error Implement certificate verification.

48 #endif	47 #endif

49	48

50 namespace net {	49 namespace net {

51	50

52 namespace {	51 namespace {

53	52

54 // Constants used to build histogram names	53 // Constants used to build histogram names

(...skipping 296 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
351 }	350 }

352	351

353 template <size_t N>	352 template <size_t N>

354 bool operator()(const HashValue& lhs, const uint8_t(&rhs)[N]) const {	353 bool operator()(const HashValue& lhs, const uint8_t(&rhs)[N]) const {

355 static_assert(N == crypto::kSHA256Length,	354 static_assert(N == crypto::kSHA256Length,

356 "Only SHA-256 hashes are supported");	355 "Only SHA-256 hashes are supported");

357 return memcmp(lhs.data(), rhs, crypto::kSHA256Length) < 0;	356 return memcmp(lhs.data(), rhs, crypto::kSHA256Length) < 0;

358 }	357 }

359 };	358 };

360	359

361 bool AreSHA1IntermediatesAllowed() {

362 #if defined(OS_WIN)

363 // TODO(rsleevi): Remove this once https://crbug.com/588789 is resolved

364 // for Windows 7/2008 users.

365 // Note: This must be kept in sync with cert_verify_proc_unittest.

366 return base::win::GetVersion() >= base::win::VERSION_WIN8;

367 #else

368 return false;

369 #endif

370 };

371

372 } // namespace	360 } // namespace

373	361

374 // static	362 // static

375 CertVerifyProc* CertVerifyProc::CreateDefault() {	363 CertVerifyProc* CertVerifyProc::CreateDefault() {

376 #if defined(USE_NSS_CERTS)	364 #if defined(USE_NSS_CERTS)

377 return new CertVerifyProcNSS();	365 return new CertVerifyProcNSS();

378 #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)	366 #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)

379 return new CertVerifyProcOpenSSL();	367 return new CertVerifyProcOpenSSL();

380 #elif defined(OS_ANDROID)	368 #elif defined(OS_ANDROID)

381 return new CertVerifyProcAndroid();	369 return new CertVerifyProcAndroid();

(...skipping 96 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
478 // The CA/Browser Forum Baseline Requirements (beginning with v1.2.1)	466 // The CA/Browser Forum Baseline Requirements (beginning with v1.2.1)

479 // prohibits SHA-1 certificates from being issued beginning on	467 // prohibits SHA-1 certificates from being issued beginning on

480 // 1 January 2016. Ideally, all of SHA-1 in new certificates would be	468 // 1 January 2016. Ideally, all of SHA-1 in new certificates would be

481 // disabled on this date, but enterprises need more time to transition.	469 // disabled on this date, but enterprises need more time to transition.

482 // As the risk is greatest for publicly trusted certificates, prevent	470 // As the risk is greatest for publicly trusted certificates, prevent

483 // those certificates from being trusted from that date forward.	471 // those certificates from being trusted from that date forward.

484 //	472 //

485 // TODO(mattm): apply the SHA-1 deprecation check to all certs unless	473 // TODO(mattm): apply the SHA-1 deprecation check to all certs unless

486 // CertVerifier::VERIFY_ENABLE_SHA1_LOCAL_ANCHORS flag is present.	474 // CertVerifier::VERIFY_ENABLE_SHA1_LOCAL_ANCHORS flag is present.

487 if (verify_result->has_md5 \|\|	475 if (verify_result->has_md5 \|\|

488 // Current SHA-1 behaviour:	476 (verify_result->has_sha1_leaf && verify_result->is_issued_by_known_root &&

489 // - Reject all publicly trusted SHA-1	477 IsPastSHA1DeprecationDate(*cert))) {

490 // - ... unless it's in the intermediate and SHA-1 intermediates are

491 // allowed for that platform. See https://crbug.com/588789

492 (!base::FeatureList::IsEnabled(kSHA1LegacyMode) &&

493 (verify_result->is_issued_by_known_root &&

494 (verify_result->has_sha1_leaf \|\|

495 (verify_result->has_sha1 && !AreSHA1IntermediatesAllowed())))) \|\|

496 // Legacy SHA-1 behaviour:

497 // - Reject all publicly trusted SHA-1 leaf certs issued after

498 // 2016-01-01.

499 (base::FeatureList::IsEnabled(kSHA1LegacyMode) &&

500 (verify_result->has_sha1_leaf &&

501 verify_result->is_issued_by_known_root &&

502 IsPastSHA1DeprecationDate(*cert)))) {

503 verify_result->cert_status \|= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM;	478 verify_result->cert_status \|= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM;

504 // Avoid replacing a more serious error, such as an OS/library failure,	479 // Avoid replacing a more serious error, such as an OS/library failure,

505 // by ensuring that if verification failed, it failed with a certificate	480 // by ensuring that if verification failed, it failed with a certificate

506 // error.	481 // error.

507 if (rv == OK \|\| IsCertificateError(rv))	482 if (rv == OK \|\| IsCertificateError(rv))

508 rv = MapCertStatusToNetError(verify_result->cert_status);	483 rv = MapCertStatusToNetError(verify_result->cert_status);

509 }	484 }

510	485

511 // Flag certificates from publicly-trusted CAs that are issued to intranet	486 // Flag certificates from publicly-trusted CAs that are issued to intranet

512 // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit	487 // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit

(...skipping 252 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
765 if (start >= time_2012_07_01 && month_diff > 60)	740 if (start >= time_2012_07_01 && month_diff > 60)

766 return true;	741 return true;

767	742

768 // For certificates issued after 1 April 2015: 39 months.	743 // For certificates issued after 1 April 2015: 39 months.

769 if (start >= time_2015_04_01 && month_diff > 39)	744 if (start >= time_2015_04_01 && month_diff > 39)

770 return true;	745 return true;

771	746

772 return false;	747 return false;

773 }	748 }

774	749

775 // static

776 const base::Feature CertVerifyProc::kSHA1LegacyMode{

777 "SHA1LegacyMode", base::FEATURE_DISABLED_BY_DEFAULT};

778

779 } // namespace net	750 } // namespace net

OLD	NEW

« no previous file with comments | « net/cert/cert_verify_proc.h ('k') | net/cert/cert_verify_proc_unittest.cc » ('j') | no next file with comments »