Unified Diff: net/cert/cert_verify_proc.cc

Issue 2487063003: Revert of Distrust publicly trusted SHA-1 certs (Closed)
Patch Set: Created 4 years, 1 month ago
Index: net/cert/cert_verify_proc.cc
diff --git a/net/cert/cert_verify_proc.cc b/net/cert/cert_verify_proc.cc
index 4d6584768dbc2e8be6f12b7038fd0cbf5674b22b..c2c5930c305abd0a79d9eaf0767f7e659675cb3a 100644
--- a/net/cert/cert_verify_proc.cc
+++ b/net/cert/cert_verify_proc.cc
@@ -41,7 +41,6 @@
#elif defined(OS_MACOSX)
#include "net/cert/cert_verify_proc_mac.h"
#elif defined(OS_WIN)
-#include "base/win/windows_version.h"
#include "net/cert/cert_verify_proc_win.h"
#else
#error Implement certificate verification.
@@ -358,17 +357,6 @@
}
};
-bool AreSHA1IntermediatesAllowed() {
-#if defined(OS_WIN)
- // TODO(rsleevi): Remove this once https://crbug.com/588789 is resolved
- // for Windows 7/2008 users.
- // Note: This must be kept in sync with cert_verify_proc_unittest.
- return base::win::GetVersion() >= base::win::VERSION_WIN8;
-#else
- return false;
-#endif
-};
-
} // namespace
// static
@@ -485,21 +473,8 @@
// TODO(mattm): apply the SHA-1 deprecation check to all certs unless
// CertVerifier::VERIFY_ENABLE_SHA1_LOCAL_ANCHORS flag is present.
if (verify_result->has_md5 ||
- // Current SHA-1 behaviour:
- // - Reject all publicly trusted SHA-1
- // - ... unless it's in the intermediate and SHA-1 intermediates are
- // allowed for that platform. See https://crbug.com/588789
- (!base::FeatureList::IsEnabled(kSHA1LegacyMode) &&
- (verify_result->is_issued_by_known_root &&
- (verify_result->has_sha1_leaf ||
- (verify_result->has_sha1 && !AreSHA1IntermediatesAllowed())))) ||
- // Legacy SHA-1 behaviour:
- // - Reject all publicly trusted SHA-1 leaf certs issued after
- // 2016-01-01.
- (base::FeatureList::IsEnabled(kSHA1LegacyMode) &&
- (verify_result->has_sha1_leaf &&
- verify_result->is_issued_by_known_root &&
- IsPastSHA1DeprecationDate(*cert)))) {
+ (verify_result->has_sha1_leaf && verify_result->is_issued_by_known_root &&
+ IsPastSHA1DeprecationDate(*cert))) {
verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM;
// Avoid replacing a more serious error, such as an OS/library failure,
// by ensuring that if verification failed, it failed with a certificate
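Review bot: After the revert, the only SHA-1 condition left (the new condition at the end of the `if`) is `has_sha1_leaf && is_issued_by_known_root && IsPastSHA1DeprecationDate(*cert)`, so `verify_result->has_sha1` is no longer consulted anywhere in this check and a publicly trusted chain with a SHA-1-signed intermediate is accepted without `CERT_STATUS_WEAK_SIGNATURE_ALGORITHM` being set; pre-2016 SHA-1 leaves are likewise accepted again. The hunk carries no comment recording that this is a deliberate rollback or what gates the stricter policy's return, which matters because the remaining `TODO(mattm)` describes an intended tightening in the opposite direction. I would add, above the condition, `// Legacy SHA-1 policy (see revert of r...): flag only publicly trusted SHA-1 leaf certs issued on or after 2016-01-01; SHA-1 intermediates are not flagged here.` with the actual revert reference filled in. It is also worth noting in that comment that the date test presumably keys off the certificate's own validity dates, which are issuer-controlled, so it is a deprecation aid rather than a security boundary — confirm against `IsPastSHA1DeprecationDate`, which is not visible in this hunk. The enclosing function begins and ends outside the hunk.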
@@ -772,8 +747,4 @@
return false;
}
-// static
-const base::Feature CertVerifyProc::kSHA1LegacyMode{
- "SHA1LegacyMode", base::FEATURE_DISABLED_BY_DEFAULT};
-
} // namespace net