Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(226)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/cert_verify_proc.cc

Issue 2662673002: Restrict the set of WoSign/StartCom certs to the Alexa Top 1M (Closed)
Patch Set: Created 3 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/BUILD.gn ('k') | net/cert/cert_verify_proc_whitelist.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/cert_verify_proc.h" 5 #include "net/cert/cert_verify_proc.h"
6 6
7 #include <stdint.h> 7 #include <stdint.h>
8 8
9 #include <algorithm> 9 #include <algorithm>
10 10
(...skipping 495 matching lines...) Expand 10 before | Expand all | Expand 10 after
506 cert->GetSubjectAltName(&dns_names, &ip_addrs); 506 cert->GetSubjectAltName(&dns_names, &ip_addrs);
507 if (HasNameConstraintsViolation(verify_result->public_key_hashes, 507 if (HasNameConstraintsViolation(verify_result->public_key_hashes,
508 cert->subject().common_name, 508 cert->subject().common_name,
509 dns_names, 509 dns_names,
510 ip_addrs)) { 510 ip_addrs)) {
511 verify_result->cert_status |= CERT_STATUS_NAME_CONSTRAINT_VIOLATION; 511 verify_result->cert_status |= CERT_STATUS_NAME_CONSTRAINT_VIOLATION;
512 rv = MapCertStatusToNetError(verify_result->cert_status); 512 rv = MapCertStatusToNetError(verify_result->cert_status);
513 } 513 }
514 514
515 if (IsNonWhitelistedCertificate(*verify_result->verified_cert, 515 if (IsNonWhitelistedCertificate(*verify_result->verified_cert,
516 verify_result->public_key_hashes)) { 516 verify_result->public_key_hashes, hostname)) {
517 verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID; 517 verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
518 rv = MapCertStatusToNetError(verify_result->cert_status); 518 rv = MapCertStatusToNetError(verify_result->cert_status);
519 } 519 }
520 520
521 // Check for weak keys in the entire verified chain. 521 // Check for weak keys in the entire verified chain.
522 bool weak_key = ExaminePublicKeys(verify_result->verified_cert, 522 bool weak_key = ExaminePublicKeys(verify_result->verified_cert,
523 verify_result->is_issued_by_known_root); 523 verify_result->is_issued_by_known_root);
524 524
525 if (weak_key) { 525 if (weak_key) {
526 verify_result->cert_status |= CERT_STATUS_WEAK_KEY; 526 verify_result->cert_status |= CERT_STATUS_WEAK_KEY;
(...skipping 306 matching lines...) Expand 10 before | Expand all | Expand 10 after
833 return true; 833 return true;
834 834
835 return false; 835 return false;
836 } 836 }
837 837
838 // static 838 // static
839 const base::Feature CertVerifyProc::kSHA1LegacyMode{ 839 const base::Feature CertVerifyProc::kSHA1LegacyMode{
840 "SHA1LegacyMode", base::FEATURE_DISABLED_BY_DEFAULT}; 840 "SHA1LegacyMode", base::FEATURE_DISABLED_BY_DEFAULT};
841 841
842 } // namespace net 842 } // namespace net
OLDNEW
« no previous file with comments | « net/BUILD.gn ('k') | net/cert/cert_verify_proc_whitelist.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698