net/cert/cert_verify_proc.cc - Issue 267913003: net: reject all CloudFlare certificates issued prior to April 2nd.

Side by Side Diff: net/cert/cert_verify_proc.cc

Issue 267913003: net: reject all CloudFlare certificates issued prior to April 2nd. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Created 6 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/cert/cert_verify_proc.h"	5 #include "net/cert/cert_verify_proc.h"

6	6

7 #include "base/metrics/histogram.h"	7 #include "base/metrics/histogram.h"

8 #include "base/sha1.h"	8 #include "base/sha1.h"

9 #include "base/strings/stringprintf.h"	9 #include "base/strings/stringprintf.h"

10 #include "build/build_config.h"	10 #include "build/build_config.h"

(...skipping 323 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
334 if (serial.size() == kComodoSerialBytes) {	334 if (serial.size() == kComodoSerialBytes) {

335 for (unsigned i = 0; i < arraysize(kComodoSerials); i++) {	335 for (unsigned i = 0; i < arraysize(kComodoSerials); i++) {

336 if (memcmp(kComodoSerials[i], serial.data(), kComodoSerialBytes) == 0) {	336 if (memcmp(kComodoSerials[i], serial.data(), kComodoSerialBytes) == 0) {

337 UMA_HISTOGRAM_ENUMERATION("Net.SSLCertBlacklisted", i,	337 UMA_HISTOGRAM_ENUMERATION("Net.SSLCertBlacklisted", i,

338 arraysize(kComodoSerials) + 1);	338 arraysize(kComodoSerials) + 1);

339 return true;	339 return true;

340 }	340 }

341 }	341 }

342 }	342 }

343	343

	344 /* CloudFlare revoked all certificates issued prior to April 2nd, 2014. Thus
	wtc 2014/05/02 21:21:16 We should also note when these certificates will a We should also note when these certificates will all expire. That'll allow us to determine when we can remove this from the blacklist. agl 2014/05/02 23:17:49 Done. Show quoted text On 2014/05/02 21:21:16, wtc wrote: > > We should also note when these certificates will all expire. That'll allow us to > determine when we can remove this from the blacklist. Done.
	345 * all certificates where the CN ends with ".cloudflare.com" with a prior

	346 * issuance date are rejected. */

	347 const std::string& cn = cert->subject().common_name;

	348 const std::string kCloudFlareCNSuffix(".cloudflare.com");
	Ryan Sleevi 2014/05/02 22:11:33 static const char[] kCloudFlareCNSuffix = ".cloudf static const char[] kCloudFlareCNSuffix = ".cloudflare.com"; agl 2014/05/02 23:17:49 Done. Show quoted text On 2014/05/02 22:11:33, Ryan Sleevi wrote: > static const char[] kCloudFlareCNSuffix = ".cloudflare.com"; Done.
	349 if (cn.size() > kCloudFlareCNSuffix.size() &&

	350 cn.compare(cn.size() - kCloudFlareCNSuffix.size(),

	351 kCloudFlareCNSuffix.size(),
	Ryan Sleevi 2014/05/02 22:11:33 arraysize(kCloudFlareCNSuffix); arraysize(kCloudFlareCNSuffix); agl 2014/05/02 23:17:49 Done. Show quoted text On 2014/05/02 22:11:33, Ryan Sleevi wrote: > arraysize(kCloudFlareCNSuffix); Done.
	352 kCloudFlareCNSuffix) == 0) {

	353 base::Time::Exploded epoch = {0};

	354 epoch.year = 2014;

	355 epoch.month = 4;

	356 epoch.day_of_month = 2;

	357

	358 if (cert->valid_start() < base::Time::FromUTCExploded(epoch)) {
	Ryan Sleevi 2014/05/02 22:11:33 Could be more efficient using FromInternalValue() Could be more efficient using FromInternalValue() here, if we wanted to treat this as perf-critical. agl 2014/05/02 23:17:49 Done. Show quoted text On 2014/05/02 22:11:33, Ryan Sleevi wrote: > Could be more efficient using FromInternalValue() here, if we wanted to treat > this as perf-critical. Done.
	359 return true;

	360 }
	Ryan Sleevi 2014/05/02 22:11:33 no braces (consistent with the rest of the file fo no braces (consistent with the rest of the file for one-liners) agl 2014/05/02 23:17:49 Kept braces because now it's a single if with a mu Show quoted text On 2014/05/02 22:11:33, Ryan Sleevi wrote: > no braces (consistent with the rest of the file for one-liners) Kept braces because now it's a single if with a multi-line conditional, and omitting braces for that is a little too aggressive I feel. Don't really care either way, however.
	361 }

	362

344 return false;	363 return false;

345 }	364 }

346	365

347 // static	366 // static

348 // NOTE: This implementation assumes and enforces that the hashes are SHA1.	367 // NOTE: This implementation assumes and enforces that the hashes are SHA1.

349 bool CertVerifyProc::IsPublicKeyBlacklisted(	368 bool CertVerifyProc::IsPublicKeyBlacklisted(

350 const HashValueVector& public_key_hashes) {	369 const HashValueVector& public_key_hashes) {

351 static const unsigned kNumHashes = 14;	370 static const unsigned kNumHashes = 14;

352 static const uint8 kHashes[kNumHashes][base::kSHA1Length] = {	371 static const uint8 kHashes[kNumHashes][base::kSHA1Length] = {

353 // Subject: CN=DigiNotar Root CA	372 // Subject: CN=DigiNotar Root CA

(...skipping 181 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
535 return true;	554 return true;

536 }	555 }

537 }	556 }

538 }	557 }

539 }	558 }

540	559

541 return false;	560 return false;

542 }	561 }

543	562

544 } // namespace net	563 } // namespace net

OLD	NEW

« no previous file with comments | « no previous file | no next file » | no next file with comments »