1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
6 | 6 |
7 #include "base/metrics/histogram.h" | 7 #include "base/metrics/histogram.h" |
Ryan Sleevi
2014/05/03 00:08:59
IWYU - add base/basictypes.h to the include list.
agl
2014/05/05 18:50:19
Done.
8 #include "base/sha1.h" | 8 #include "base/sha1.h" |
9 #include "base/strings/stringprintf.h" | 9 #include "base/strings/stringprintf.h" |
10 #include "build/build_config.h" | 10 #include "build/build_config.h" |
11 #include "net/base/net_errors.h" | 11 #include "net/base/net_errors.h" |
12 #include "net/base/net_util.h" | 12 #include "net/base/net_util.h" |
13 #include "net/base/registry_controlled_domains/registry_controlled_domain.h" | 13 #include "net/base/registry_controlled_domains/registry_controlled_domain.h" |
14 #include "net/cert/cert_status_flags.h" | 14 #include "net/cert/cert_status_flags.h" |
15 #include "net/cert/cert_verifier.h" | 15 #include "net/cert/cert_verifier.h" |
16 #include "net/cert/cert_verify_result.h" | 16 #include "net/cert/cert_verify_result.h" |
17 #include "net/cert/crl_set.h" | 17 #include "net/cert/crl_set.h" |
334 if (serial.size() == kComodoSerialBytes) { | 334 if (serial.size() == kComodoSerialBytes) { |
335 for (unsigned i = 0; i < arraysize(kComodoSerials); i++) { | 335 for (unsigned i = 0; i < arraysize(kComodoSerials); i++) { |
336 if (memcmp(kComodoSerials[i], serial.data(), kComodoSerialBytes) == 0) { | 336 if (memcmp(kComodoSerials[i], serial.data(), kComodoSerialBytes) == 0) { |
337 UMA_HISTOGRAM_ENUMERATION("Net.SSLCertBlacklisted", i, | 337 UMA_HISTOGRAM_ENUMERATION("Net.SSLCertBlacklisted", i, |
338 arraysize(kComodoSerials) + 1); | 338 arraysize(kComodoSerials) + 1); |
339 return true; | 339 return true; |
340 } | 340 } |
341 } | 341 } |
342 } | 342 } |
343 | 343 |
344 // CloudFlare revoked all certificates issued prior to April 2nd, 2014. Thus | |
345 // all certificates where the CN ends with ".cloudflare.com" with a prior | |
346 // issuance date are rejected. | |
347 // | |
348 // The old certs had a lifetime of five years, so this can be removed April | |
349 // 2nd, 2019. | |
350 const std::string& cn = cert->subject().common_name; | |
351 static const char kCloudFlareCNSuffix[] = ".cloudflare.com"; | |
352 // kCloudFlareEpoch is the base::Time internal value for midnight at the | |
353 // beginning of April 2nd, 2014, UTC. | |
354 static const int64 kCloudFlareEpoch = 13040870400000000ull; | |
Ryan Sleevi
2014/05/03 00:08:59
because arraysize is a constexpr, you could also "
Ryan Sleevi
2014/05/03 00:08:59
You declare the var as ULL, except it's an int64.
agl
2014/05/05 18:50:19
(Oh joy, another build config.)
Thanks for that.
355 if (cn.size() > arraysize(kCloudFlareCNSuffix) - 1 && | |
356 cn.compare(cn.size() - (arraysize(kCloudFlareCNSuffix) - 1), | |
357 arraysize(kCloudFlareCNSuffix) - 1, | |
358 kCloudFlareCNSuffix) == 0 && | |
359 cert->valid_start() < base::Time::FromInternalValue(kCloudFlareEpoch)) { | |
360 return true; | |
361 } | |
362 | |
344 return false; | 363 return false; |
345 } | 364 } |
346 | 365 |
347 // static | 366 // static |
348 // NOTE: This implementation assumes and enforces that the hashes are SHA1. | 367 // NOTE: This implementation assumes and enforces that the hashes are SHA1. |
349 bool CertVerifyProc::IsPublicKeyBlacklisted( | 368 bool CertVerifyProc::IsPublicKeyBlacklisted( |
350 const HashValueVector& public_key_hashes) { | 369 const HashValueVector& public_key_hashes) { |
351 static const unsigned kNumHashes = 14; | 370 static const unsigned kNumHashes = 14; |
352 static const uint8 kHashes[kNumHashes][base::kSHA1Length] = { | 371 static const uint8 kHashes[kNumHashes][base::kSHA1Length] = { |
353 // Subject: CN=DigiNotar Root CA | 372 // Subject: CN=DigiNotar Root CA |
535 return true; | 554 return true; |
536 } | 555 } |
537 } | 556 } |
538 } | 557 } |
539 } | 558 } |
540 | 559 |
541 return false; | 560 return false; |
542 } | 561 } |
543 | 562 |
544 } // namespace net | 563 } // namespace net |
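Review bot: The suffix match on new lines 355–358 is a byte-wise `std::string::compare`, but DNS names carried in a subject CN are case-insensitive, so a pre-April-2014 certificate whose CN ends in `.CloudFlare.com` (any capitalisation other than lower-case) is not rejected even though the comment on lines 344–346 says all such certificates are. A case-insensitive suffix test — for example `base::EndsWith(cn, kCloudFlareCNSuffix, false)` if base/strings/string_util.h is available in this file, or lower-casing `cn` before the compare — closes that gap and replaces the three-line `compare` call with one readable line. Separately, the rule keys on the subject common name only; if the certificate object also exposes subjectAltName dNSNames, a certificate that carries a cloudflare.com name only in its SAN would pass, and that limitation is worth stating in the comment even if it is accepted. The enclosing function (IsBlacklisted) begins before the visible lines.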