Side by Side Diff: net/cert/cert_verify_proc.cc

Issue 267913003: net: reject all CloudFlare certificates issued prior to April 2nd. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: ... Created 6 years, 7 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/cert_verify_proc.h" 5 #include "net/cert/cert_verify_proc.h"
6 6
7 #include "base/metrics/histogram.h" 7 #include "base/metrics/histogram.h"
Ryan Sleevi 2014/05/03 00:08:59 IYWU - add base/basictypes.h to the include list.
agl 2014/05/05 18:50:19 Done.
8 #include "base/sha1.h" 8 #include "base/sha1.h"
9 #include "base/strings/stringprintf.h" 9 #include "base/strings/stringprintf.h"
10 #include "build/build_config.h" 10 #include "build/build_config.h"
11 #include "net/base/net_errors.h" 11 #include "net/base/net_errors.h"
12 #include "net/base/net_util.h" 12 #include "net/base/net_util.h"
13 #include "net/base/registry_controlled_domains/registry_controlled_domain.h" 13 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
14 #include "net/cert/cert_status_flags.h" 14 #include "net/cert/cert_status_flags.h"
15 #include "net/cert/cert_verifier.h" 15 #include "net/cert/cert_verifier.h"
16 #include "net/cert/cert_verify_result.h" 16 #include "net/cert/cert_verify_result.h"
17 #include "net/cert/crl_set.h" 17 #include "net/cert/crl_set.h"
334 if (serial.size() == kComodoSerialBytes) { 334 if (serial.size() == kComodoSerialBytes) {
335 for (unsigned i = 0; i < arraysize(kComodoSerials); i++) { 335 for (unsigned i = 0; i < arraysize(kComodoSerials); i++) {
336 if (memcmp(kComodoSerials[i], serial.data(), kComodoSerialBytes) == 0) { 336 if (memcmp(kComodoSerials[i], serial.data(), kComodoSerialBytes) == 0) {
337 UMA_HISTOGRAM_ENUMERATION("Net.SSLCertBlacklisted", i, 337 UMA_HISTOGRAM_ENUMERATION("Net.SSLCertBlacklisted", i,
338 arraysize(kComodoSerials) + 1); 338 arraysize(kComodoSerials) + 1);
339 return true; 339 return true;
340 } 340 }
341 } 341 }
342 } 342 }
343 343
344 // CloudFlare revoked all certificates issued prior to April 2nd, 2014. Thus
345 // all certificates where the CN ends with ".cloudflare.com" with a prior
346 // issuance date are rejected.
347 //
348 // The old certs had a lifetime of five years, so this can be removed April
349 // 2nd, 2019.
350 const std::string& cn = cert->subject().common_name;
351 static const char kCloudFlareCNSuffix[] = ".cloudflare.com";
352 // kCloudFlareEpoch is the base::Time internal value for midnight at the
353 // beginning of April 2nd, 2014, UTC.
354 static const int64 kCloudFlareEpoch = 13040870400000000ull;
Ryan Sleevi 2014/05/03 00:08:59 because arraysize is a constexpr, you could also "
Ryan Sleevi 2014/05/03 00:08:59 You declare the var as ULL, except it's an int64.
agl 2014/05/05 18:50:19 (Oh joy, another build config.) Thanks for that.
355 if (cn.size() > arraysize(kCloudFlareCNSuffix) - 1 &&
356 cn.compare(cn.size() - (arraysize(kCloudFlareCNSuffix) - 1),
357 arraysize(kCloudFlareCNSuffix) - 1,
358 kCloudFlareCNSuffix) == 0 &&
359 cert->valid_start() < base::Time::FromInternalValue(kCloudFlareEpoch)) {
360 return true;
361 }
362
344 return false; 363 return false;
345 } 364 }
346 365
347 // static 366 // static
348 // NOTE: This implementation assumes and enforces that the hashes are SHA1. 367 // NOTE: This implementation assumes and enforces that the hashes are SHA1.
349 bool CertVerifyProc::IsPublicKeyBlacklisted( 368 bool CertVerifyProc::IsPublicKeyBlacklisted(
350 const HashValueVector& public_key_hashes) { 369 const HashValueVector& public_key_hashes) {
351 static const unsigned kNumHashes = 14; 370 static const unsigned kNumHashes = 14;
352 static const uint8 kHashes[kNumHashes][base::kSHA1Length] = { 371 static const uint8 kHashes[kNumHashes][base::kSHA1Length] = {
353 // Subject: CN=DigiNotar Root CA 372 // Subject: CN=DigiNotar Root CA
535 return true; 554 return true;
536 } 555 }
537 } 556 }
538 } 557 }
539 } 558 }
540 559
541 return false; 560 return false;
542 } 561 }
543 562
544 } // namespace net 563 } // namespace net
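Review bot: The suffix match on new lines 355–358 is a byte-wise `std::string::compare`, so a common name such as `Foo.CloudFlare.com` is not caught even though DNS names compare case-insensitively; unless `cert->subject().common_name` is already lowercased upstream, the comparison should ignore case (e.g. a case-insensitive `base::EndsWith` from base/strings/string_util.h, which would also remove the three repeated `arraysize(kCloudFlareCNSuffix) - 1` expressions). The check also consults only the CN and not the subjectAltName entries, so a pre-April-2 certificate that carries its cloudflare.com names only in the SAN would pass; either extend the check or state the limitation in the comment on line 344, e.g. `// Only the subject CN is inspected; SAN-only names are not covered.` Unlike the Comodo branch above, which records a `Net.SSLCertBlacklisted` sample before returning, the new branch on line 360 returns true without any UMA, so hits will be invisible in telemetry — recording a sample (or a TODO comment to do so) would keep the two paths consistent. The enclosing function starts before the visible lines.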