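--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -1,16 +1,17 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_verify_proc.h"
 
+#include "base/basictypes.h"
 #include "base/metrics/histogram.h"
 #include "base/sha1.h"
 #include "base/strings/stringprintf.h"
 #include "build/build_config.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_util.h"
 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_result.h"
@@ -334,20 +335,39 @@
 if (serial.size() == kComodoSerialBytes) {
 for (unsigned i = 0; i < arraysize(kComodoSerials); i++) {
 if (memcmp(kComodoSerials[i], serial.data(), kComodoSerialBytes) == 0) {
 UMA_HISTOGRAM_ENUMERATION("Net.SSLCertBlacklisted", i,
 arraysize(kComodoSerials) + 1);
 return true;
 }
 }
 }
 
+// CloudFlare revoked all certificates issued prior to April 2nd, 2014. Thus
+// all certificates where the CN ends with ".cloudflare.com" with a prior
+// issuance date are rejected.
+//
+// The old certs had a lifetime of five years, so this can be removed April
+// 2nd, 2019.
+const std::string& cn = cert->subject().common_name;
+static const char kCloudFlareCNSuffix[] = ".cloudflare.com";
+// kCloudFlareEpoch is the base::Time internal value for midnight at the
+// beginning of April 2nd, 2014, UTC.
+static const int64 kCloudFlareEpoch = INT64_C(13040870400000000);
+if (cn.size() > arraysize(kCloudFlareCNSuffix) - 1 &&
+cn.compare(cn.size() - (arraysize(kCloudFlareCNSuffix) - 1),
+arraysize(kCloudFlareCNSuffix) - 1,
+kCloudFlareCNSuffix) == 0 &&
+cert->valid_start() < base::Time::FromInternalValue(kCloudFlareEpoch)) {
+return true;
+}
+
 return false;
 }
 
 // static
 // NOTE: This implementation assumes and enforces that the hashes are SHA1.
 bool CertVerifyProc::IsPublicKeyBlacklisted(
 const HashValueVector& public_key_hashes) {
 static const unsigned kNumHashes = 14;
 static const uint8 kHashes[kNumHashes][base::kSHA1Length] = {
 // Subject: CN=DigiNotar Root CA
@@ -535,10 +555,10 @@
 return true;
 }
 }
 }
 }
 
 return false;
 }
 
 } // namespace net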
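Review bot: The suffix test on the new CloudFlare rule (the `cn.size() > ... && cn.compare(...)` condition) is byte-exact and therefore case-sensitive, while DNS names in a subject CN are case-insensitive; if any of the pre-April-2014 certificates carry mixed case in their CN (e.g. `www.CloudFlare.com`), they are not rejected by this check even though the intent stated in the comment is to reject every such certificate. A case-insensitive suffix comparison, e.g. `base::EndsWith(cn, kCloudFlareCNSuffix, false)` from base/strings/string_util.h, closes that gap and also replaces the arraysize arithmetic with a single readable call. It would help the next maintainer to note in the block comment that only the subject common name is consulted, so a certificate whose cloudflare.com names appear only in subjectAltName is not covered by this rule; the comment already says "CN", so that may be the intended scope but it is worth stating. The enclosing function starts before this hunk.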