Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(642)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/cert_verify_proc.cc

Issue 267913003: net: reject all CloudFlare certificates issued prior to April 2nd. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: ... Created 6 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/cert_verify_proc.h" 5 #include "net/cert/cert_verify_proc.h"
6 6
7 #include "base/basictypes.h"
7 #include "base/metrics/histogram.h" 8 #include "base/metrics/histogram.h"
8 #include "base/sha1.h" 9 #include "base/sha1.h"
9 #include "base/strings/stringprintf.h" 10 #include "base/strings/stringprintf.h"
10 #include "build/build_config.h" 11 #include "build/build_config.h"
11 #include "net/base/net_errors.h" 12 #include "net/base/net_errors.h"
12 #include "net/base/net_util.h" 13 #include "net/base/net_util.h"
13 #include "net/base/registry_controlled_domains/registry_controlled_domain.h" 14 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
14 #include "net/cert/cert_status_flags.h" 15 #include "net/cert/cert_status_flags.h"
15 #include "net/cert/cert_verifier.h" 16 #include "net/cert/cert_verifier.h"
16 #include "net/cert/cert_verify_result.h" 17 #include "net/cert/cert_verify_result.h"
(...skipping 317 matching lines...) Expand 10 before | Expand all | Expand 10 after
334 if (serial.size() == kComodoSerialBytes) { 335 if (serial.size() == kComodoSerialBytes) {
335 for (unsigned i = 0; i < arraysize(kComodoSerials); i++) { 336 for (unsigned i = 0; i < arraysize(kComodoSerials); i++) {
336 if (memcmp(kComodoSerials[i], serial.data(), kComodoSerialBytes) == 0) { 337 if (memcmp(kComodoSerials[i], serial.data(), kComodoSerialBytes) == 0) {
337 UMA_HISTOGRAM_ENUMERATION("Net.SSLCertBlacklisted", i, 338 UMA_HISTOGRAM_ENUMERATION("Net.SSLCertBlacklisted", i,
338 arraysize(kComodoSerials) + 1); 339 arraysize(kComodoSerials) + 1);
339 return true; 340 return true;
340 } 341 }
341 } 342 }
342 } 343 }
343 344
345 // CloudFlare revoked all certificates issued prior to April 2nd, 2014. Thus
346 // all certificates where the CN ends with ".cloudflare.com" with a prior
347 // issuance date are rejected.
348 //
349 // The old certs had a lifetime of five years, so this can be removed April
350 // 2nd, 2019.
351 const std::string& cn = cert->subject().common_name;
352 static const char kCloudFlareCNSuffix[] = ".cloudflare.com";
353 // kCloudFlareEpoch is the base::Time internal value for midnight at the
354 // beginning of April 2nd, 2014, UTC.
355 static const int64 kCloudFlareEpoch = INT64_C(13040870400000000);
356 if (cn.size() > arraysize(kCloudFlareCNSuffix) - 1 &&
357 cn.compare(cn.size() - (arraysize(kCloudFlareCNSuffix) - 1),
358 arraysize(kCloudFlareCNSuffix) - 1,
359 kCloudFlareCNSuffix) == 0 &&
360 cert->valid_start() < base::Time::FromInternalValue(kCloudFlareEpoch)) {
361 return true;
362 }
363
344 return false; 364 return false;
345 } 365 }
346 366
347 // static 367 // static
348 // NOTE: This implementation assumes and enforces that the hashes are SHA1. 368 // NOTE: This implementation assumes and enforces that the hashes are SHA1.
349 bool CertVerifyProc::IsPublicKeyBlacklisted( 369 bool CertVerifyProc::IsPublicKeyBlacklisted(
350 const HashValueVector& public_key_hashes) { 370 const HashValueVector& public_key_hashes) {
351 static const unsigned kNumHashes = 14; 371 static const unsigned kNumHashes = 14;
352 static const uint8 kHashes[kNumHashes][base::kSHA1Length] = { 372 static const uint8 kHashes[kNumHashes][base::kSHA1Length] = {
353 // Subject: CN=DigiNotar Root CA 373 // Subject: CN=DigiNotar Root CA
(...skipping 181 matching lines...) Expand 10 before | Expand all | Expand 10 after
535 return true; 555 return true;
536 } 556 }
537 } 557 }
538 } 558 }
539 } 559 }
540 560
541 return false; 561 return false;
542 } 562 }
543 563
544 } // namespace net 564 } // namespace net
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698