Chromium Code Reviews| Index: net/cert/cert_verify_proc.cc |
| diff --git a/net/cert/cert_verify_proc.cc b/net/cert/cert_verify_proc.cc |
| index df7054072ab12f19c209f15190e5034049afe13e..27720bc3211ed2b3d50ba982e79407c18c35d4b7 100644 |
| --- a/net/cert/cert_verify_proc.cc |
| +++ b/net/cert/cert_verify_proc.cc |
| @@ -341,6 +341,25 @@ bool CertVerifyProc::IsBlacklisted(X509Certificate* cert) { |
| } |
| } |
| + /* CloudFlare revoked all certificates issued prior to April 2nd, 2014. Thus |
|
wtc
2014/05/02 21:21:16
We should also note when these certificates will a
agl
2014/05/02 23:17:49
Done.
|
| + * all certificates where the CN ends with ".cloudflare.com" with a prior |
| + * issuance date are rejected. */ |
| + const std::string& cn = cert->subject().common_name; |
| + const std::string kCloudFlareCNSuffix(".cloudflare.com"); |
|
Ryan Sleevi
2014/05/02 22:11:33
static const char[] kCloudFlareCNSuffix = ".cloudf
agl
2014/05/02 23:17:49
Done.
|
| + if (cn.size() > kCloudFlareCNSuffix.size() && |
| + cn.compare(cn.size() - kCloudFlareCNSuffix.size(), |
| + kCloudFlareCNSuffix.size(), |
|
Ryan Sleevi
2014/05/02 22:11:33
arraysize(kCloudFlareCNSuffix);
agl
2014/05/02 23:17:49
Done.
|
| + kCloudFlareCNSuffix) == 0) { |
| + base::Time::Exploded epoch = {0}; |
| + epoch.year = 2014; |
| + epoch.month = 4; |
| + epoch.day_of_month = 2; |
| + |
| + if (cert->valid_start() < base::Time::FromUTCExploded(epoch)) { |
|
Ryan Sleevi
2014/05/02 22:11:33
Could be more efficient using FromInternalValue()
agl
2014/05/02 23:17:49
Done.
|
| + return true; |
| + } |
|
Ryan Sleevi
2014/05/02 22:11:33
no braces (consistent with the rest of the file fo
agl
2014/05/02 23:17:49
Kept braces because now it's a single if with a mu
|
| + } |
| + |
| return false; |
| } |
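Review bot: The suffix test (`cn.compare(...) == 0` against `.cloudflare.com`) is byte-exact, so a subject CN that differs only in letter case, e.g. `WWW.CLOUDFLARE.COM`, would not be treated as blacklisted even though DNS names compare case-insensitively. Lower-casing `cn` before the comparison, or using a case-insensitive suffix helper if base provides one in this tree, would close that gap. The check also reads only `cert->subject().common_name`, so a certificate issued before the cutoff that carries its cloudflare.com names solely in subjectAltName, or whose CN is the bare `cloudflare.com` (excluded by the leading dot and the `cn.size() >` test), is not rejected here; if that is intended, the block comment should say so, e.g. `/* Only the subject CN is matched; SAN-only and apex-name certificates are not covered. */`. The body of IsBlacklisted begins above this hunk, so earlier checks may already handle some of these cases.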