Index: net/cert/cert_verify_proc.cc |
diff --git a/net/cert/cert_verify_proc.cc b/net/cert/cert_verify_proc.cc |
index df7054072ab12f19c209f15190e5034049afe13e..27720bc3211ed2b3d50ba982e79407c18c35d4b7 100644 |
--- a/net/cert/cert_verify_proc.cc |
+++ b/net/cert/cert_verify_proc.cc |
@@ -341,6 +341,25 @@ bool CertVerifyProc::IsBlacklisted(X509Certificate* cert) { |
} |
} |
+ /* CloudFlare revoked all certificates issued prior to April 2nd, 2014. Thus |
wtc
2014/05/02 21:21:16
We should also note when these certificates will a
agl
2014/05/02 23:17:49
Done.
|
+ * all certificates where the CN ends with ".cloudflare.com" with a prior |
+ * issuance date are rejected. */ |
+ const std::string& cn = cert->subject().common_name; |
+ const std::string kCloudFlareCNSuffix(".cloudflare.com"); |
Ryan Sleevi
2014/05/02 22:11:33
static const char[] kCloudFlareCNSuffix = ".cloudf
agl
2014/05/02 23:17:49
Done.
|
+ if (cn.size() > kCloudFlareCNSuffix.size() && |
+ cn.compare(cn.size() - kCloudFlareCNSuffix.size(), |
+ kCloudFlareCNSuffix.size(), |
Ryan Sleevi
2014/05/02 22:11:33
arraysize(kCloudFlareCNSuffix);
agl
2014/05/02 23:17:49
Done.
|
+ kCloudFlareCNSuffix) == 0) { |
+ base::Time::Exploded epoch = {0}; |
+ epoch.year = 2014; |
+ epoch.month = 4; |
+ epoch.day_of_month = 2; |
+ |
+ if (cert->valid_start() < base::Time::FromUTCExploded(epoch)) { |
Ryan Sleevi
2014/05/02 22:11:33
Could be more efficient using FromInternalValue()
agl
2014/05/02 23:17:49
Done.
|
+ return true; |
+ } |
Ryan Sleevi
2014/05/02 22:11:33
no braces (consistent with the rest of the file fo
agl
2014/05/02 23:17:49
Kept braces because now it's a single if with a mu
|
+ } |
+ |
return false; |
} |
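Review bot: The suffix test built around `cn.compare(...)` is a byte-wise, case-sensitive match on the subject common name only, so a pre-cutoff certificate whose CN uses different letter case, or which carries its CloudFlare host names only in subjectAltName, is not rejected by this block. DNS names are case-insensitive, so a case-insensitive comparison fits better, for example `if (EndsWith(cn, kCloudFlareCNSuffix, false /* case_sensitive */)) {`, and the same test could be applied to each name returned by `cert->GetDNSNames(...)`. Whether the revoked certificates all use a lowercase CN with this suffix is not visible from the hunk, so this may be a coverage gap rather than a live miss. A unit test with one certificate on each side of the 2014-04-02 boundary would pin the `valid_start()` comparison. IsBlacklisted's body begins above the hunk.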