net: reject all CloudFlare certificates issued prior to April 2nd.

net/cert/cert_verify_proc.cc

Index: net/cert/cert_verify_proc.cc
diff --git a/net/cert/cert_verify_proc.cc b/net/cert/cert_verify_proc.cc
index df7054072ab12f19c209f15190e5034049afe13e..2c96a6a817644783f0365155feed5a84bda01c07 100644
--- a/net/cert/cert_verify_proc.cc
+++ b/net/cert/cert_verify_proc.cc
@@ -341,6 +341,25 @@ bool CertVerifyProc::IsBlacklisted(X509Certificate* cert) {
     }
   }
 
+  // CloudFlare revoked all certificates issued prior to April 2nd, 2014. Thus
+  // all certificates where the CN ends with ".cloudflare.com" with a prior
+  // issuance date are rejected.
+  //
+  // The old certs had a lifetime of five years, so this can be removed April
+  // 2nd, 2019.
+  const std::string& cn = cert->subject().common_name;
+  static const char kCloudFlareCNSuffix[] = ".cloudflare.com";
+  // kCloudFlareEpoch is the base::Time internal value for midnight at the
+  // beginning of April 2nd, 2014, UTC.
+  static const int64 kCloudFlareEpoch = 13040870400000000ull;

[Ryan Sleevi, 2014/05/03 00:08:59]

because arraysize is a constexpr, you could also "static const size_t
kCloudFlareCnSuffixLen = arraysize(kCloudFlareCNSuffix) -1", if you wanted (to
reduce the duplication of the three lines)

[Ryan Sleevi, 2014/05/03 00:08:59]

You declare the var as ULL, except it's an int64. 

However, this is still wrong - use INT64_C(value), which will ensure L/LL as
appropriate for LP64/LLP64

[agl, 2014/05/05 18:50:19]

(Oh joy, another build config.)

Thanks for that.

+  if (cn.size() > arraysize(kCloudFlareCNSuffix) - 1 &&
+      cn.compare(cn.size() - (arraysize(kCloudFlareCNSuffix) - 1),
+                 arraysize(kCloudFlareCNSuffix) - 1,
+                 kCloudFlareCNSuffix) == 0 &&
+      cert->valid_start() < base::Time::FromInternalValue(kCloudFlareEpoch)) {
+    return true;
+  }
+
   return false;
 }