Index: net/cert/cert_verify_proc.cc |
diff --git a/net/cert/cert_verify_proc.cc b/net/cert/cert_verify_proc.cc |
index df7054072ab12f19c209f15190e5034049afe13e..2c96a6a817644783f0365155feed5a84bda01c07 100644 |
--- a/net/cert/cert_verify_proc.cc |
+++ b/net/cert/cert_verify_proc.cc |
@@ -341,6 +341,25 @@ bool CertVerifyProc::IsBlacklisted(X509Certificate* cert) { |
} |
} |
+ // CloudFlare revoked all certificates issued prior to April 2nd, 2014. Thus |
+ // all certificates where the CN ends with ".cloudflare.com" with a prior |
+ // issuance date are rejected. |
+ // |
+ // The old certs had a lifetime of five years, so this can be removed April |
+ // 2nd, 2019. |
+ const std::string& cn = cert->subject().common_name; |
+ static const char kCloudFlareCNSuffix[] = ".cloudflare.com"; |
+ // kCloudFlareEpoch is the base::Time internal value for midnight at the |
+ // beginning of April 2nd, 2014, UTC. |
+ static const int64 kCloudFlareEpoch = 13040870400000000ull; |
Ryan Sleevi
2014/05/03 00:08:59
because arraysize is a constexpr, you could also "
Ryan Sleevi
2014/05/03 00:08:59
You declare the var as ULL, except it's an int64.
agl
2014/05/05 18:50:19
(Oh joy, another build config.)
Thanks for that.
+ if (cn.size() > arraysize(kCloudFlareCNSuffix) - 1 && |
+ cn.compare(cn.size() - (arraysize(kCloudFlareCNSuffix) - 1), |
+ arraysize(kCloudFlareCNSuffix) - 1, |
+ kCloudFlareCNSuffix) == 0 && |
+ cert->valid_start() < base::Time::FromInternalValue(kCloudFlareEpoch)) { |
+ return true; |
+ } |
+ |
return false; |
} |
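Review bot: The suffix match at the `cn.compare(...)` call is byte-wise case-sensitive, while the CN values it is meant to catch are DNS host names, which are case-insensitive; a pre-epoch certificate whose CN was issued as, say, `ssl.CloudFlare.com` would not be rejected by this blacklist entry. If any of the revoked certificates carry mixed-case CNs (I cannot tell from here), lower-casing `cn` before the comparison, or using whichever case-insensitive suffix helper `base/` provides, would close that gap; if they are all lower-case the current form is sufficient but a short comment saying the match is deliberately case-sensitive would stop the next reader from re-raising it. Separately, `arraysize(kCloudFlareCNSuffix) - 1` appears three times in one condition; hoisting it as `const size_t suffix_len = arraysize(kCloudFlareCNSuffix) - 1;` and writing `cn.size() > suffix_len && cn.compare(cn.size() - suffix_len, suffix_len, kCloudFlareCNSuffix) == 0` makes the intent obvious. Note also that the check consults only the subject CN, so a certificate naming its CloudFlare host solely in a subjectAltName would not be covered; the enclosing `IsBlacklisted` begins above this hunk.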