Chromium Code Reviews

Issue 2719273002: Disable commonName matching for certificates (Closed)

Created:
3 years, 9 months ago by Ryan Sleevi
Modified:
3 years, 9 months ago
Reviewers:
mattm, Andrew T Wilson (Slow), davidben, emaxx, achuithb, Ilya Sherman
CC:
chromium-reviews, cbentzel+watch_chromium.org, net-reviews_chromium.org, bnc+watch_chromium.org, asvitkine+watch_chromium.org, mac-reviews_chromium.org, tnagel+watch_chromium.org
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Disable commonName matching for certificates Matching the commonName has been deprecated for nearly 20 years, as it's a fallback path for certificates that don't have a subjectAltName. Disable the matching by default, but introduce an enterprise policy that allows it to be enabled for certificates that chain to local trust anchors. This policy is similar to the SHA-1 deprecation policy, and is named EnableCommonNameFallbackForLocalAnchors. For systems without enterprise policies (meaning they aren't using SSLConfigManagerPref), the default is to keep the insecure behaviour, which is most compatible with legacy, but is not secure. BUG=308330 Review-Url: https://codereview.chromium.org/2719273002 Cr-Commit-Position: refs/heads/master@{#454752} Committed: https://chromium.googlesource.com/chromium/src/+/0f9bfb00c432d594504502728b8a1405a0ff2cf1

Patch Set 1 #

Total comments: 6

Patch Set 2 : Update tests & fix small bug with IPvsDNS sans #

Total comments: 1

Patch Set 3 : Regenerate test files #

Patch Set 4 : Rebased #

Patch Set 5 : More tests #

Patch Set 6 : More test updates #

Patch Set 7 : Fix typo #

Patch Set 8 : Update macOS Keychain #

Total comments: 11

Patch Set 9 : Feedback (reverting keychain) #

Patch Set 10 : Update keychains #

Total comments: 1

Patch Set 11 : Fix version #

Total comments: 1

Patch Set 12 : emaxx feedback #

Patch Set 13 : Update minica to spit out compliant certs #

Patch Set 14 : Style cleanup #

Total comments: 1

Patch Set 15 : More ChromeOS fixes #

Unified diffs Side-by-side diffs Stats (+2127 lines, -1893 lines)
M chrome/browser/chromeos/login/test/https_forwarder.py View 2 chunks +25 lines, -1 line 0 comments
M chrome/browser/policy/configuration_policy_handler_list_factory.cc View 1 chunk +3 lines, -0 lines 0 comments
M chrome/test/data/extensions/api_test/platform_keys/ca.cnf View 2 chunks +2 lines, -1 line 0 comments
M chrome/test/data/extensions/api_test/platform_keys/l1_interm.der View 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Binary file 0 comments
M chrome/test/data/extensions/api_test/platform_keys/l1_leaf.der View 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Binary file 0 comments
M chrome/test/data/extensions/api_test/platform_keys/l2_leaf.der View 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Binary file 0 comments
M chrome/test/data/extensions/api_test/platform_keys/root.pem View 1 2 3 4 5 6 7 8 9 10 11 12 13 14 1 chunk +17 lines, -17 lines 0 comments
M chrome/test/data/policy/policy_test_cases.json View 1 chunk +10 lines, -0 lines 0 comments
M components/policy/resources/policy_templates.json View 1 2 3 4 5 6 7 8 9 10 11 2 chunks +20 lines, -1 line 0 comments
M components/ssl_config/ssl_config_prefs.h View 1 chunk +1 line, -0 lines 0 comments
M components/ssl_config/ssl_config_prefs.cc View 1 chunk +2 lines, -0 lines 0 comments
M components/ssl_config/ssl_config_service_manager_pref.cc View 4 chunks +8 lines, -0 lines 0 comments
M net/cert/cert_verifier.h View 1 chunk +5 lines, -0 lines 0 comments
M net/cert/cert_verify_proc.cc View 1 2 3 1 chunk +4 lines, -9 lines 0 comments
M net/cert/cert_verify_proc_android.cc View 1 2 3 1 chunk +1 line, -0 lines 0 comments
M net/cert/cert_verify_proc_ios.cc View 1 2 3 1 chunk +3 lines, -0 lines 0 comments
M net/cert/cert_verify_proc_mac.cc View 1 2 3 4 5 6 7 8 1 chunk +2 lines, -2 lines 0 comments
M net/cert/cert_verify_proc_openssl.cc View 1 2 3 1 chunk +1 line, -0 lines 0 comments
M net/cert/cert_verify_proc_unittest.cc View 1 2 3 4 5 6 7 8 1 chunk +67 lines, -0 lines 0 comments
M net/cert/internal/path_builder_unittest.cc View 1 2 3 4 5 1 chunk +1 line, -1 line 0 comments
M net/cert/x509_certificate.h View 1 2 3 4 5 6 7 8 2 chunks +8 lines, -8 lines 0 comments
M net/cert/x509_certificate.cc View 1 2 4 chunks +13 lines, -9 lines 0 comments
M net/cert/x509_certificate_unittest.cc View 1 2 5 chunks +20 lines, -12 lines 0 comments
M net/data/cert_issuer_source_aia_unittest/generate-certs.py View 1 2 3 4 5 1 chunk +9 lines, -0 lines 0 comments
M net/data/cert_issuer_source_aia_unittest/i.pem View 1 2 3 4 5 2 chunks +50 lines, -50 lines 0 comments
M net/data/cert_issuer_source_aia_unittest/i2.pem View 1 2 3 4 5 2 chunks +50 lines, -50 lines 0 comments
M net/data/cert_issuer_source_aia_unittest/i3.pem View 1 2 3 4 5 2 chunks +50 lines, -50 lines 0 comments
M net/data/cert_issuer_source_aia_unittest/root.pem View 1 2 3 4 5 2 chunks +50 lines, -50 lines 0 comments
M net/data/cert_issuer_source_aia_unittest/target_file_aia.pem View 1 2 3 4 5 2 chunks +53 lines, -51 lines 0 comments
M net/data/cert_issuer_source_aia_unittest/target_file_and_http_aia.pem View 1 2 3 4 5 2 chunks +56 lines, -53 lines 0 comments
M net/data/cert_issuer_source_aia_unittest/target_invalid_and_http_aia.pem View 1 2 3 4 5 2 chunks +53 lines, -50 lines 0 comments
M net/data/cert_issuer_source_aia_unittest/target_invalid_url_aia.pem View 1 2 3 4 5 2 chunks +53 lines, -50 lines 0 comments
M net/data/cert_issuer_source_aia_unittest/target_no_aia.pem View 1 2 3 4 5 2 chunks +53 lines, -51 lines 0 comments
M net/data/cert_issuer_source_aia_unittest/target_one_aia.pem View 1 2 3 4 5 2 chunks +53 lines, -51 lines 0 comments
M net/data/cert_issuer_source_aia_unittest/target_six_aia.pem View 1 2 3 4 5 2 chunks +53 lines, -51 lines 0 comments
M net/data/cert_issuer_source_aia_unittest/target_three_aia.pem View 1 2 3 4 5 2 chunks +53 lines, -51 lines 0 comments
M net/data/cert_issuer_source_aia_unittest/target_two_aia.pem View 1 2 3 4 5 2 chunks +56 lines, -54 lines 0 comments
M net/data/ssl/certificates/aia-cert.pem View 1 2 2 chunks +55 lines, -52 lines 0 comments
M net/data/ssl/certificates/aia-intermediate.der View 1 2 Binary file 0 comments
M net/data/ssl/certificates/aia-root.pem View 1 2 3 4 5 6 7 8 1 chunk +54 lines, -54 lines 0 comments
M net/data/ssl/certificates/explicit-policy-chain.pem View 1 2 3 4 5 6 7 8 4 chunks +156 lines, -154 lines 0 comments
M net/data/ssl/certificates/multi-root.keychain View 1 2 3 4 5 6 7 8 9 Binary file 0 comments
M net/data/ssl/certificates/multi-root-A-by-B.pem View 1 2 2 chunks +81 lines, -79 lines 0 comments
M net/data/ssl/certificates/multi-root-B-by-C.pem View 1 2 1 chunk +47 lines, -47 lines 0 comments
M net/data/ssl/certificates/multi-root-B-by-F.pem View 1 2 1 chunk +47 lines, -47 lines 0 comments
M net/data/ssl/certificates/multi-root-BFE.keychain View 1 2 3 4 5 6 7 8 9 Binary file 0 comments
M net/data/ssl/certificates/multi-root-C-by-D.pem View 1 2 1 chunk +47 lines, -47 lines 0 comments
M net/data/ssl/certificates/multi-root-C-by-E.pem View 1 2 1 chunk +47 lines, -47 lines 0 comments
M net/data/ssl/certificates/multi-root-D-by-D.pem View 1 2 1 chunk +48 lines, -48 lines 0 comments
M net/data/ssl/certificates/multi-root-E-by-E.pem View 1 2 1 chunk +48 lines, -48 lines 0 comments
M net/data/ssl/certificates/multi-root-F-by-E.pem View 1 2 1 chunk +47 lines, -47 lines 0 comments
M net/data/ssl/certificates/multi-root-chain1.pem View 1 2 4 chunks +198 lines, -196 lines 0 comments
M net/data/ssl/certificates/multi-root-chain2.pem View 1 2 4 chunks +198 lines, -196 lines 0 comments
M net/data/ssl/certificates/multi-root-crlset-C.raw View 1 2 Binary file 0 comments
M net/data/ssl/certificates/multi-root-crlset-CD-and-FE.raw View 1 2 Binary file 0 comments
M net/data/ssl/certificates/multi-root-crlset-D-and-E.raw View 1 2 Binary file 0 comments
M net/data/ssl/certificates/multi-root-crlset-E.raw View 1 2 Binary file 0 comments
M net/data/ssl/certificates/multi-root-crlset-unrelated.raw View 1 2 Binary file 0 comments
M net/data/ssl/certificates/reject_intranet_hosts.pem View 1 2 3 4 5 1 chunk +55 lines, -52 lines 0 comments
M net/data/ssl/scripts/aia-test.cnf View 1 2 2 chunks +2 lines, -0 lines 0 comments
M net/data/ssl/scripts/ee.cnf View 1 2 3 4 5 1 chunk +3 lines, -0 lines 0 comments
M net/data/ssl/scripts/generate-aia-certs.sh View 1 2 1 chunk +1 line, -0 lines 0 comments
M net/data/ssl/scripts/generate-policy-certs.sh View 1 2 1 chunk +1 line, -0 lines 0 comments
M net/data/ssl/scripts/generate-test-certs.sh View 1 2 3 4 5 1 chunk +1 line, -1 line 0 comments
M net/data/ssl/scripts/policy.cnf View 1 2 2 chunks +2 lines, -0 lines 0 comments
M net/data/ssl/scripts/redundant-ca.cnf View 1 2 1 chunk +1 line, -0 lines 0 comments
M net/quic/chromium/quic_network_transaction_unittest.cc View 5 chunks +14 lines, -19 lines 0 comments
M net/quic/chromium/quic_stream_factory_test.cc View 5 chunks +13 lines, -17 lines 0 comments
M net/quic/test_tools/mock_crypto_client_stream.cc View 1 chunk +1 line, -2 lines 0 comments
M net/spdy/spdy_session.cc View 1 chunk +1 line, -2 lines 0 comments
M net/ssl/ssl_config.h View 1 chunk +6 lines, -0 lines 0 comments
M net/ssl/ssl_config.cc View 2 chunks +3 lines, -0 lines 0 comments
M net/ssl/ssl_config_service.cc View 1 2 3 4 5 6 7 8 1 chunk +13 lines, -11 lines 0 comments
M net/ssl/ssl_config_service_unittest.cc View 1 2 3 4 5 6 2 chunks +5 lines, -0 lines 0 comments
M net/tools/testserver/minica.py View 1 2 3 4 5 6 7 8 9 10 11 12 13 14 4 chunks +25 lines, -3 lines 0 comments
M tools/metrics/histograms/histograms.xml View 1 2 3 2 chunks +2 lines, -1 line 0 comments

Messages

Total messages: 67 (46 generated)
Ryan Sleevi
Drew: As discussed over e-mail, this introduces the enterprise policy with a 1 year sunset ...
3 years, 9 months ago (2017-02-28 02:16:58 UTC) #2
Ilya Sherman
histograms.xml lgtm
3 years, 9 months ago (2017-02-28 02:52:14 UTC) #3
Ilya Sherman
On 2017/02/28 02:16:58, Ryan Sleevi (overloaded) wrote: > Ilya: histograms.xml review for the updated policy. ...
3 years, 9 months ago (2017-02-28 02:52:57 UTC) #4
mattm
https://codereview.chromium.org/2719273002/diff/1/net/cert/x509_certificate.cc File net/cert/x509_certificate.cc (right): https://codereview.chromium.org/2719273002/diff/1/net/cert/x509_certificate.cc#newcode525 net/cert/x509_certificate.cc:525: if (allow_common_name_fallback && cert_san_ip_addrs.empty() && These cases are a ...
3 years, 9 months ago (2017-02-28 18:50:48 UTC) #9
Ryan Sleevi
Matt: Thanks for the attention to detail. I've rebased this on the CLs I split ...
3 years, 9 months ago (2017-03-01 02:20:03 UTC) #13
Andrew T Wilson (Slow)
+emaxx since I'm OOO this week
3 years, 9 months ago (2017-03-01 16:54:05 UTC) #25
mattm
https://codereview.chromium.org/2719273002/diff/140001/net/cert/cert_verify_proc_mac.cc File net/cert/cert_verify_proc_mac.cc (right): https://codereview.chromium.org/2719273002/diff/140001/net/cert/cert_verify_proc_mac.cc#newcode1002 net/cert/cert_verify_proc_mac.cc:1002: verify_result->cert_status &= ~CERT_STATUS_COMMON_NAME_INVALID; Is moving this down significant? (Not ...
3 years, 9 months ago (2017-03-01 23:56:48 UTC) #26
Ryan Sleevi
https://codereview.chromium.org/2719273002/diff/140001/net/cert/cert_verify_proc_unittest.cc File net/cert/cert_verify_proc_unittest.cc (right): https://codereview.chromium.org/2719273002/diff/140001/net/cert/cert_verify_proc_unittest.cc#newcode1804 net/cert/cert_verify_proc_unittest.cc:1804: // Tests that commonName-fallback is handled correctly: On 2017/03/01 ...
3 years, 9 months ago (2017-03-02 00:15:31 UTC) #27
Ryan Sleevi
https://codereview.chromium.org/2719273002/diff/140001/net/cert/cert_verify_proc_mac.cc File net/cert/cert_verify_proc_mac.cc (right): https://codereview.chromium.org/2719273002/diff/140001/net/cert/cert_verify_proc_mac.cc#newcode1002 net/cert/cert_verify_proc_mac.cc:1002: verify_result->cert_status &= ~CERT_STATUS_COMMON_NAME_INVALID; On 2017/03/01 23:56:47, mattm wrote: > ...
3 years, 9 months ago (2017-03-02 00:18:55 UTC) #28
mattm
https://codereview.chromium.org/2719273002/diff/180001/components/policy/resources/policy_templates.json File components/policy/resources/policy_templates.json (right): https://codereview.chromium.org/2719273002/diff/180001/components/policy/resources/policy_templates.json#newcode4856 components/policy/resources/policy_templates.json:4856: 'supported_on': ['chrome.*:58-65', 'chrome_os:58-65', 'android:54-65'], should android be 58-65 also?
3 years, 9 months ago (2017-03-02 01:56:47 UTC) #31
mattm
lgtm, I'll leave that up to you
3 years, 9 months ago (2017-03-02 03:49:47 UTC) #34
emaxx
LGTM with a nit https://codereview.chromium.org/2719273002/diff/200001/components/policy/resources/policy_templates.json File components/policy/resources/policy_templates.json (right): https://codereview.chromium.org/2719273002/diff/200001/components/policy/resources/policy_templates.json#newcode4869 components/policy/resources/policy_templates.json:4869: If this policy is not ...
3 years, 9 months ago (2017-03-02 14:43:01 UTC) #39
davidben
components/ssl_config lgtm
3 years, 9 months ago (2017-03-03 02:24:29 UTC) #41
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2719273002/220001
3 years, 9 months ago (2017-03-03 02:28:23 UTC) #44
commit-bot: I haz the power
Try jobs failed on following builders: linux_chromium_chromeos_ozone_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_chromeos_ozone_rel_ng/builds/333217)
3 years, 9 months ago (2017-03-03 03:59:06 UTC) #46
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2719273002/220001
3 years, 9 months ago (2017-03-03 04:00:21 UTC) #48
Ryan Sleevi
achuith: Can you approve the chrome/browser/chromeos/login change related to the unit tests david: Can you ...
3 years, 9 months ago (2017-03-03 04:49:44 UTC) #53
davidben
minica lgtm https://codereview.chromium.org/2719273002/diff/260001/net/tools/testserver/minica.py File net/tools/testserver/minica.py (right): https://codereview.chromium.org/2719273002/diff/260001/net/tools/testserver/minica.py#newcode255 net/tools/testserver/minica.py:255: asn1.Raw(asn1.TagAndLength(0x87, len(ip_addr)) + ip_addr)) Nit: The indent ...
3 years, 9 months ago (2017-03-03 06:14:57 UTC) #54
achuithb
On 2017/03/03 04:49:44, Ryan Sleevi (OOO until 3-7) wrote: > achuith: Can you approve the ...
3 years, 9 months ago (2017-03-03 11:04:51 UTC) #61
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2719273002/280001
3 years, 9 months ago (2017-03-04 02:56:38 UTC) #64
commit-bot: I haz the power
3 years, 9 months ago (2017-03-04 03:08:09 UTC) #67
Message was sent while issue was closed. 
Committed patchset #15 (id:280001) as
https://chromium.googlesource.com/chromium/src/+/0f9bfb00c432d594504502728b8a...

Powered by Google App Engine