Chromium Code Reviews Chromium Code Reviews
Issue 2719273002:
Disable commonName matching for certificates (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
| 6 | 6 |
| 7 #include <stdint.h> | 7 #include <stdint.h> |
| 8 | 8 |
| 9 #include <algorithm> | 9 #include <algorithm> |
| 10 | 10 |
| (...skipping 467 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 478 // TODO(rsleevi): http://crbug.com/142974 - Allow preferences to fully | 478 // TODO(rsleevi): http://crbug.com/142974 - Allow preferences to fully |
| 479 // disable revocation checking. | 479 // disable revocation checking. |
| 480 if (flags & CertVerifier::VERIFY_EV_CERT) | 480 if (flags & CertVerifier::VERIFY_EV_CERT) |
| 481 flags |= CertVerifier::VERIFY_REV_CHECKING_ENABLED_EV_ONLY; | 481 flags |= CertVerifier::VERIFY_REV_CHECKING_ENABLED_EV_ONLY; |
| 482 | 482 |
| 483 int rv = VerifyInternal(cert, hostname, ocsp_response, flags, crl_set, | 483 int rv = VerifyInternal(cert, hostname, ocsp_response, flags, crl_set, |
| 484 additional_trust_anchors, verify_result); | 484 additional_trust_anchors, verify_result); |
| 485 | 485 |
| 486 ComputeSignatureHashAlgorithms(verify_result); | 486 ComputeSignatureHashAlgorithms(verify_result); |
| 487 | 487 |
| 488 UMA_HISTOGRAM_BOOLEAN("Net.CertCommonNameFallback", | 488 bool allow_common_name_fallback = |
| 489 verify_result->common_name_fallback_used); | 489 !verify_result->is_issued_by_known_root && |
| 490 if (!verify_result->is_issued_by_known_root) { | 490 (flags & CertVerifier::VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS); |
| 491 UMA_HISTOGRAM_BOOLEAN("Net.CertCommonNameFallbackPrivateCA", | 491 if (!cert->VerifyNameMatch(hostname, allow_common_name_fallback)) { |
| 492 verify_result->common_name_fallback_used); | 492 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; |
| 493 } | 493 } |
|
Ryan Sleevi
2017/02/28 02:16:58
Similarly, I'll be updating tests in CertVerifyPro
| |
| 494 | 494 |
| 495 CheckOCSP(ocsp_response, *verify_result->verified_cert, | 495 CheckOCSP(ocsp_response, *verify_result->verified_cert, |
| 496 &verify_result->ocsp_result); | 496 &verify_result->ocsp_result); |
| 497 | 497 |
| 498 // This check is done after VerifyInternal so that VerifyInternal can fill | 498 // This check is done after VerifyInternal so that VerifyInternal can fill |
| 499 // in the list of public key hashes. | 499 // in the list of public key hashes. |
| 500 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { | 500 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { |
| 501 verify_result->cert_status |= CERT_STATUS_REVOKED; | 501 verify_result->cert_status |= CERT_STATUS_REVOKED; |
| 502 rv = MapCertStatusToNetError(verify_result->cert_status); | 502 rv = MapCertStatusToNetError(verify_result->cert_status); |
| 503 } | 503 } |
| (...skipping 329 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 833 return true; | 833 return true; |
| 834 | 834 |
| 835 return false; | 835 return false; |
| 836 } | 836 } |
| 837 | 837 |
| 838 // static | 838 // static |
| 839 const base::Feature CertVerifyProc::kSHA1LegacyMode{ | 839 const base::Feature CertVerifyProc::kSHA1LegacyMode{ |
| 840 "SHA1LegacyMode", base::FEATURE_DISABLED_BY_DEFAULT}; | 840 "SHA1LegacyMode", base::FEATURE_DISABLED_BY_DEFAULT}; |
| 841 | 841 |
| 842 } // namespace net | 842 } // namespace net |
| OLD | NEW |
