Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(920)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/cert_verify_proc.cc

Issue 2735733003: Disable commonName matching for certificates (Closed)
Patch Set: Created 3 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/cert/cert_verifier.h ('k') | net/cert/cert_verify_proc_android.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/cert_verify_proc.h" 5 #include "net/cert/cert_verify_proc.h"
6 6
7 #include <stdint.h> 7 #include <stdint.h>
8 8
9 #include <algorithm> 9 #include <algorithm>
10 10
(...skipping 467 matching lines...) Expand 10 before | Expand all | Expand 10 after
478 // TODO(rsleevi): http://crbug.com/142974 - Allow preferences to fully 478 // TODO(rsleevi): http://crbug.com/142974 - Allow preferences to fully
479 // disable revocation checking. 479 // disable revocation checking.
480 if (flags & CertVerifier::VERIFY_EV_CERT) 480 if (flags & CertVerifier::VERIFY_EV_CERT)
481 flags |= CertVerifier::VERIFY_REV_CHECKING_ENABLED_EV_ONLY; 481 flags |= CertVerifier::VERIFY_REV_CHECKING_ENABLED_EV_ONLY;
482 482
483 int rv = VerifyInternal(cert, hostname, ocsp_response, flags, crl_set, 483 int rv = VerifyInternal(cert, hostname, ocsp_response, flags, crl_set,
484 additional_trust_anchors, verify_result); 484 additional_trust_anchors, verify_result);
485 485
486 ComputeSignatureHashAlgorithms(verify_result); 486 ComputeSignatureHashAlgorithms(verify_result);
487 487
488 if (!cert->VerifyNameMatch(hostname, 488 bool allow_common_name_fallback =
489 &verify_result->common_name_fallback_used)) { 489 !verify_result->is_issued_by_known_root &&
490 (flags & CertVerifier::VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS);
491 if (!cert->VerifyNameMatch(hostname, allow_common_name_fallback)) {
490 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; 492 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
491 rv = MapCertStatusToNetError(verify_result->cert_status); 493 rv = MapCertStatusToNetError(verify_result->cert_status);
492 } 494 }
493 495
494 UMA_HISTOGRAM_BOOLEAN("Net.CertCommonNameFallback",
495 verify_result->common_name_fallback_used);
496 if (!verify_result->is_issued_by_known_root) {
497 UMA_HISTOGRAM_BOOLEAN("Net.CertCommonNameFallbackPrivateCA",
498 verify_result->common_name_fallback_used);
499 }
500
501 CheckOCSP(ocsp_response, *verify_result->verified_cert, 496 CheckOCSP(ocsp_response, *verify_result->verified_cert,
502 &verify_result->ocsp_result); 497 &verify_result->ocsp_result);
503 498
504 // This check is done after VerifyInternal so that VerifyInternal can fill 499 // This check is done after VerifyInternal so that VerifyInternal can fill
505 // in the list of public key hashes. 500 // in the list of public key hashes.
506 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { 501 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) {
507 verify_result->cert_status |= CERT_STATUS_REVOKED; 502 verify_result->cert_status |= CERT_STATUS_REVOKED;
508 rv = MapCertStatusToNetError(verify_result->cert_status); 503 rv = MapCertStatusToNetError(verify_result->cert_status);
509 } 504 }
510 505
(...skipping 328 matching lines...) Expand 10 before | Expand all | Expand 10 after
839 return true; 834 return true;
840 835
841 return false; 836 return false;
842 } 837 }
843 838
844 // static 839 // static
845 const base::Feature CertVerifyProc::kSHA1LegacyMode{ 840 const base::Feature CertVerifyProc::kSHA1LegacyMode{
846 "SHA1LegacyMode", base::FEATURE_DISABLED_BY_DEFAULT}; 841 "SHA1LegacyMode", base::FEATURE_DISABLED_BY_DEFAULT};
847 842
848 } // namespace net 843 } // namespace net
OLDNEW
« no previous file with comments | « net/cert/cert_verifier.h ('k') | net/cert/cert_verify_proc_android.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698