Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(677)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/cert_verify_proc.cc

Issue 2927383002: Remove the StartCom/WoSign whitelist (Closed)
Patch Set: Remove EV and unneeded test files Created 3 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/BUILD.gn ('k') | net/cert/cert_verify_proc_blacklist.inc » ('j') | net/cert/cert_verify_proc_blacklist.inc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/cert_verify_proc.h" 5 #include "net/cert/cert_verify_proc.h"
6 6
7 #include <stdint.h> 7 #include <stdint.h>
8 8
9 #include <algorithm> 9 #include <algorithm>
10 10
11 #include "base/metrics/histogram.h" 11 #include "base/metrics/histogram.h"
12 #include "base/metrics/histogram_macros.h" 12 #include "base/metrics/histogram_macros.h"
13 #include "base/sha1.h" 13 #include "base/sha1.h"
14 #include "base/strings/string_util.h" 14 #include "base/strings/string_util.h"
15 #include "base/strings/stringprintf.h" 15 #include "base/strings/stringprintf.h"
16 #include "base/time/time.h" 16 #include "base/time/time.h"
17 #include "build/build_config.h" 17 #include "build/build_config.h"
18 #include "net/base/net_errors.h" 18 #include "net/base/net_errors.h"
19 #include "net/base/registry_controlled_domains/registry_controlled_domain.h" 19 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
20 #include "net/base/url_util.h" 20 #include "net/base/url_util.h"
21 #include "net/cert/asn1_util.h" 21 #include "net/cert/asn1_util.h"
22 #include "net/cert/cert_status_flags.h" 22 #include "net/cert/cert_status_flags.h"
23 #include "net/cert/cert_verifier.h" 23 #include "net/cert/cert_verifier.h"
24 #include "net/cert/cert_verify_proc_whitelist.h"
25 #include "net/cert/cert_verify_result.h" 24 #include "net/cert/cert_verify_result.h"
26 #include "net/cert/crl_set.h" 25 #include "net/cert/crl_set.h"
27 #include "net/cert/internal/parse_ocsp.h" 26 #include "net/cert/internal/parse_ocsp.h"
28 #include "net/cert/internal/signature_algorithm.h" 27 #include "net/cert/internal/signature_algorithm.h"
29 #include "net/cert/ocsp_revocation_status.h" 28 #include "net/cert/ocsp_revocation_status.h"
30 #include "net/cert/x509_certificate.h" 29 #include "net/cert/x509_certificate.h"
31 #include "net/der/encode_values.h" 30 #include "net/der/encode_values.h"
32 #include "url/url_canon.h" 31 #include "url/url_canon.h"
33 32
34 #if defined(USE_NSS_CERTS) 33 #if defined(USE_NSS_CERTS)
(...skipping 540 matching lines...) Expand 10 before | Expand all | Expand 10 after
575 std::vector<std::string> dns_names, ip_addrs; 574 std::vector<std::string> dns_names, ip_addrs;
576 cert->GetSubjectAltName(&dns_names, &ip_addrs); 575 cert->GetSubjectAltName(&dns_names, &ip_addrs);
577 if (HasNameConstraintsViolation(verify_result->public_key_hashes, 576 if (HasNameConstraintsViolation(verify_result->public_key_hashes,
578 cert->subject().common_name, 577 cert->subject().common_name,
579 dns_names, 578 dns_names,
580 ip_addrs)) { 579 ip_addrs)) {
581 verify_result->cert_status |= CERT_STATUS_NAME_CONSTRAINT_VIOLATION; 580 verify_result->cert_status |= CERT_STATUS_NAME_CONSTRAINT_VIOLATION;
582 rv = MapCertStatusToNetError(verify_result->cert_status); 581 rv = MapCertStatusToNetError(verify_result->cert_status);
583 } 582 }
584 583
585 if (IsNonWhitelistedCertificate(*verify_result->verified_cert,
586 verify_result->public_key_hashes, hostname)) {
587 verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
588 rv = MapCertStatusToNetError(verify_result->cert_status);
589 }
590
591 // Check for weak keys in the entire verified chain. 584 // Check for weak keys in the entire verified chain.
592 bool weak_key = ExaminePublicKeys(verify_result->verified_cert, 585 bool weak_key = ExaminePublicKeys(verify_result->verified_cert,
593 verify_result->is_issued_by_known_root); 586 verify_result->is_issued_by_known_root);
594 587
595 if (weak_key) { 588 if (weak_key) {
596 verify_result->cert_status |= CERT_STATUS_WEAK_KEY; 589 verify_result->cert_status |= CERT_STATUS_WEAK_KEY;
597 // Avoid replacing a more serious error, such as an OS/library failure, 590 // Avoid replacing a more serious error, such as an OS/library failure,
598 // by ensuring that if verification failed, it failed with a certificate 591 // by ensuring that if verification failed, it failed with a certificate
599 // error. 592 // error.
600 if (rv == OK || IsCertificateError(rv)) 593 if (rv == OK || IsCertificateError(rv))
(...skipping 302 matching lines...) Expand 10 before | Expand all | Expand 10 after
903 return true; 896 return true;
904 897
905 return false; 898 return false;
906 } 899 }
907 900
908 // static 901 // static
909 const base::Feature CertVerifyProc::kSHA1LegacyMode{ 902 const base::Feature CertVerifyProc::kSHA1LegacyMode{
910 "SHA1LegacyMode", base::FEATURE_DISABLED_BY_DEFAULT}; 903 "SHA1LegacyMode", base::FEATURE_DISABLED_BY_DEFAULT};
911 904
912 } // namespace net 905 } // namespace net
OLDNEW
« no previous file with comments | « net/BUILD.gn ('k') | net/cert/cert_verify_proc_blacklist.inc » ('j') | net/cert/cert_verify_proc_blacklist.inc » ('J')

Powered by Google App Engine
This is Rietveld 408576698