net/cert/cert_verify_proc.cc - Issue 2927383002: Remove the StartCom/WoSign whitelist

Side by Side Diff: net/cert/cert_verify_proc.cc

Issue 2927383002: Remove the StartCom/WoSign whitelist (Closed)

Patch Set: Headers Created 3 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/cert/cert_verify_proc.h"	5 #include "net/cert/cert_verify_proc.h"

6	6

7 #include <stdint.h>	7 #include <stdint.h>

8	8

9 #include <algorithm>	9 #include <algorithm>

10	10

11 #include "base/metrics/histogram.h"	11 #include "base/metrics/histogram.h"

12 #include "base/metrics/histogram_macros.h"	12 #include "base/metrics/histogram_macros.h"

13 #include "base/sha1.h"	13 #include "base/sha1.h"

14 #include "base/strings/string_util.h"	14 #include "base/strings/string_util.h"

15 #include "base/strings/stringprintf.h"	15 #include "base/strings/stringprintf.h"

16 #include "base/time/time.h"	16 #include "base/time/time.h"

17 #include "build/build_config.h"	17 #include "build/build_config.h"

	18 #include "crypto/sha2.h"

18 #include "net/base/net_errors.h"	19 #include "net/base/net_errors.h"

19 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"	20 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"

20 #include "net/base/url_util.h"	21 #include "net/base/url_util.h"

21 #include "net/cert/asn1_util.h"	22 #include "net/cert/asn1_util.h"

22 #include "net/cert/cert_status_flags.h"	23 #include "net/cert/cert_status_flags.h"

23 #include "net/cert/cert_verifier.h"	24 #include "net/cert/cert_verifier.h"

24 #include "net/cert/cert_verify_proc_whitelist.h"

25 #include "net/cert/cert_verify_result.h"	25 #include "net/cert/cert_verify_result.h"

26 #include "net/cert/crl_set.h"	26 #include "net/cert/crl_set.h"

27 #include "net/cert/internal/parse_ocsp.h"	27 #include "net/cert/internal/parse_ocsp.h"

28 #include "net/cert/internal/signature_algorithm.h"	28 #include "net/cert/internal/signature_algorithm.h"

29 #include "net/cert/ocsp_revocation_status.h"	29 #include "net/cert/ocsp_revocation_status.h"

30 #include "net/cert/x509_certificate.h"	30 #include "net/cert/x509_certificate.h"

31 #include "net/der/encode_values.h"	31 #include "net/der/encode_values.h"

32 #include "url/url_canon.h"	32 #include "url/url_canon.h"

33	33

34 #if defined(USE_NSS_CERTS)	34 #if defined(USE_NSS_CERTS)

(...skipping 540 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
575 std::vector<std::string> dns_names, ip_addrs;	575 std::vector<std::string> dns_names, ip_addrs;

576 cert->GetSubjectAltName(&dns_names, &ip_addrs);	576 cert->GetSubjectAltName(&dns_names, &ip_addrs);

577 if (HasNameConstraintsViolation(verify_result->public_key_hashes,	577 if (HasNameConstraintsViolation(verify_result->public_key_hashes,

578 cert->subject().common_name,	578 cert->subject().common_name,

579 dns_names,	579 dns_names,

580 ip_addrs)) {	580 ip_addrs)) {

581 verify_result->cert_status \|= CERT_STATUS_NAME_CONSTRAINT_VIOLATION;	581 verify_result->cert_status \|= CERT_STATUS_NAME_CONSTRAINT_VIOLATION;

582 rv = MapCertStatusToNetError(verify_result->cert_status);	582 rv = MapCertStatusToNetError(verify_result->cert_status);

583 }	583 }

584	584

585 if (IsNonWhitelistedCertificate(*verify_result->verified_cert,

586 verify_result->public_key_hashes, hostname)) {

587 verify_result->cert_status \|= CERT_STATUS_AUTHORITY_INVALID;

588 rv = MapCertStatusToNetError(verify_result->cert_status);

589 }

590

591 // Check for weak keys in the entire verified chain.	585 // Check for weak keys in the entire verified chain.

592 bool weak_key = ExaminePublicKeys(verify_result->verified_cert,	586 bool weak_key = ExaminePublicKeys(verify_result->verified_cert,

593 verify_result->is_issued_by_known_root);	587 verify_result->is_issued_by_known_root);

594	588

595 if (weak_key) {	589 if (weak_key) {

596 verify_result->cert_status \|= CERT_STATUS_WEAK_KEY;	590 verify_result->cert_status \|= CERT_STATUS_WEAK_KEY;

597 // Avoid replacing a more serious error, such as an OS/library failure,	591 // Avoid replacing a more serious error, such as an OS/library failure,

598 // by ensuring that if verification failed, it failed with a certificate	592 // by ensuring that if verification failed, it failed with a certificate

599 // error.	593 // error.

600 if (rv == OK \|\| IsCertificateError(rv))	594 if (rv == OK \|\| IsCertificateError(rv))

(...skipping 302 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
903 return true;	897 return true;

904	898

905 return false;	899 return false;

906 }	900 }

907	901

908 // static	902 // static

909 const base::Feature CertVerifyProc::kSHA1LegacyMode{	903 const base::Feature CertVerifyProc::kSHA1LegacyMode{

910 "SHA1LegacyMode", base::FEATURE_DISABLED_BY_DEFAULT};	904 "SHA1LegacyMode", base::FEATURE_DISABLED_BY_DEFAULT};

911	905

912 } // namespace net	906 } // namespace net

OLD	NEW

« no previous file with comments | « net/BUILD.gn ('k') | net/cert/cert_verify_proc_blacklist.inc » ('j') | no next file with comments »