Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(76)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/cert_verify_proc_android.cc

Issue 2951343002: Remove residual support for SHA-1 public key pins. (Closed)
Patch Set: Remove more code, use SHA-256 for the blacklist, and include the original FRST and India CCA certs. Created 3 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« net/cert/cert_verify_proc.cc ('K') | « net/cert/cert_verify_proc.cc ('k') | net/cert/cert_verify_proc_builtin.cc » ('j') | net/cert/cert_verify_proc_builtin.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/cert_verify_proc_android.h" 5 #include "net/cert/cert_verify_proc_android.h"
6 6
7 #include <string> 7 #include <string>
8 #include <vector> 8 #include <vector>
9 9
10 #include "base/lazy_instance.h" 10 #include "base/lazy_instance.h"
(...skipping 291 matching lines...) Expand 10 before | Expand all | Expand 10 after
302 } 302 }
303 303
304 // Extract the public key hashes. 304 // Extract the public key hashes.
305 for (size_t i = 0; i < verified_chain.size(); i++) { 305 for (size_t i = 0; i < verified_chain.size(); i++) {
306 base::StringPiece spki_bytes; 306 base::StringPiece spki_bytes;
307 if (!asn1::ExtractSPKIFromDERCert(verified_chain[i], &spki_bytes)) { 307 if (!asn1::ExtractSPKIFromDERCert(verified_chain[i], &spki_bytes)) {
308 verify_result->cert_status |= CERT_STATUS_INVALID; 308 verify_result->cert_status |= CERT_STATUS_INVALID;
309 continue; 309 continue;
310 } 310 }
311 311
312 HashValue sha1(HASH_VALUE_SHA1);
313 base::SHA1HashBytes(reinterpret_cast<const uint8_t*>(spki_bytes.data()),
314 spki_bytes.size(), sha1.data());
315 verify_result->public_key_hashes.push_back(sha1);
316
317 HashValue sha256(HASH_VALUE_SHA256); 312 HashValue sha256(HASH_VALUE_SHA256);
318 crypto::SHA256HashString(spki_bytes, sha256.data(), crypto::kSHA256Length); 313 crypto::SHA256HashString(spki_bytes, sha256.data(), crypto::kSHA256Length);
319 verify_result->public_key_hashes.push_back(sha256); 314 verify_result->public_key_hashes.push_back(sha256);
320 } 315 }
321 316
322 return true; 317 return true;
323 } 318 }
324 319
325 bool GetChainDEREncodedBytes(X509Certificate* cert, 320 bool GetChainDEREncodedBytes(X509Certificate* cert,
326 std::vector<std::string>* chain_bytes) { 321 std::vector<std::string>* chain_bytes) {
(...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after
395 return ERR_FAILED; 390 return ERR_FAILED;
396 } 391 }
397 392
398 if (IsCertStatusError(verify_result->cert_status)) 393 if (IsCertStatusError(verify_result->cert_status))
399 return MapCertStatusToNetError(verify_result->cert_status); 394 return MapCertStatusToNetError(verify_result->cert_status);
400 395
401 return OK; 396 return OK;
402 } 397 }
403 398
404 } // namespace net 399 } // namespace net
OLDNEW
« net/cert/cert_verify_proc.cc ('K') | « net/cert/cert_verify_proc.cc ('k') | net/cert/cert_verify_proc_builtin.cc » ('j') | net/cert/cert_verify_proc_builtin.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698