Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(68)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/cert_verify_proc_nss.cc

Issue 2951343002: Remove residual support for SHA-1 public key pins. (Closed)
Patch Set: Remove more code, use SHA-256 for the blacklist, and include the original FRST and India CCA certs. Created 3 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« net/cert/cert_verify_proc_builtin.cc ('K') | « net/cert/cert_verify_proc_mac.cc ('k') | net/cert/cert_verify_proc_unittest.cc » ('j') | net/data/ssl/blacklist/README.md » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/cert_verify_proc_nss.h" 5 #include "net/cert/cert_verify_proc_nss.h"
6 6
7 #include <cert.h> 7 #include <cert.h>
8 #include <nss.h> 8 #include <nss.h>
9 #include <prerror.h> 9 #include <prerror.h>
10 #include <secerr.h> 10 #include <secerr.h>
(...skipping 597 matching lines...) Expand 10 before | Expand all | Expand 10 after
608 od.offset = SEC_OID_UNKNOWN; 608 od.offset = SEC_OID_UNKNOWN;
609 // NSS doesn't allow us to pass an empty description, so I use a hardcoded, 609 // NSS doesn't allow us to pass an empty description, so I use a hardcoded,
610 // default description here. The description doesn't need to be unique for 610 // default description here. The description doesn't need to be unique for
611 // each OID. 611 // each OID.
612 od.desc = "a certificate policy"; 612 od.desc = "a certificate policy";
613 od.mechanism = CKM_INVALID_MECHANISM; 613 od.mechanism = CKM_INVALID_MECHANISM;
614 od.supportedExtension = INVALID_CERT_EXTENSION; 614 od.supportedExtension = INVALID_CERT_EXTENSION;
615 return SECOID_AddEntry(&od); 615 return SECOID_AddEntry(&od);
616 } 616 }
617 617
618 HashValue CertPublicKeyHashSHA1(CERTCertificate* cert) {
619 HashValue hash(HASH_VALUE_SHA1);
620 SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, hash.data(),
621 cert->derPublicKey.data, cert->derPublicKey.len);
622 DCHECK_EQ(SECSuccess, rv);
623 return hash;
624 }
625
626 HashValue CertPublicKeyHashSHA256(CERTCertificate* cert) { 618 HashValue CertPublicKeyHashSHA256(CERTCertificate* cert) {
627 HashValue hash(HASH_VALUE_SHA256); 619 HashValue hash(HASH_VALUE_SHA256);
628 SECStatus rv = HASH_HashBuf(HASH_AlgSHA256, hash.data(), 620 SECStatus rv = HASH_HashBuf(HASH_AlgSHA256, hash.data(),
629 cert->derPublicKey.data, cert->derPublicKey.len); 621 cert->derPublicKey.data, cert->derPublicKey.len);
630 DCHECK_EQ(rv, SECSuccess); 622 DCHECK_EQ(rv, SECSuccess);
631 return hash; 623 return hash;
632 } 624 }
633 625
634 void AppendPublicKeyHashes(CERTCertList* cert_list, 626 void AppendPublicKeyHashes(CERTCertList* cert_list,
635 CERTCertificate* root_cert, 627 CERTCertificate* root_cert,
636 HashValueVector* hashes) { 628 HashValueVector* hashes) {
637 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); 629 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
638 !CERT_LIST_END(node, cert_list); 630 !CERT_LIST_END(node, cert_list);
639 node = CERT_LIST_NEXT(node)) { 631 node = CERT_LIST_NEXT(node)) {
640 hashes->push_back(CertPublicKeyHashSHA1(node->cert));
641 hashes->push_back(CertPublicKeyHashSHA256(node->cert)); 632 hashes->push_back(CertPublicKeyHashSHA256(node->cert));
642 } 633 }
643 if (root_cert) { 634 if (root_cert) {
644 hashes->push_back(CertPublicKeyHashSHA1(root_cert));
645 hashes->push_back(CertPublicKeyHashSHA256(root_cert)); 635 hashes->push_back(CertPublicKeyHashSHA256(root_cert));
646 } 636 }
647 } 637 }
648 638
649 // Returns true if |cert_handle| contains a policy OID that is an EV policy 639 // Returns true if |cert_handle| contains a policy OID that is an EV policy
650 // OID according to |metadata|, storing the resulting policy OID in 640 // OID according to |metadata|, storing the resulting policy OID in
651 // |*ev_policy_oid|. A true return is not sufficient to establish that a 641 // |*ev_policy_oid|. A true return is not sufficient to establish that a
652 // certificate is EV, but a false return is sufficient to establish the 642 // certificate is EV, but a false return is sufficient to establish the
653 // certificate cannot be EV. 643 // certificate cannot be EV.
654 bool IsEVCandidate(EVRootCAMetadata* metadata, 644 bool IsEVCandidate(EVRootCAMetadata* metadata,
(...skipping 298 matching lines...) Expand 10 before | Expand all | Expand 10 after
953 CRLSet* crl_set, 943 CRLSet* crl_set,
954 const CertificateList& additional_trust_anchors, 944 const CertificateList& additional_trust_anchors,
955 CertVerifyResult* verify_result) { 945 CertVerifyResult* verify_result) {
956 return VerifyInternalImpl(cert, hostname, ocsp_response, flags, crl_set, 946 return VerifyInternalImpl(cert, hostname, ocsp_response, flags, crl_set,
957 additional_trust_anchors, 947 additional_trust_anchors,
958 NULL, // chain_verify_callback 948 NULL, // chain_verify_callback
959 verify_result); 949 verify_result);
960 } 950 }
961 951
962 } // namespace net 952 } // namespace net
OLDNEW
« net/cert/cert_verify_proc_builtin.cc ('K') | « net/cert/cert_verify_proc_mac.cc ('k') | net/cert/cert_verify_proc_unittest.cc » ('j') | net/data/ssl/blacklist/README.md » ('J')

Powered by Google App Engine
This is Rietveld 408576698