Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(9)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: extensions/browser/api/cast_channel/cast_socket.cc

Issue 694123002: Limit lifetime of self-signed certificate used for TLS on Cast channel (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Handle some mfoltz comments Created 6 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | extensions/common/api/cast_channel/logging.proto » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: extensions/browser/api/cast_channel/cast_socket.cc
diff --git a/extensions/browser/api/cast_channel/cast_socket.cc b/extensions/browser/api/cast_channel/cast_socket.cc
index c87492edbcacec9db1c17c99194eb036b55b254e..22adfdb2cdc3dc32f5c6be18f9440b35cf2dd510 100644
--- a/extensions/browser/api/cast_channel/cast_socket.cc
+++ b/extensions/browser/api/cast_channel/cast_socket.cc
@@ -15,6 +15,7 @@
#include "base/strings/string_number_conversions.h"
#include "base/strings/stringprintf.h"
#include "base/sys_byteorder.h"
+#include "base/time/time.h"
#include "extensions/browser/api/cast_channel/cast_auth_util.h"
#include "extensions/browser/api/cast_channel/cast_framer.h"
#include "extensions/browser/api/cast_channel/cast_message_util.h"
@@ -49,6 +50,18 @@ namespace {
// after 9 failed probes. So the total idle time before close is 10 *
// kTcpKeepAliveDelaySecs.
const int kTcpKeepAliveDelaySecs = 10;
+
+const int kMaxSelfSignedCertLifetimeInDays = 2;
+
+std::string FormatTimeForLogging(base::Time time) {
+ base::Time::Exploded exploded;
+ time.UTCExplode(&exploded);
+ return base::StringPrintf(
+ "%04d-%02d-%02d %02d:%02d:%02d.%03d UTC", exploded.year, exploded.month,
+ exploded.day_of_month, exploded.hour, exploded.minute, exploded.second,
+ exploded.millisecond);
+}
+
} // namespace
namespace extensions {
@@ -177,11 +190,25 @@ bool CastSocketImpl::ExtractPeerCert(std::string* cert) {
logger_->LogSocketEvent(channel_id_, proto::SSL_INFO_OBTAINED);
+ // Ensure that the peer cert (which is self-signed) doesn't have an excessive
+ // life-time (i.e. no more than 2 days).
+ base::Time expiry = ssl_info.cert->valid_expiry();
+ base::Time lifetimeLimit =
+ base::Time::Now() +
+ base::TimeDelta::FromDays(kMaxSelfSignedCertLifetimeInDays);
+ if (expiry.is_null() || expiry > lifetimeLimit) {
+ std::string details = FormatTimeForLogging(expiry);
+ details += " " + ip_endpoint().ToString();
+ LOG(ERROR) << "Peer cert has excessive lifetime. details=" << details;
+ logger_->LogSocketEventWithDetails(
+ channel_id_, proto::SSL_CERT_EXCESSIVE_LIFETIME, details);
+ return false;
+ }
+
bool result = net::X509Certificate::GetDEREncoded(
ssl_info.cert->os_cert_handle(), cert);
if (result) {
- VLOG_WITH_CONNECTION(1) << "Successfully extracted peer certificate: "
- << *cert;
+ VLOG_WITH_CONNECTION(1) << "Successfully extracted peer certificate";
}
logger_->LogSocketEventWithRv(
« no previous file with comments | « no previous file | extensions/common/api/cast_channel/logging.proto » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698