1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
6 | 6 |
| 7 #include <stdint.h> |
| 8 |
7 #include "base/basictypes.h" | 9 #include "base/basictypes.h" |
8 #include "base/metrics/histogram.h" | 10 #include "base/metrics/histogram.h" |
9 #include "base/sha1.h" | 11 #include "base/sha1.h" |
10 #include "base/strings/stringprintf.h" | 12 #include "base/strings/stringprintf.h" |
| 13 #include "base/time/time.h" |
11 #include "build/build_config.h" | 14 #include "build/build_config.h" |
12 #include "net/base/net_errors.h" | 15 #include "net/base/net_errors.h" |
13 #include "net/base/net_util.h" | 16 #include "net/base/net_util.h" |
14 #include "net/base/registry_controlled_domains/registry_controlled_domain.h" | 17 #include "net/base/registry_controlled_domains/registry_controlled_domain.h" |
15 #include "net/cert/cert_status_flags.h" | 18 #include "net/cert/cert_status_flags.h" |
16 #include "net/cert/cert_verifier.h" | 19 #include "net/cert/cert_verifier.h" |
17 #include "net/cert/cert_verify_result.h" | 20 #include "net/cert/cert_verify_result.h" |
18 #include "net/cert/crl_set.h" | 21 #include "net/cert/crl_set.h" |
19 #include "net/cert/x509_certificate.h" | 22 #include "net/cert/x509_certificate.h" |
20 #include "url/url_canon.h" | 23 #include "url/url_canon.h" |
21 | 24 |
22 #if defined(USE_NSS) || defined(OS_IOS) | 25 #if defined(USE_NSS) || defined(OS_IOS) |
23 #include "net/cert/cert_verify_proc_nss.h" | 26 #include "net/cert/cert_verify_proc_nss.h" |
24 #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID) | 27 #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID) |
25 #include "net/cert/cert_verify_proc_openssl.h" | 28 #include "net/cert/cert_verify_proc_openssl.h" |
26 #elif defined(OS_ANDROID) | 29 #elif defined(OS_ANDROID) |
27 #include "net/cert/cert_verify_proc_android.h" | 30 #include "net/cert/cert_verify_proc_android.h" |
28 #elif defined(OS_MACOSX) | 31 #elif defined(OS_MACOSX) |
29 #include "net/cert/cert_verify_proc_mac.h" | 32 #include "net/cert/cert_verify_proc_mac.h" |
30 #elif defined(OS_WIN) | 33 #elif defined(OS_WIN) |
31 #include "net/cert/cert_verify_proc_win.h" | 34 #include "net/cert/cert_verify_proc_win.h" |
32 #else | 35 #else |
33 #error Implement certificate verification. | 36 #error Implement certificate verification. |
34 #endif | 37 #endif |
35 | 38 |
36 | |
37 namespace net { | 39 namespace net { |
38 | 40 |
39 namespace { | 41 namespace { |
40 | 42 |
41 // Constants used to build histogram names | 43 // Constants used to build histogram names |
42 const char kLeafCert[] = "Leaf"; | 44 const char kLeafCert[] = "Leaf"; |
43 const char kIntermediateCert[] = "Intermediate"; | 45 const char kIntermediateCert[] = "Intermediate"; |
44 const char kRootCert[] = "Root"; | 46 const char kRootCert[] = "Root"; |
45 // Matches the order of X509Certificate::PublicKeyType | 47 // Matches the order of X509Certificate::PublicKeyType |
46 const char* const kCertTypeStrings[] = { | 48 const char* const kCertTypeStrings[] = { |
269 // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit | 271 // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit |
270 // these to be issued until 1 November 2015, they represent a real risk for | 272 // these to be issued until 1 November 2015, they represent a real risk for |
271 // the deployment of gTLDs and are being phased out ahead of the hard | 273 // the deployment of gTLDs and are being phased out ahead of the hard |
272 // deadline. | 274 // deadline. |
273 if (verify_result->is_issued_by_known_root && IsHostnameNonUnique(hostname)) { | 275 if (verify_result->is_issued_by_known_root && IsHostnameNonUnique(hostname)) { |
274 verify_result->cert_status |= CERT_STATUS_NON_UNIQUE_NAME; | 276 verify_result->cert_status |= CERT_STATUS_NON_UNIQUE_NAME; |
275 // CERT_STATUS_NON_UNIQUE_NAME will eventually become a hard error. For | 277 // CERT_STATUS_NON_UNIQUE_NAME will eventually become a hard error. For |
276 // now treat it as a warning and do not map it to an error return value. | 278 // now treat it as a warning and do not map it to an error return value. |
277 } | 279 } |
278 | 280 |
| 281 // Flag certificates using too long validity periods. |
| 282 if (verify_result->is_issued_by_known_root && HasTooLongValidity(*cert)) { |
| 283 verify_result->cert_status |= CERT_STATUS_VALIDITY_TOO_LONG; |
| 284 if (rv == OK) |
| 285 rv = MapCertStatusToNetError(verify_result->cert_status); |
| 286 } |
| 287 |
279 return rv; | 288 return rv; |
280 } | 289 } |
281 | 290 |
282 // static | 291 // static |
283 bool CertVerifyProc::IsBlacklisted(X509Certificate* cert) { | 292 bool CertVerifyProc::IsBlacklisted(X509Certificate* cert) { |
284 static const unsigned kComodoSerialBytes = 16; | 293 static const unsigned kComodoSerialBytes = 16; |
285 static const uint8 kComodoSerials[][kComodoSerialBytes] = { | 294 static const uint8 kComodoSerials[][kComodoSerialBytes] = { |
286 // Not a real certificate. For testing only. | 295 // Not a real certificate. For testing only. |
287 {0x07,0x7a,0x59,0xbc,0xd5,0x34,0x59,0x60,0x1c,0xa6,0x90,0x72,0x67,0xa6,0xdd,
0x1c}, | 296 {0x07,0x7a,0x59,0xbc,0xd5,0x34,0x59,0x60,0x1c,0xa6,0x90,0x72,0x67,0xa6,0xdd,
0x1c}, |
288 | 297 |
607 if (!CheckNameConstraints(dns_names, kLimits[i].domains)) | 616 if (!CheckNameConstraints(dns_names, kLimits[i].domains)) |
608 return true; | 617 return true; |
609 } | 618 } |
610 } | 619 } |
611 } | 620 } |
612 } | 621 } |
613 | 622 |
614 return false; | 623 return false; |
615 } | 624 } |
616 | 625 |
| 626 // static |
| 627 bool CertVerifyProc::HasTooLongValidity(const X509Certificate& cert) { |
| 628 const base::Time& start = cert.valid_start(); |
| 629 const base::Time& expiry = cert.valid_expiry(); |
| 630 if (start.is_max() || start.is_null() || expiry.is_max() || |
| 631 expiry.is_null() || start > expiry) { |
| 632 return true; |
| 633 } |
| 634 |
| 635 base::Time::Exploded exploded_start; |
| 636 base::Time::Exploded exploded_expiry; |
| 637 cert.valid_start().UTCExplode(&exploded_start); |
| 638 cert.valid_expiry().UTCExplode(&exploded_expiry); |
| 639 |
| 640 if (exploded_expiry.year - exploded_start.year > 10) |
| 641 return true; |
| 642 int month_diff = (exploded_expiry.year - exploded_start.year) * 12 + |
| 643 (exploded_expiry.month - exploded_start.month); |
| 644 |
| 645 // Add any remainder as a full month. |
| 646 if (exploded_expiry.day_of_month > exploded_start.day_of_month) |
| 647 ++month_diff; |
| 648 |
| 649 static const base::Time time_2015_04_01 = |
| 650 base::Time::FromInternalValue(INT64_C(1427871600000000)); |
| 651 static const base::Time time_2012_07_01 = |
| 652 base::Time::FromInternalValue(INT64_C(1341126000000000)); |
| 653 static const base::Time time_2019_07_01 = |
| 654 base::Time::FromInternalValue(INT64_C(1561964400000000)); |
| 655 |
| 656 if (start >= time_2015_04_01) |
| 657 return month_diff > 39; |
| 658 if (start >= time_2012_07_01) |
| 659 return month_diff > 60; |
| 660 return month_diff > 120 || expiry > time_2019_07_01; |
| 661 } |
| 662 |
617 } // namespace net | 663 } // namespace net |
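Review bot: The three `base::Time::FromInternalValue(INT64_C(...))` constants at new lines 649–654 of `HasTooLongValidity` read as microseconds since the Unix epoch (1427871600 is 2015-04-01 07:00:00 UTC, i.e. Pacific-local midnight rather than UTC midnight), but base::Time's internal value is, as far as I know, microseconds since 1601-01-01 UTC; if so, each constant lands in the 17th century, `start >= time_2015_04_01` holds for every real certificate, and the 39-month limit is applied to certificates issued under the 60- and 120-month regimes checked at lines 658–660. Even where the epoch happens to match this build, opaque offsets hide both the intended date and timezone, so please express the cut-offs as UTC calendar dates via `base::Time::FromUTCExploded` and comment which Baseline Requirements transition each one marks. A small helper in the file's anonymous namespace (which opens above the hunk at line 41) keeps the three definitions readable and makes the dates verifiable at a glance. The call site in `Verify` (new lines 281–286) belongs to a function whose start is outside the visible section.

```cpp
// Returns 00:00:00 UTC on the given calendar date; used for the
// Baseline Requirements validity-period transition dates below.
base::Time UtcMidnight(int year, int month, int day_of_month) {
  base::Time::Exploded exploded = {};
  exploded.year = year;
  exploded.month = month;
  exploded.day_of_month = day_of_month;
  return base::Time::FromUTCExploded(exploded);
}

// … unchanged: HasTooLongValidity up to the month_diff computation …

  // Transition dates from the CA/Browser Forum Baseline Requirements,
  // stated as UTC dates so the intent is visible without epoch arithmetic.
  static const base::Time time_2015_04_01 = UtcMidnight(2015, 4, 1);
  static const base::Time time_2012_07_01 = UtcMidnight(2012, 7, 1);
  static const base::Time time_2019_07_01 = UtcMidnight(2019, 7, 1);

// … unchanged: the month_diff comparisons and return …
```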