1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
6 | 6 |
7 #include <stdint.h> | |
8 | |
7 #include "base/basictypes.h" | 9 #include "base/basictypes.h" |
8 #include "base/metrics/histogram.h" | 10 #include "base/metrics/histogram.h" |
9 #include "base/sha1.h" | 11 #include "base/sha1.h" |
10 #include "base/strings/stringprintf.h" | 12 #include "base/strings/stringprintf.h" |
13 #include "base/time/time.h" | |
11 #include "build/build_config.h" | 14 #include "build/build_config.h" |
12 #include "net/base/net_errors.h" | 15 #include "net/base/net_errors.h" |
13 #include "net/base/net_util.h" | 16 #include "net/base/net_util.h" |
14 #include "net/base/registry_controlled_domains/registry_controlled_domain.h" | 17 #include "net/base/registry_controlled_domains/registry_controlled_domain.h" |
15 #include "net/cert/cert_status_flags.h" | 18 #include "net/cert/cert_status_flags.h" |
16 #include "net/cert/cert_verifier.h" | 19 #include "net/cert/cert_verifier.h" |
17 #include "net/cert/cert_verify_result.h" | 20 #include "net/cert/cert_verify_result.h" |
18 #include "net/cert/crl_set.h" | 21 #include "net/cert/crl_set.h" |
19 #include "net/cert/x509_certificate.h" | 22 #include "net/cert/x509_certificate.h" |
20 #include "url/url_canon.h" | 23 #include "url/url_canon.h" |
21 | 24 |
22 #if defined(USE_NSS) || defined(OS_IOS) | 25 #if defined(USE_NSS) || defined(OS_IOS) |
23 #include "net/cert/cert_verify_proc_nss.h" | 26 #include "net/cert/cert_verify_proc_nss.h" |
24 #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID) | 27 #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID) |
25 #include "net/cert/cert_verify_proc_openssl.h" | 28 #include "net/cert/cert_verify_proc_openssl.h" |
26 #elif defined(OS_ANDROID) | 29 #elif defined(OS_ANDROID) |
27 #include "net/cert/cert_verify_proc_android.h" | 30 #include "net/cert/cert_verify_proc_android.h" |
28 #elif defined(OS_MACOSX) | 31 #elif defined(OS_MACOSX) |
29 #include "net/cert/cert_verify_proc_mac.h" | 32 #include "net/cert/cert_verify_proc_mac.h" |
30 #elif defined(OS_WIN) | 33 #elif defined(OS_WIN) |
31 #include "net/cert/cert_verify_proc_win.h" | 34 #include "net/cert/cert_verify_proc_win.h" |
32 #else | 35 #else |
33 #error Implement certificate verification. | 36 #error Implement certificate verification. |
34 #endif | 37 #endif |
35 | 38 |
36 | |
37 namespace net { | 39 namespace net { |
38 | 40 |
39 namespace { | 41 namespace { |
40 | 42 |
41 // Constants used to build histogram names | 43 // Constants used to build histogram names |
42 const char kLeafCert[] = "Leaf"; | 44 const char kLeafCert[] = "Leaf"; |
43 const char kIntermediateCert[] = "Intermediate"; | 45 const char kIntermediateCert[] = "Intermediate"; |
44 const char kRootCert[] = "Root"; | 46 const char kRootCert[] = "Root"; |
45 // Matches the order of X509Certificate::PublicKeyType | 47 // Matches the order of X509Certificate::PublicKeyType |
46 const char* const kCertTypeStrings[] = { | 48 const char* const kCertTypeStrings[] = { |
269 // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit | 271 // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit |
270 // these to be issued until 1 November 2015, they represent a real risk for | 272 // these to be issued until 1 November 2015, they represent a real risk for |
271 // the deployment of gTLDs and are being phased out ahead of the hard | 273 // the deployment of gTLDs and are being phased out ahead of the hard |
272 // deadline. | 274 // deadline. |
273 if (verify_result->is_issued_by_known_root && IsHostnameNonUnique(hostname)) { | 275 if (verify_result->is_issued_by_known_root && IsHostnameNonUnique(hostname)) { |
274 verify_result->cert_status |= CERT_STATUS_NON_UNIQUE_NAME; | 276 verify_result->cert_status |= CERT_STATUS_NON_UNIQUE_NAME; |
275 // CERT_STATUS_NON_UNIQUE_NAME will eventually become a hard error. For | 277 // CERT_STATUS_NON_UNIQUE_NAME will eventually become a hard error. For |
276 // now treat it as a warning and do not map it to an error return value. | 278 // now treat it as a warning and do not map it to an error return value. |
277 } | 279 } |
278 | 280 |
281 // Flag certificates using too long validity periods. | |
282 if (verify_result->is_issued_by_known_root && HasTooLongValidity(*cert)) { | |
283 verify_result->cert_status |= CERT_STATUS_VALIDITY_TOO_LONG; | |
284 if (rv == OK) | |
285 rv = MapCertStatusToNetError(verify_result->cert_status); | |
286 } | |
287 | |
279 return rv; | 288 return rv; |
280 } | 289 } |
281 | 290 |
282 // static | 291 // static |
283 bool CertVerifyProc::IsBlacklisted(X509Certificate* cert) { | 292 bool CertVerifyProc::IsBlacklisted(X509Certificate* cert) { |
284 static const unsigned kComodoSerialBytes = 16; | 293 static const unsigned kComodoSerialBytes = 16; |
285 static const uint8 kComodoSerials[][kComodoSerialBytes] = { | 294 static const uint8 kComodoSerials[][kComodoSerialBytes] = { |
286 // Not a real certificate. For testing only. | 295 // Not a real certificate. For testing only. |
287 {0x07,0x7a,0x59,0xbc,0xd5,0x34,0x59,0x60,0x1c,0xa6,0x90,0x72,0x67,0xa6,0xdd, 0x1c}, | 296 {0x07,0x7a,0x59,0xbc,0xd5,0x34,0x59,0x60,0x1c,0xa6,0x90,0x72,0x67,0xa6,0xdd, 0x1c}, |
288 | 297 |
607 if (!CheckNameConstraints(dns_names, kLimits[i].domains)) | 616 if (!CheckNameConstraints(dns_names, kLimits[i].domains)) |
608 return true; | 617 return true; |
609 } | 618 } |
610 } | 619 } |
611 } | 620 } |
612 } | 621 } |
613 | 622 |
614 return false; | 623 return false; |
615 } | 624 } |
616 | 625 |
626 // static | |
627 bool CertVerifyProc::HasTooLongValidity(const X509Certificate& cert) { | |
628 const base::Time& start = cert.valid_start(); | |
629 const base::Time& expiry = cert.valid_expiry(); | |
630 if (start.is_max() || start.is_null() || expiry.is_max() || | |
631 expiry.is_null() || start > expiry) { | |
632 return true; | |
633 } | |
634 | |
635 base::Time::Exploded exploded_start; | |
636 base::Time::Exploded exploded_expiry; | |
637 cert.valid_start().UTCExplode(&exploded_start); | |
638 cert.valid_expiry().UTCExplode(&exploded_expiry); | |
639 | |
640 if (exploded_expiry.year - exploded_start.year > 10) { | |
641 return true; | |
642 } | |
Ryan Sleevi
2014/11/26 12:25:36
no braces for one-liners (consistency in //net ube
palmer
2014/12/15 22:55:58
Done.
| |
643 int month_diff = (exploded_expiry.year - exploded_start.year) * 12 + | |
644 (exploded_expiry.month - exploded_start.month); | |
645 | |
646 // Add any remainder as a full month. | |
647 if (exploded_expiry.day_of_month > exploded_start.day_of_month) | |
648 ++month_diff; | |
649 | |
650 static const base::Time time_2012_07_01 = | |
651 base::Time::FromUTCExploded({ 2012, 7, 0, 1, 0, 0, 0, 0 }); | |
652 static const base::Time time_2015_04_01 = | |
653 base::Time::FromUTCExploded({ 2015, 4, 0, 1, 0, 0, 0, 0 }); | |
654 static const base::Time time_2019_07_01 = | |
655 base::Time::FromUTCExploded({ 2019, 7, 0, 1, 0, 0, 0, 0 }); | |
Ryan Sleevi
2014/11/26 12:25:36
Forces a lot of lib calls every time. That scared
palmer
2014/12/15 22:55:58
This code is much clearer. Our bug was (in part) d
| |
656 | |
657 // For certificates issued before the BRs took effect. | |
658 if (start < time_2012_07_01 && | |
659 (month_diff > 120 || expiry > time_2019_07_01)) { | |
660 return true; | |
661 } | |
662 | |
663 // For certificates issued after 1 July 2012: 60 months. | |
664 if (start >= time_2012_07_01 && month_diff > 60) { | |
665 return true; | |
666 } | |
Ryan Sleevi
2014/11/26 12:25:36
no brace
palmer
2014/12/15 22:55:58
Done.
| |
667 | |
668 // For certificates issued after 1 April 2015: 39 months. | |
669 if (start >= time_2015_04_01 && month_diff > 39) { | |
670 return true; | |
671 } | |
Ryan Sleevi
2014/11/26 12:25:36
no brace
palmer
2014/12/15 22:55:58
Done.
| |
672 | |
673 return false; | |
674 } | |
675 | |
617 } // namespace net | 676 } // namespace net |
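Review bot: In HasTooLongValidity (new lines 637–638) the code re-calls `cert.valid_start()` and `cert.valid_expiry()` even though `start` and `expiry` were already bound on lines 628–629 and have passed the sanity checks; use the bound values, `start.UTCExplode(&exploded_start);` and `expiry.UTCExplode(&exploded_expiry);`, so the sanity-checked and exploded times are visibly the same objects. The partial-month rounding on lines 647–648 compares only day_of_month, so an expiry on the same day-of-month but at a later time-of-day than the start is not counted as an extra month; if the intent is that any excess over a whole month counts, that edge appears to be missed, though the exact BR counting rule is not stated on the page. The thresholds 120, 60 and 39 and the three cutoff dates would benefit from a short comment naming the Baseline Requirements clause each one comes from, as the call site in Verify only says the check flags "too long validity periods". The enclosing Verify function that calls HasTooLongValidity begins outside the visible section.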