| Index: net/cert/cert_verify_proc.cc
|
| diff --git a/net/cert/cert_verify_proc.cc b/net/cert/cert_verify_proc.cc
|
| index 222ba47f51c98fcab412a52334146ee064d77696..d987e3dc04c079d67078a53df9e6a35e1161fb65 100644
|
| --- a/net/cert/cert_verify_proc.cc
|
| +++ b/net/cert/cert_verify_proc.cc
|
| @@ -4,10 +4,13 @@
|
|
|
| #include "net/cert/cert_verify_proc.h"
|
|
|
| +#include <stdint.h>
|
| +
|
| #include "base/basictypes.h"
|
| #include "base/metrics/histogram.h"
|
| #include "base/sha1.h"
|
| #include "base/strings/stringprintf.h"
|
| +#include "base/time/time.h"
|
| #include "build/build_config.h"
|
| #include "net/base/net_errors.h"
|
| #include "net/base/net_util.h"
|
| @@ -33,7 +36,6 @@
|
| #error Implement certificate verification.
|
| #endif
|
|
|
| -
|
| namespace net {
|
|
|
| namespace {
|
| @@ -276,6 +278,13 @@ int CertVerifyProc::Verify(X509Certificate* cert,
|
| // now treat it as a warning and do not map it to an error return value.
|
| }
|
|
|
| + // Flag certificates using too long validity periods.
|
| + if (verify_result->is_issued_by_known_root && HasTooLongValidity(*cert)) {
|
| + verify_result->cert_status |= CERT_STATUS_VALIDITY_TOO_LONG;
|
| + if (rv == OK)
|
| + rv = MapCertStatusToNetError(verify_result->cert_status);
|
| + }
|
| +
|
| return rv;
|
| }
|
|
|
| @@ -614,4 +623,50 @@ bool CertVerifyProc::HasNameConstraintsViolation(
|
| return false;
|
| }
|
|
|
| +// static
|
| +bool CertVerifyProc::HasTooLongValidity(const X509Certificate& cert) {
|
| + const base::Time& start = cert.valid_start();
|
| + const base::Time& expiry = cert.valid_expiry();
|
| + if (start.is_max() || start.is_null() || expiry.is_max() ||
|
| + expiry.is_null() || start > expiry) {
|
| + return true;
|
| + }
|
| +
|
| + base::Time::Exploded exploded_start;
|
| + base::Time::Exploded exploded_expiry;
|
| + cert.valid_start().UTCExplode(&exploded_start);
|
| + cert.valid_expiry().UTCExplode(&exploded_expiry);
|
| +
|
| + if (exploded_expiry.year - exploded_start.year > 10)
|
| + return true;
|
| +
|
| + int month_diff = (exploded_expiry.year - exploded_start.year) * 12 +
|
| + (exploded_expiry.month - exploded_start.month);
|
| +
|
| + // Add any remainder as a full month.
|
| + if (exploded_expiry.day_of_month > exploded_start.day_of_month)
|
| + ++month_diff;
|
| +
|
| + static const base::Time time_2012_07_01 =
|
| + base::Time::FromUTCExploded({2012, 7, 0, 1, 0, 0, 0, 0});
|
| + static const base::Time time_2015_04_01 =
|
| + base::Time::FromUTCExploded({2015, 4, 0, 1, 0, 0, 0, 0});
|
| + static const base::Time time_2019_07_01 =
|
| + base::Time::FromUTCExploded({2019, 7, 0, 1, 0, 0, 0, 0});
|
| +
|
| + // For certificates issued before the BRs took effect.
|
| + if (start < time_2012_07_01 && (month_diff > 120 || expiry > time_2019_07_01))
|
| + return true;
|
| +
|
| + // For certificates issued after 1 July 2012: 60 months.
|
| + if (start >= time_2012_07_01 && month_diff > 60)
|
| + return true;
|
| +
|
| + // For certificates issued after 1 April 2015: 39 months.
|
| + if (start >= time_2015_04_01 && month_diff > 39)
|
| + return true;
|
| +
|
| + return false;
|
| +}
|
| +
|
| } // namespace net
|
|
|
Chromium Code Reviews
Issue 724543002:
Reject certificates that are valid for too long. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master