Remove legacy Cloudflare certificate handling from CertVerifyProc

The Certificate verifier needed to explicitly distrust Cloudflare certificates issued before April 2nd, 2014. Those certificates have now all expired and special distrust is no longer needed. Change-Id: I07d7bfea8496e61725cd5307a57dccf08c3b3536 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1552099 Commit-Queue: Adam Langley <agl@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Adam Langley <agl@chromium.org> Cr-Commit-Position: refs/heads/master@{#647782}

Remove legacy Cloudflare certificate handling from CertVerifyProc
The Certificate verifier needed to explicitly distrust Cloudflare certificates issued before April 2nd, 2014. Those certificates have now all expired and special distrust is no longer needed. Change-Id: I07d7bfea8496e61725cd5307a57dccf08c3b3536 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1552099 Commit-Queue: Adam Langley <agl@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Adam Langley <agl@chromium.org> Cr-Commit-Position: refs/heads/master@{#647782}
07854df9 · Eric Lawrence · Commit Bot · 5c451dfe · 07854df9 · 07854df9
Commit 07854df9 authored Apr 04, 2019 by Eric Lawrence Committed by Commit Bot Apr 04, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 0 additions and 30 deletions

net/cert/cert_verify_proc.cc net/cert/cert_verify_proc.cc +0 -27

net/cert/cert_verify_proc.h net/cert/cert_verify_proc.h +0 -3

No files found.
--- a/net/cert/cert_verify_proc.cc
+++ b/net/cert/cert_verify_proc.cc
@@ -489,11 +489,6 @@ int CertVerifyProc::Verify(X509Certificate* cert,
  verify_result->Reset();
  verify_result->verified_cert = cert;

-  if (IsBlacklisted(cert)) {
-    verify_result->cert_status |= CERT_STATUS_REVOKED;
-    return ERR_CERT_REVOKED;
-  }
-
  DCHECK(crl_set);
  int rv = VerifyInternal(cert, hostname, ocsp_response, flags, crl_set,
                          additional_trust_anchors, verify_result);
@@ -612,28 +607,6 @@ int CertVerifyProc::Verify(X509Certificate* cert,
  return rv;
 }

-// static
-bool CertVerifyProc::IsBlacklisted(X509Certificate* cert) {
-  // CloudFlare revoked all certificates issued prior to April 2nd, 2014. Thus
-  // all certificates where the CN ends with ".cloudflare.com" with a prior
-  // issuance date are rejected.
-  //
-  // The old certs had a lifetime of five years, so this can be removed April
-  // 2nd, 2019.
-  const base::StringPiece cn(cert->subject().common_name);
-  static constexpr base::StringPiece kCloudflareCNSuffix(".cloudflare.com");
-  // April 2nd, 2014 UTC, expressed as seconds since the Unix Epoch.
-  static constexpr base::TimeDelta kCloudflareEpoch =
-      base::TimeDelta::FromSeconds(1396396800);
-
-  if (cn.ends_with(kCloudflareCNSuffix) &&
-      cert->valid_start() < (base::Time::UnixEpoch() + kCloudflareEpoch)) {
-    return true;
-  }
-
-  return false;
-}
-
 // CheckNameConstraints verifies that every name in |dns_names| is in one of
 // the domains specified by |domains|.
 static bool CheckNameConstraints(const std::vector<std::string>& dns_names,

--- a/net/cert/cert_verify_proc.h
+++ b/net/cert/cert_verify_proc.h
@@ -134,9 +134,6 @@ class NET_EXPORT CertVerifyProc
                             const CertificateList& additional_trust_anchors,
                             CertVerifyResult* verify_result) = 0;

-  // Returns true if |cert| is explicitly blacklisted.
-  static bool IsBlacklisted(X509Certificate* cert);
-
  // HasNameConstraintsViolation returns true iff one of |public_key_hashes|
  // (which are hashes of SubjectPublicKeyInfo structures) has name constraints
  // imposed on it and the names in |dns_names| are not permitted.