Limit lifetime of self-signed certificate used for TLS on Cast channel

BUG=428920 R=mfoltz@chromium.org Review URL: https://codereview.chromium.org/694123002 Cr-Commit-Position: refs/heads/master@{#308288}

Limit lifetime of self-signed certificate used for TLS on Cast channel
BUG=428920 R=mfoltz@chromium.org Review URL: https://codereview.chromium.org/694123002 Cr-Commit-Position: refs/heads/master@{#308288}
9d04deed · dougsteed · Commit bot · 1e043393 · 9d04deed · 9d04deed
Commit 9d04deed authored Dec 13, 2014 by dougsteed Committed by Commit bot Dec 13, 2014
Showing with 30 additions and 2 deletions

extensions/browser/api/cast_channel/cast_socket.cc extensions/browser/api/cast_channel/cast_socket.cc +29 -2

extensions/common/api/cast_channel/logging.proto extensions/common/api/cast_channel/logging.proto +1 -0

No files found.
--- a/extensions/browser/api/cast_channel/cast_socket.cc
+++ b/extensions/browser/api/cast_channel/cast_socket.cc
@@ -15,6 +15,7 @@
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/stringprintf.h"
 #include "base/sys_byteorder.h"
+#include "base/time/time.h"
 #include "extensions/browser/api/cast_channel/cast_auth_util.h"
 #include "extensions/browser/api/cast_channel/cast_framer.h"
 #include "extensions/browser/api/cast_channel/cast_message_util.h"
@@ -49,6 +50,18 @@ namespace {
 // after 9 failed probes.  So the total idle time before close is 10 *
 // kTcpKeepAliveDelaySecs.
 const int kTcpKeepAliveDelaySecs = 10;
+const int kMaxSelfSignedCertLifetimeInDays = 2;
+std::string FormatTimeForLogging(base::Time time) {
+  base::Time::Exploded exploded;
+  time.UTCExplode(&exploded);
+  return base::StringPrintf(
+      "%04d-%02d-%02d %02d:%02d:%02d.%03d UTC", exploded.year, exploded.month,
+      exploded.day_of_month, exploded.hour, exploded.minute, exploded.second,
+      exploded.millisecond);
+}
 }  // namespace
 namespace extensions {
@@ -177,11 +190,25 @@ bool CastSocketImpl::ExtractPeerCert(std::string* cert) {
  logger_->LogSocketEvent(channel_id_, proto::SSL_INFO_OBTAINED);
+  // Ensure that the peer cert (which is self-signed) doesn't have an excessive
+  // life-time (i.e. no more than 2 days).
+  base::Time expiry = ssl_info.cert->valid_expiry();
+  base::Time lifetimeLimit =
+      base::Time::Now() +
+      base::TimeDelta::FromDays(kMaxSelfSignedCertLifetimeInDays);
+  if (expiry.is_null() || expiry > lifetimeLimit) {
+    std::string details = FormatTimeForLogging(expiry);
+    details += " " + ip_endpoint().ToString();
+    LOG(ERROR) << "Peer cert has excessive lifetime. details=" << details;
+    logger_->LogSocketEventWithDetails(
+        channel_id_, proto::SSL_CERT_EXCESSIVE_LIFETIME, details);
+    return false;
+  }
  bool result = net::X509Certificate::GetDEREncoded(
     ssl_info.cert->os_cert_handle(), cert);
  if (result) {
-    VLOG_WITH_CONNECTION(1) << "Successfully extracted peer certificate: "
+    VLOG_WITH_CONNECTION(1) << "Successfully extracted peer certificate";
-                            << *cert;
  }
  logger_->LogSocketEventWithRv(

--- a/extensions/common/api/cast_channel/logging.proto
+++ b/extensions/common/api/cast_channel/logging.proto
@@ -35,6 +35,7 @@ enum EventType {
  NOTIFY_ON_MESSAGE = 23;  // Message
  NOTIFY_ON_ERROR = 24;
  SOCKET_CLOSED = 25;
+  SSL_CERT_EXCESSIVE_LIFETIME = 26;
 }
 enum ChannelAuth {