Upstream version 7.36.149.0

[platform/framework/web/crosswalk.git] / src / net / cert / cert_verify_proc.cc

diff --git a/src/net/cert/cert_verify_proc.cc b/src/net/cert/cert_verify_proc.cc
index 8ee4069..4dd7560 100644 (file)
--- a/src/net/cert/cert_verify_proc.cc
+++ b/src/net/cert/cert_verify_proc.cc
@@ -4,6 +4,7 @@
 
 #include "net/cert/cert_verify_proc.h"
 
+#include "base/basictypes.h"
 #include "base/metrics/histogram.h"
 #include "base/sha1.h"
 #include "base/strings/stringprintf.h"
@@ -341,6 +342,25 @@ bool CertVerifyProc::IsBlacklisted(X509Certificate* cert) {
     }
   }
 
+  // CloudFlare revoked all certificates issued prior to April 2nd, 2014. Thus
+  // all certificates where the CN ends with ".cloudflare.com" with a prior
+  // issuance date are rejected.
+  //
+  // The old certs had a lifetime of five years, so this can be removed April
+  // 2nd, 2019.
+  const std::string& cn = cert->subject().common_name;
+  static const char kCloudFlareCNSuffix[] = ".cloudflare.com";
+  // kCloudFlareEpoch is the base::Time internal value for midnight at the
+  // beginning of April 2nd, 2014, UTC.
+  static const int64 kCloudFlareEpoch = INT64_C(13040870400000000);
+  if (cn.size() > arraysize(kCloudFlareCNSuffix) - 1 &&
+      cn.compare(cn.size() - (arraysize(kCloudFlareCNSuffix) - 1),
+                 arraysize(kCloudFlareCNSuffix) - 1,
+                 kCloudFlareCNSuffix) == 0 &&
+      cert->valid_start() < base::Time::FromInternalValue(kCloudFlareEpoch)) {
+    return true;
+  }
+
   return false;
 }
 
@@ -431,7 +451,7 @@ static bool CheckNameConstraints(const std::vector<std::string>& dns_names,
   for (std::vector<std::string>::const_iterator i = dns_names.begin();
        i != dns_names.end(); ++i) {
     bool ok = false;
-    url_canon::CanonHostInfo host_info;
+    url::CanonHostInfo host_info;
     const std::string dns_name = CanonicalizeHost(*i, &host_info);
     if (host_info.IsIPAddress())
       continue;