From: Jan Engelhardt Date: Thu, 2 Apr 2015 12:44:23 +0200 Subject: Remove EV certificates The team chose to let EV certificates appear just like normal certificates. The web of trust is considered a failure in itself, so do not give users a false sense of extra security with EV certs. Instead, let them appear just like regular ones. --- net/cert/ev_root_ca_metadata.cc | 19 ++++++++++++++++++- net/cert/ev_root_ca_metadata.h | 4 +--- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/net/cert/ev_root_ca_metadata.cc b/net/cert/ev_root_ca_metadata.cc --- a/net/cert/ev_root_ca_metadata.cc +++ b/net/cert/ev_root_ca_metadata.cc @@ -44,6 +44,16 @@ static const EVMetadata kEvRootCaMetadata[] = { // AC Camerfirma S.A. Chambers of Commerce Root - 2008 // https://www.camerfirma.com { + // need some dummy thing to make compiler happy, because + // arraysize() is implemented as a convoluted template rather than + // the traditional sizeof(x)/sizeof(*x) + { { { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff } }, + { + "0", + } + }, +#if 0 {{0x06, 0x3e, 0x4a, 0xfa, 0xc4, 0x91, 0xdf, 0xd3, 0x32, 0xf3, 0x08, 0x9b, 0x85, 0x42, 0xe9, 0x46, 0x17, 0xd8, 0x93, 0xd7, 0xfe, 0x94, 0x4e, 0x10, 0xa7, 0x93, 0x7e, 0xe2, 0x9d, 0x96, 0x93, 0xc0}}, @@ -590,7 +600,9 @@ static const EVMetadata kEvRootCaMetadata[] = { 0xd2, 0x09, 0xb7, 0x37, 0xcb, 0xe2, 0xc1, 0x8c, 0xfb, 0x2c, 0x10, 0xc0, 0xff, 0x0b, 0xcf, 0x0d, 0x32, 0x86, 0xfc, 0x1a, 0xa2}}, {"2.16.840.1.114404.1.1.2.4.1", ""}, - }}; + } +#endif +}; #endif // defined(PLATFORM_USES_CHROMIUM_EV_METADATA) } // namespace @@ -779,6 +791,11 @@ bool EVRootCAMetadata::RemoveEVCA(const SHA256HashValue& fingerprint) { // metadata. // +bool EVRootCAMetadata::IsCaBrowserForumEvOid(PolicyOID policy_oid) { + LOG(WARNING) << "Not implemented"; + return false; +} + bool EVRootCAMetadata::IsEVPolicyOID(PolicyOID policy_oid) const { LOG(WARNING) << "Not implemented"; return false; diff --git a/net/cert/ev_root_ca_metadata.h b/net/cert/ev_root_ca_metadata.h --- a/net/cert/ev_root_ca_metadata.h +++ b/net/cert/ev_root_ca_metadata.h @@ -20,7 +20,7 @@ defined(OS_FUCHSIA) // When not defined, the EVRootCAMetadata singleton is a dumb placeholder // implementation that will fail all EV lookup operations. -#define PLATFORM_USES_CHROMIUM_EV_METADATA +//#define PLATFORM_USES_CHROMIUM_EV_METADATA #endif namespace base { @@ -62,12 +62,10 @@ class NET_EXPORT_PRIVATE EVRootCAMetadata { bool HasEVPolicyOIDGivenBytes(const SHA256HashValue& fingerprint, const der::Input& policy_oid) const; -#if defined(PLATFORM_USES_CHROMIUM_EV_METADATA) // Returns true if |policy_oid| is for 2.23.140.1.1 (CA/Browser Forum's // Extended Validation Policy). This is used as a hack by the // platform-specific CertVerifyProcs when doing EV verification. static bool IsCaBrowserForumEvOid(PolicyOID policy_oid); -#endif // AddEVCA adds an EV CA to the list of known EV CAs with the given policy. // |policy| is expressed as a string of dotted numbers. It returns true on -- 2.17.1