84 lines
3.2 KiB
Diff
84 lines
3.2 KiB
Diff
From: Jan Engelhardt <jengelh@inai.de>
|
|
Date: Thu, 2 Apr 2015 12:44:23 +0200
|
|
Subject: Remove EV certificates
|
|
|
|
The team chose to let EV certificates appear just like normal
|
|
certificates. The web of trust is considered a failure in itself, so
|
|
do not give users a false sense of extra security with EV certs.
|
|
Instead, let them appear just like regular ones.
|
|
---
|
|
net/cert/ev_root_ca_metadata.cc | 19 ++++++++++++++++++-
|
|
net/cert/ev_root_ca_metadata.h | 4 +---
|
|
2 files changed, 19 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/net/cert/ev_root_ca_metadata.cc b/net/cert/ev_root_ca_metadata.cc
|
|
--- a/net/cert/ev_root_ca_metadata.cc
|
|
+++ b/net/cert/ev_root_ca_metadata.cc
|
|
@@ -44,6 +44,16 @@ static const EVMetadata kEvRootCaMetadata[] = {
|
|
// AC Camerfirma S.A. Chambers of Commerce Root - 2008
|
|
// https://www.camerfirma.com
|
|
{
|
|
+ // need some dummy thing to make compiler happy, because
|
|
+ // arraysize() is implemented as a convoluted template rather than
|
|
+ // the traditional sizeof(x)/sizeof(*x)
|
|
+ { { { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff } },
|
|
+ {
|
|
+ "0",
|
|
+ }
|
|
+ },
|
|
+#if 0
|
|
{{0x06, 0x3e, 0x4a, 0xfa, 0xc4, 0x91, 0xdf, 0xd3, 0x32, 0xf3, 0x08,
|
|
0x9b, 0x85, 0x42, 0xe9, 0x46, 0x17, 0xd8, 0x93, 0xd7, 0xfe, 0x94,
|
|
0x4e, 0x10, 0xa7, 0x93, 0x7e, 0xe2, 0x9d, 0x96, 0x93, 0xc0}},
|
|
@@ -590,7 +600,9 @@ static const EVMetadata kEvRootCaMetadata[] = {
|
|
0xd2, 0x09, 0xb7, 0x37, 0xcb, 0xe2, 0xc1, 0x8c, 0xfb, 0x2c, 0x10,
|
|
0xc0, 0xff, 0x0b, 0xcf, 0x0d, 0x32, 0x86, 0xfc, 0x1a, 0xa2}},
|
|
{"2.16.840.1.114404.1.1.2.4.1", ""},
|
|
- }};
|
|
+ }
|
|
+#endif
|
|
+};
|
|
|
|
#endif // defined(PLATFORM_USES_CHROMIUM_EV_METADATA)
|
|
} // namespace
|
|
@@ -779,6 +791,11 @@ bool EVRootCAMetadata::RemoveEVCA(const SHA256HashValue& fingerprint) {
|
|
// metadata.
|
|
//
|
|
|
|
+bool EVRootCAMetadata::IsCaBrowserForumEvOid(PolicyOID policy_oid) {
|
|
+ LOG(WARNING) << "Not implemented";
|
|
+ return false;
|
|
+}
|
|
+
|
|
bool EVRootCAMetadata::IsEVPolicyOID(PolicyOID policy_oid) const {
|
|
LOG(WARNING) << "Not implemented";
|
|
return false;
|
|
diff --git a/net/cert/ev_root_ca_metadata.h b/net/cert/ev_root_ca_metadata.h
|
|
--- a/net/cert/ev_root_ca_metadata.h
|
|
+++ b/net/cert/ev_root_ca_metadata.h
|
|
@@ -20,7 +20,7 @@
|
|
defined(OS_FUCHSIA)
|
|
// When not defined, the EVRootCAMetadata singleton is a dumb placeholder
|
|
// implementation that will fail all EV lookup operations.
|
|
-#define PLATFORM_USES_CHROMIUM_EV_METADATA
|
|
+//#define PLATFORM_USES_CHROMIUM_EV_METADATA
|
|
#endif
|
|
|
|
namespace base {
|
|
@@ -62,12 +62,10 @@ class NET_EXPORT_PRIVATE EVRootCAMetadata {
|
|
bool HasEVPolicyOIDGivenBytes(const SHA256HashValue& fingerprint,
|
|
const der::Input& policy_oid) const;
|
|
|
|
-#if defined(PLATFORM_USES_CHROMIUM_EV_METADATA)
|
|
// Returns true if |policy_oid| is for 2.23.140.1.1 (CA/Browser Forum's
|
|
// Extended Validation Policy). This is used as a hack by the
|
|
// platform-specific CertVerifyProcs when doing EV verification.
|
|
static bool IsCaBrowserForumEvOid(PolicyOID policy_oid);
|
|
-#endif
|
|
|
|
// AddEVCA adds an EV CA to the list of known EV CAs with the given policy.
|
|
// |policy| is expressed as a string of dotted numbers. It returns true on
|
|
--
|
|
2.17.1
|
|
|