From: Jan Engelhardt Date: Thu, 2 Apr 2015 12:44:23 +0200 Subject: Remove EV certificates The team chose to let EV certificates appear just like normal certificates. The web of trust is considered a failure in itself, so do not give users a false sense of extra security with EV certs. Instead, let them appear just like regular ones. License: GPL-3.0-only - https://spdx.org/licenses/GPL-3.0-only.html Change-Id: Ia943a861dc5cc173c982c969e4864d5ab2930106 --- net/cert/ev_root_ca_metadata.cc | 19 ++++++++++++++++++- net/cert/ev_root_ca_metadata.h | 4 +--- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/net/cert/ev_root_ca_metadata.cc b/net/cert/ev_root_ca_metadata.cc --- a/net/cert/ev_root_ca_metadata.cc +++ b/net/cert/ev_root_ca_metadata.cc @@ -40,7 +40,19 @@ struct EVMetadata { const base::StringPiece policy_oids[kMaxOIDsPerCA]; }; -#include "net/data/ssl/chrome_root_store/chrome-ev-roots-inc.cc" +static const EVMetadata kEvRootCaMetadata[] = { + // need some dummy data to make compiler happy, because + // arraysize() is implemented as a convoluted template rather than + // the traditional sizeof(x)/sizeof(*x) + { + {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}, + { + "1.3.159.1.17.1", + "", + }, + } +}; #endif // defined(PLATFORM_USES_CHROMIUM_EV_METADATA) } // namespace @@ -225,6 +237,11 @@ bool EVRootCAMetadata::RemoveEVCA(const SHA256HashValue& fingerprint) { // metadata. // +bool EVRootCAMetadata::IsCaBrowserForumEvOid(PolicyOID policy_oid) { + LOG(WARNING) << "Not implemented"; + return false; +} + bool EVRootCAMetadata::IsEVPolicyOID(PolicyOID policy_oid) const { LOG(WARNING) << "Not implemented"; return false; diff --git a/net/cert/ev_root_ca_metadata.h b/net/cert/ev_root_ca_metadata.h --- a/net/cert/ev_root_ca_metadata.h +++ b/net/cert/ev_root_ca_metadata.h @@ -20,7 +20,7 @@ BUILDFLAG(IS_FUCHSIA) // When not defined, the EVRootCAMetadata singleton is a dumb placeholder // implementation that will fail all EV lookup operations. -#define PLATFORM_USES_CHROMIUM_EV_METADATA +//#define PLATFORM_USES_CHROMIUM_EV_METADATA #endif namespace base { @@ -65,12 +65,10 @@ class NET_EXPORT_PRIVATE EVRootCAMetadata { bool HasEVPolicyOIDGivenBytes(const SHA256HashValue& fingerprint, const der::Input& policy_oid) const; -#if defined(PLATFORM_USES_CHROMIUM_EV_METADATA) // Returns true if |policy_oid| is for 2.23.140.1.1 (CA/Browser Forum's // Extended Validation Policy). This is used as a hack by the // platform-specific CertVerifyProcs when doing EV verification. static bool IsCaBrowserForumEvOid(PolicyOID policy_oid); -#endif // AddEVCA adds an EV CA to the list of known EV CAs with the given policy. // |policy| is expressed as a string of dotted numbers. It returns true on -- 2.40.1