net: add certificate pins for Twitter.

net/base/transport_security_state.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/transport_security_state.h"
 
 #if defined(USE_OPENSSL)
 #include <openssl/ssl.h>
 #include <openssl/ecdsa.h>
 #else  // !defined(USE_OPENSSL)
@@ skipping 877 matching lines @@
     "sha1/rzEyQIKOh77j87n5bjWUNguXF8Y=";
   static const char* kTorAcceptableCerts[] = {
     kCertRapidSSL,
     kCertDigiCertEVRoot,
     kCertTor1,
     kCertTor2,
     kCertTor3,
     0,
   };
 
+  static const char kCertVerisignClass1[] =
+    "sha1/I0PRSKJViZuUfUYaeX7ATP7RcLc=";
+  static const char kCertVerisignClass3[] =
+    "sha1/4n972HfV354KP560yw4uqe/baXc=";
+  static const char kCertVerisignClass3_G4[] =
+    "sha1/7WYxNdMb1OymFMQp4xkGn5TBJlA=";
+  static const char kCertVerisignClass4_G3[] =
+    "sha1/PANDaGiVHPNpKri0Jtq6j+ki5b0=";
+  static const char kCertVerisignClass3_G3[] =
+    "sha1/IvGeLsbqzPxdI0b0wuj2xVTdXgc=";
+  static const char kCertVerisignClass1_G3[] =
+    "sha1/VRmyeKyygdftp6vBg5nDu2kEJLU=";
+  static const char kCertVerisignClass2_G3[] =
+    "sha1/Wr7Fddyu87COJxlD/H8lDD32YeM=";
+  static const char kCertVerisignClass3_G2[] =
+    "sha1/GiG0lStik84Ys2XsnA6TTLOB5tQ=";
+  static const char kCertVerisignClass2_G2[] =
+    "sha1/Eje6RRfurSkm/cHN/r7t8t7ZFFw=";
+  static const char kCertVerisignClass3_G5[] =
+    "sha1/sYEIGhmkwJQf+uiVKMEkyZs0rMc=";
+  static const char kCertVerisignUniversal[] =
+    "sha1/u8I+KQuzKHcdrT6iTb30I70GsD0=";
+
+  static const char kCertTwitter1[] =
+    "sha1/Vv7zwhR9TtOIN/29MFI4cgHld40=";
+
+  static const char kCertEntrust2048[] =
+    "sha1/VeSB0RGAvtiJuQijMfmhJAkWuXA=";
+  static const char kCertEntrustEV[] =
+    "sha1/ukKwgYhTiB2GY71MwF4I/upuu3c=";
+  static const char kCertEntrustG2[] =
+    "sha1/qzDTr0vY8WtYae5FaSnahLhzlIg=";
+  static const char kCertEntrustSSL[] =
+    "sha1/8BdiE1U9s/8KAGv7UISX8+1i0Bo=";
+
+  static const char kCertGeoTrustGlobal[] =
+    "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=";
+  static const char kCertGeoTrustGlobal2[] =
+    "sha1/cTg28gIxU0crbrplRqkQFVggBQk=";
+  static const char kCertGeoTrustUniversal[] =
+    "sha1/h+hbY1PGI6MSjLD/u/VR/lmADiI=";
+  static const char kCertGeoTrustUniversal2[] =
+    "sha1/Xk9ThoXdT57KX9wNRW99UbHcm3s=";
+  static const char kCertGeoTrustPrimary[] =
+    "sha1/sBmJ5+/7Sq/LFI9YRjl2IkFQ4bo=";
+  static const char kCertGeoTrustPrimaryG2[] =
+    "sha1/vb6nG6txV/nkddlU0rcngBqCJoI=";
+  static const char kCertGeoTrustPrimaryG3[] =
+    "sha1/nKmNAK90Dd2BgNITRaWLjy6UONY=";
+
+  static const char kCertComodoAAACertificateServices[] =
+    "sha1/xDAoxdPjCAwQRIssd7okU5dgu/k=";
+  static const char kCertComodoAddTrustClass1CARoot[] =
+    "sha1/i9vXzKBoU0IW9MErJUT8Apyli0c=";
+  static const char kCertComodoAddTrustExternalCARoot[] =
+    "sha1/T5x9IXmcrQ7YuQxXnxoCmeeQ84c=";
+  static const char kCertComodoAddTrustPublicCARoot[] =
+    "sha1/qFdl1ugyyMUZY3Namhd0OoHf7i4=";
+  static const char kCertComodoAddTrustQualifiedCARoot[] =
+    "sha1/vOS3IxJVmOVjQRkcUOS2R8J2Bdc=";
+  static const char kCertComodoCertificationAuthority[] =
+    "sha1/EeSR0cnkwOuazs9zVF3h8agwPsM=";
+  static const char kCertComodoSecureCertificateServices[] =
+    "sha1/PLQahC71XPIaPaVKyNG+OQh2N7w==";
+  static const char kCertComodoTrustedCertificateServices[] =
+    "sha1//nLI678ML7sOJhOTkzwsqY3cJJQ=";
+  static const char kCertComodoUTNDATACorpSGC[] =
+    "sha1/UzLRs89/+uDxoF2FTpLSnkUdtE8=";
+  static const char kCertComodoUTNUSERFirstClientAuthenticationandEmail[] =
+    "sha1/iYJnfcSdJnAAS7RQSHzePa4Ebn0=";
+  static const char kCertComodoUTNUSERFirstHardware[] =
+    "sha1/oXJfJhsomEOVXQc31YWWnUvSw0U=";
+  static const char kCertComodoUTNUSERFirstObject[] =
+    "sha1/2u1kdBScFDyr3ZmpvVsoTYs8ydg=";
+
+  static const char kCertGTECyberTrustGlobalRoot[] =
+    "sha1/WXkS3mF11m/EI7d3E3THlt5viHI=";
+
+  static const char* kTwitterAcceptableCerts1[] = {
+    kCertVerisignClass1,
+    kCertVerisignClass3,
+    kCertVerisignClass3_G4,
+    kCertVerisignClass4_G3,
+    kCertVerisignClass3_G3,
+    kCertVerisignClass1_G3,
+    kCertVerisignClass2_G3,
+    kCertVerisignClass3_G2,
+    kCertVerisignClass2_G2,
+    kCertVerisignClass3_G5,
+    kCertVerisignUniversal,
+    kCertGeoTrustGlobal,
+    kCertGeoTrustGlobal2,
+    kCertGeoTrustUniversal,
+    kCertGeoTrustUniversal2,
+    kCertGeoTrustPrimary,
+    kCertGeoTrustPrimaryG2,
+    kCertGeoTrustPrimaryG3,
+    kCertTwitter1,
+    0,
+  };
+
+  // kTwitterAcceptableCerts2 are the set of public keys valid for Twitter's
+  // CDNs, which includes all the keys from kTwitterAcceptableCerts1.

[Chris Palmer, 2011/09/29 21:06:56]

Nit: Maybe name them kTwitterComAcceptableCerts and kTwitterCDNAcceptableCerts,
so that the names are more immediately meaningful/distinguishable?

[agl, 2011/09/29 21:36:40]

Done.

+  static const char* kTwitterAcceptableCerts2[] = {
+    kCertVerisignClass1,
+    kCertVerisignClass3,
+    kCertVerisignClass3_G4,
+    kCertVerisignClass4_G3,
+    kCertVerisignClass3_G3,
+    kCertVerisignClass1_G3,
+    kCertVerisignClass2_G3,
+    kCertVerisignClass3_G2,
+    kCertVerisignClass2_G2,
+    kCertVerisignClass3_G5,
+    kCertVerisignUniversal,
+    kCertGeoTrustGlobal,
+    kCertGeoTrustGlobal2,
+    kCertGeoTrustUniversal,
+    kCertGeoTrustUniversal2,
+    kCertGeoTrustPrimary,
+    kCertGeoTrustPrimaryG2,
+    kCertGeoTrustPrimaryG3,
+    kCertTwitter1,
+
+    kCertEntrust2048,
+    kCertEntrustEV,
+    kCertEntrustG2,
+    kCertEntrustSSL,
+    kCertComodoAAACertificateServices,
+    kCertComodoAddTrustClass1CARoot,
+    kCertComodoAddTrustExternalCARoot,
+    kCertComodoAddTrustPublicCARoot,
+    kCertComodoAddTrustQualifiedCARoot,
+    kCertComodoCertificationAuthority,
+    kCertComodoSecureCertificateServices,
+    kCertComodoTrustedCertificateServices,
+    kCertComodoUTNDATACorpSGC,
+    kCertComodoUTNUSERFirstClientAuthenticationandEmail,
+    kCertComodoUTNUSERFirstHardware,
+    kCertComodoUTNUSERFirstObject,
+    kCertGTECyberTrustGlobalRoot,
+    0,
+  };
+
   // kTestAcceptableCerts doesn't actually match any public keys and is used
   // with "pinningtest.appspot.com", below, to test if pinning is active.
   static const char* kTestAcceptableCerts[] = {
     "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=",
   };
 
+#if defined(OS_CHROMEOS)

[Chris Palmer, 2011/09/29 21:06:56]

This is so Twitter can gradually test it with ChromeOS's smaller user base
before going all the way, right? Do we have an ETA on making it standard for all
Chromes?

[agl, 2011/09/29 21:36:40]

Right.
Not yet.

+  static const bool kTwitterHSTS = true;
+#else
+  static const bool kTwitterHSTS = false;
+#endif
+
   // In the medium term this list is likely to just be hardcoded here. This,
   // slightly odd, form removes the need for additional relocations records.
   static const struct HSTSPreload kPreloadedSTS[] = {
     // (*.)google.com, iff using SSL must use an acceptable certificate.
     {12, true, "\006google\003com", false, kGoogleAcceptableCerts },
     {25, true, "\013pinningtest\007appspot\003com", false,
      kTestAcceptableCerts },
     // Now we force HTTPS for subtrees of google.com.
     {19, true, "\006health\006google\003com", true, kGoogleAcceptableCerts },
     {21, true, "\010checkout\006google\003com", true, kGoogleAcceptableCerts },
@@ skipping 79 matching lines @@
     {20, true, "\003www\012torproject\003org", true, kTorAcceptableCerts },
     {22, true, "\003www\014moneybookers\003com", true, 0 },
     {17, false, "\013ledgerscope\003net", true, 0 },
     {21, false, "\003www\013ledgerscope\003net", true, 0 },
     {10, false, "\004kyps\003net", true, 0 },
     {14, false, "\003www\004kyps\003net", true, 0 },
     {17, true, "\003app\007recurly\003com", true, 0 },
     {17, true, "\003api\007recurly\003com", true, 0 },
     {13, false, "\007greplin\003com", true, 0 },
     {17, false, "\003www\007greplin\003com", true, 0 },
-#if defined(OS_CHROMEOS)
-    {13, false, "\007twitter\003com", true, 0 },
-    {17, false, "\003www\007twitter\003com", true, 0 },
-    {17, false, "\003api\007twitter\003com", true, 0 },
-    {17, false, "\003dev\007twitter\003com", true, 0 },
-    {22, false, "\010business\007twitter\003com", true, 0 },
-#endif
+
+    {13, false, "\007twitter\003com", kTwitterHSTS, kTwitterAcceptableCerts1 },
+    {17, true, "\003www\007twitter\003com", kTwitterHSTS, kTwitterAcceptableCerts1 },
+    {17, true, "\003api\007twitter\003com", kTwitterHSTS, kTwitterAcceptableCerts1 },
+    {19, true, "\005oauth\007twitter\003com", kTwitterHSTS, kTwitterAcceptableCerts1 },
+    {20, true, "\006mobile\007twitter\003com", kTwitterHSTS, kTwitterAcceptableCerts1 },
+    {17, true, "\003dev\007twitter\003com", kTwitterHSTS, kTwitterAcceptableCerts1 },
+    {22, true, "\010business\007twitter\003com", kTwitterHSTS, kTwitterAcceptableCerts1 },
+
+    {22, true, "\010platform\007twitter\003com", false, kTwitterAcceptableCerts2 },
+    {15, true, "\003si0\005twimg\003com", false, kTwitterAcceptableCerts2 },
+    {23, true, "\010twimg0-a\010akamaihd\003net", false, kTwitterAcceptableCerts2 },
   };
   static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS);
 
   static const struct HSTSPreload kPreloadedSNISTS[] = {
     // These SNI-only domains must always use HTTPS.
     {11, false, "\005gmail\003com", true, kGoogleAcceptableCerts },
     {16, false, "\012googlemail\003com", true, kGoogleAcceptableCerts },
     {15, false, "\003www\005gmail\003com", true, kGoogleAcceptableCerts },
     {20, false, "\003www\012googlemail\003com", true, kGoogleAcceptableCerts },
     // These SNI-only domains must use an acceptable certificate iff using
@@ skipping 70 matching lines @@
   }
 
   LOG(ERROR) << "Rejecting public key chain for domain " << domain
              << ". Validated chain: " << HashesToBase64String(hashes)
              << ", expected: " << HashesToBase64String(public_key_hashes);
 
   return false;
 }
 
 }  // namespace