Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(68)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/base/transport_security_state.cc

Issue 8084008: net: add certificate pins for Twitter. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: ... Created 9 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « no previous file | net/base/transport_security_state_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/base/transport_security_state.h" 5 #include "net/base/transport_security_state.h"
6 6
7 #if defined(USE_OPENSSL) 7 #if defined(USE_OPENSSL)
8 #include <openssl/ssl.h> 8 #include <openssl/ssl.h>
9 #include <openssl/ecdsa.h> 9 #include <openssl/ecdsa.h>
10 #else // !defined(USE_OPENSSL) 10 #else // !defined(USE_OPENSSL)
(...skipping 877 matching lines...) Expand 10 before | Expand all | Expand 10 after
888 "sha1/rzEyQIKOh77j87n5bjWUNguXF8Y="; 888 "sha1/rzEyQIKOh77j87n5bjWUNguXF8Y=";
889 static const char* kTorAcceptableCerts[] = { 889 static const char* kTorAcceptableCerts[] = {
890 kCertRapidSSL, 890 kCertRapidSSL,
891 kCertDigiCertEVRoot, 891 kCertDigiCertEVRoot,
892 kCertTor1, 892 kCertTor1,
893 kCertTor2, 893 kCertTor2,
894 kCertTor3, 894 kCertTor3,
895 0, 895 0,
896 }; 896 };
897 897
898 static const char kCertVerisignClass1[] =
899 "sha1/I0PRSKJViZuUfUYaeX7ATP7RcLc=";
900 static const char kCertVerisignClass3[] =
901 "sha1/4n972HfV354KP560yw4uqe/baXc=";
902 static const char kCertVerisignClass3_G4[] =
903 "sha1/7WYxNdMb1OymFMQp4xkGn5TBJlA=";
904 static const char kCertVerisignClass4_G3[] =
905 "sha1/PANDaGiVHPNpKri0Jtq6j+ki5b0=";
906 static const char kCertVerisignClass3_G3[] =
907 "sha1/IvGeLsbqzPxdI0b0wuj2xVTdXgc=";
908 static const char kCertVerisignClass1_G3[] =
909 "sha1/VRmyeKyygdftp6vBg5nDu2kEJLU=";
910 static const char kCertVerisignClass2_G3[] =
911 "sha1/Wr7Fddyu87COJxlD/H8lDD32YeM=";
912 static const char kCertVerisignClass3_G2[] =
913 "sha1/GiG0lStik84Ys2XsnA6TTLOB5tQ=";
914 static const char kCertVerisignClass2_G2[] =
915 "sha1/Eje6RRfurSkm/cHN/r7t8t7ZFFw=";
916 static const char kCertVerisignClass3_G5[] =
917 "sha1/sYEIGhmkwJQf+uiVKMEkyZs0rMc=";
918 static const char kCertVerisignUniversal[] =
919 "sha1/u8I+KQuzKHcdrT6iTb30I70GsD0=";
920
921 static const char kCertTwitter1[] =
922 "sha1/Vv7zwhR9TtOIN/29MFI4cgHld40=";
923
924 static const char kCertEntrust2048[] =
925 "sha1/VeSB0RGAvtiJuQijMfmhJAkWuXA=";
926 static const char kCertEntrustEV[] =
927 "sha1/ukKwgYhTiB2GY71MwF4I/upuu3c=";
928 static const char kCertEntrustG2[] =
929 "sha1/qzDTr0vY8WtYae5FaSnahLhzlIg=";
930 static const char kCertEntrustSSL[] =
931 "sha1/8BdiE1U9s/8KAGv7UISX8+1i0Bo=";
932
933 static const char kCertGeoTrustGlobal[] =
934 "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=";
935 static const char kCertGeoTrustGlobal2[] =
936 "sha1/cTg28gIxU0crbrplRqkQFVggBQk=";
937 static const char kCertGeoTrustUniversal[] =
938 "sha1/h+hbY1PGI6MSjLD/u/VR/lmADiI=";
939 static const char kCertGeoTrustUniversal2[] =
940 "sha1/Xk9ThoXdT57KX9wNRW99UbHcm3s=";
941 static const char kCertGeoTrustPrimary[] =
942 "sha1/sBmJ5+/7Sq/LFI9YRjl2IkFQ4bo=";
943 static const char kCertGeoTrustPrimaryG2[] =
944 "sha1/vb6nG6txV/nkddlU0rcngBqCJoI=";
945 static const char kCertGeoTrustPrimaryG3[] =
946 "sha1/nKmNAK90Dd2BgNITRaWLjy6UONY=";
947
948 static const char kCertComodoAAACertificateServices[] =
949 "sha1/xDAoxdPjCAwQRIssd7okU5dgu/k=";
950 static const char kCertComodoAddTrustClass1CARoot[] =
951 "sha1/i9vXzKBoU0IW9MErJUT8Apyli0c=";
952 static const char kCertComodoAddTrustExternalCARoot[] =
953 "sha1/T5x9IXmcrQ7YuQxXnxoCmeeQ84c=";
954 static const char kCertComodoAddTrustPublicCARoot[] =
955 "sha1/qFdl1ugyyMUZY3Namhd0OoHf7i4=";
956 static const char kCertComodoAddTrustQualifiedCARoot[] =
957 "sha1/vOS3IxJVmOVjQRkcUOS2R8J2Bdc=";
958 static const char kCertComodoCertificationAuthority[] =
959 "sha1/EeSR0cnkwOuazs9zVF3h8agwPsM=";
960 static const char kCertComodoSecureCertificateServices[] =
961 "sha1/PLQahC71XPIaPaVKyNG+OQh2N7w==";
962 static const char kCertComodoTrustedCertificateServices[] =
963 "sha1//nLI678ML7sOJhOTkzwsqY3cJJQ=";
964 static const char kCertComodoUTNDATACorpSGC[] =
965 "sha1/UzLRs89/+uDxoF2FTpLSnkUdtE8=";
966 static const char kCertComodoUTNUSERFirstClientAuthenticationandEmail[] =
967 "sha1/iYJnfcSdJnAAS7RQSHzePa4Ebn0=";
968 static const char kCertComodoUTNUSERFirstHardware[] =
969 "sha1/oXJfJhsomEOVXQc31YWWnUvSw0U=";
970 static const char kCertComodoUTNUSERFirstObject[] =
971 "sha1/2u1kdBScFDyr3ZmpvVsoTYs8ydg=";
972
973 static const char kCertGTECyberTrustGlobalRoot[] =
974 "sha1/WXkS3mF11m/EI7d3E3THlt5viHI=";
975
976 static const char* kTwitterComAcceptableCerts[] = {
977 kCertVerisignClass1,
978 kCertVerisignClass3,
979 kCertVerisignClass3_G4,
980 kCertVerisignClass4_G3,
981 kCertVerisignClass3_G3,
982 kCertVerisignClass1_G3,
983 kCertVerisignClass2_G3,
984 kCertVerisignClass3_G2,
985 kCertVerisignClass2_G2,
986 kCertVerisignClass3_G5,
987 kCertVerisignUniversal,
988 kCertGeoTrustGlobal,
989 kCertGeoTrustGlobal2,
990 kCertGeoTrustUniversal,
991 kCertGeoTrustUniversal2,
992 kCertGeoTrustPrimary,
993 kCertGeoTrustPrimaryG2,
994 kCertGeoTrustPrimaryG3,
995 kCertTwitter1,
996 0,
997 };
998
999 // kTwitterAcceptableCerts2 are the set of public keys valid for Twitter's
1000 // CDNs, which includes all the keys from kTwitterAcceptableCerts1.
1001 static const char* kTwitterCDNAcceptableCerts[] = {
1002 kCertVerisignClass1,
1003 kCertVerisignClass3,
1004 kCertVerisignClass3_G4,
1005 kCertVerisignClass4_G3,
1006 kCertVerisignClass3_G3,
1007 kCertVerisignClass1_G3,
1008 kCertVerisignClass2_G3,
1009 kCertVerisignClass3_G2,
1010 kCertVerisignClass2_G2,
1011 kCertVerisignClass3_G5,
1012 kCertVerisignUniversal,
1013 kCertGeoTrustGlobal,
1014 kCertGeoTrustGlobal2,
1015 kCertGeoTrustUniversal,
1016 kCertGeoTrustUniversal2,
1017 kCertGeoTrustPrimary,
1018 kCertGeoTrustPrimaryG2,
1019 kCertGeoTrustPrimaryG3,
1020 kCertTwitter1,
1021
1022 kCertEntrust2048,
1023 kCertEntrustEV,
1024 kCertEntrustG2,
1025 kCertEntrustSSL,
1026 kCertComodoAAACertificateServices,
1027 kCertComodoAddTrustClass1CARoot,
1028 kCertComodoAddTrustExternalCARoot,
1029 kCertComodoAddTrustPublicCARoot,
1030 kCertComodoAddTrustQualifiedCARoot,
1031 kCertComodoCertificationAuthority,
1032 kCertComodoSecureCertificateServices,
1033 kCertComodoTrustedCertificateServices,
1034 kCertComodoUTNDATACorpSGC,
1035 kCertComodoUTNUSERFirstClientAuthenticationandEmail,
1036 kCertComodoUTNUSERFirstHardware,
1037 kCertComodoUTNUSERFirstObject,
1038 kCertGTECyberTrustGlobalRoot,
1039 0,
1040 };
1041
898 // kTestAcceptableCerts doesn't actually match any public keys and is used 1042 // kTestAcceptableCerts doesn't actually match any public keys and is used
899 // with "pinningtest.appspot.com", below, to test if pinning is active. 1043 // with "pinningtest.appspot.com", below, to test if pinning is active.
900 static const char* kTestAcceptableCerts[] = { 1044 static const char* kTestAcceptableCerts[] = {
901 "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=", 1045 "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=",
902 }; 1046 };
903 1047
1048 #if defined(OS_CHROMEOS)
1049 static const bool kTwitterHSTS = true;
1050 #else
1051 static const bool kTwitterHSTS = false;
1052 #endif
1053
904 // In the medium term this list is likely to just be hardcoded here. This, 1054 // In the medium term this list is likely to just be hardcoded here. This,
905 // slightly odd, form removes the need for additional relocations records. 1055 // slightly odd, form removes the need for additional relocations records.
906 static const struct HSTSPreload kPreloadedSTS[] = { 1056 static const struct HSTSPreload kPreloadedSTS[] = {
907 // (*.)google.com, iff using SSL must use an acceptable certificate. 1057 // (*.)google.com, iff using SSL must use an acceptable certificate.
908 {12, true, "\006google\003com", false, kGoogleAcceptableCerts }, 1058 {12, true, "\006google\003com", false, kGoogleAcceptableCerts },
909 {25, true, "\013pinningtest\007appspot\003com", false, 1059 {25, true, "\013pinningtest\007appspot\003com", false,
910 kTestAcceptableCerts }, 1060 kTestAcceptableCerts },
911 // Now we force HTTPS for subtrees of google.com. 1061 // Now we force HTTPS for subtrees of google.com.
912 {19, true, "\006health\006google\003com", true, kGoogleAcceptableCerts }, 1062 {19, true, "\006health\006google\003com", true, kGoogleAcceptableCerts },
913 {21, true, "\010checkout\006google\003com", true, kGoogleAcceptableCerts }, 1063 {21, true, "\010checkout\006google\003com", true, kGoogleAcceptableCerts },
(...skipping 79 matching lines...) Expand 10 before | Expand all | Expand 10 after
993 {20, true, "\003www\012torproject\003org", true, kTorAcceptableCerts }, 1143 {20, true, "\003www\012torproject\003org", true, kTorAcceptableCerts },
994 {22, true, "\003www\014moneybookers\003com", true, 0 }, 1144 {22, true, "\003www\014moneybookers\003com", true, 0 },
995 {17, false, "\013ledgerscope\003net", true, 0 }, 1145 {17, false, "\013ledgerscope\003net", true, 0 },
996 {21, false, "\003www\013ledgerscope\003net", true, 0 }, 1146 {21, false, "\003www\013ledgerscope\003net", true, 0 },
997 {10, false, "\004kyps\003net", true, 0 }, 1147 {10, false, "\004kyps\003net", true, 0 },
998 {14, false, "\003www\004kyps\003net", true, 0 }, 1148 {14, false, "\003www\004kyps\003net", true, 0 },
999 {17, true, "\003app\007recurly\003com", true, 0 }, 1149 {17, true, "\003app\007recurly\003com", true, 0 },
1000 {17, true, "\003api\007recurly\003com", true, 0 }, 1150 {17, true, "\003api\007recurly\003com", true, 0 },
1001 {13, false, "\007greplin\003com", true, 0 }, 1151 {13, false, "\007greplin\003com", true, 0 },
1002 {17, false, "\003www\007greplin\003com", true, 0 }, 1152 {17, false, "\003www\007greplin\003com", true, 0 },
1003 #if defined(OS_CHROMEOS) 1153
1004 {13, false, "\007twitter\003com", true, 0 }, 1154 {13, false, "\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts } ,
1005 {17, false, "\003www\007twitter\003com", true, 0 }, 1155 {17, true, "\003www\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableC erts },
1006 {17, false, "\003api\007twitter\003com", true, 0 }, 1156 {17, true, "\003api\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableC erts },
1007 {17, false, "\003dev\007twitter\003com", true, 0 }, 1157 {19, true, "\005oauth\007twitter\003com", kTwitterHSTS, kTwitterComAcceptabl eCerts },
1008 {22, false, "\010business\007twitter\003com", true, 0 }, 1158 {20, true, "\006mobile\007twitter\003com", kTwitterHSTS, kTwitterComAcceptab leCerts },
1009 #endif 1159 {17, true, "\003dev\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableC erts },
1160 {22, true, "\010business\007twitter\003com", kTwitterHSTS, kTwitterComAccept ableCerts },
1161
1162 {22, true, "\010platform\007twitter\003com", false, kTwitterCDNAcceptableCer ts },
1163 {15, true, "\003si0\005twimg\003com", false, kTwitterCDNAcceptableCerts },
1164 {23, true, "\010twimg0-a\010akamaihd\003net", false, kTwitterCDNAcceptableCe rts },
1010 }; 1165 };
1011 static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS); 1166 static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS);
1012 1167
1013 static const struct HSTSPreload kPreloadedSNISTS[] = { 1168 static const struct HSTSPreload kPreloadedSNISTS[] = {
1014 // These SNI-only domains must always use HTTPS. 1169 // These SNI-only domains must always use HTTPS.
1015 {11, false, "\005gmail\003com", true, kGoogleAcceptableCerts }, 1170 {11, false, "\005gmail\003com", true, kGoogleAcceptableCerts },
1016 {16, false, "\012googlemail\003com", true, kGoogleAcceptableCerts }, 1171 {16, false, "\012googlemail\003com", true, kGoogleAcceptableCerts },
1017 {15, false, "\003www\005gmail\003com", true, kGoogleAcceptableCerts }, 1172 {15, false, "\003www\005gmail\003com", true, kGoogleAcceptableCerts },
1018 {20, false, "\003www\012googlemail\003com", true, kGoogleAcceptableCerts }, 1173 {20, false, "\003www\012googlemail\003com", true, kGoogleAcceptableCerts },
1019 // These SNI-only domains must use an acceptable certificate iff using 1174 // These SNI-only domains must use an acceptable certificate iff using
(...skipping 70 matching lines...) Expand 10 before | Expand all | Expand 10 after
1090 } 1245 }
1091 1246
1092 LOG(ERROR) << "Rejecting public key chain for domain " << domain 1247 LOG(ERROR) << "Rejecting public key chain for domain " << domain
1093 << ". Validated chain: " << HashesToBase64String(hashes) 1248 << ". Validated chain: " << HashesToBase64String(hashes)
1094 << ", expected: " << HashesToBase64String(public_key_hashes); 1249 << ", expected: " << HashesToBase64String(public_key_hashes);
1095 1250
1096 return false; 1251 return false;
1097 } 1252 }
1098 1253
1099 } // namespace 1254 } // namespace
OLDNEW
« no previous file with comments | « no previous file | net/base/transport_security_state_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698