Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(198)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/base/transport_security_state.cc

Issue 8084008: net: add certificate pins for Twitter. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 9 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | net/base/transport_security_state_unittest.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/base/transport_security_state.cc
diff --git a/net/base/transport_security_state.cc b/net/base/transport_security_state.cc
index a0e187bedf6f116ffa80ac2299c1fff9acae91cb..c1bcfc23ef7977144bebb6c40c7a4a38d8bc2c33 100644
--- a/net/base/transport_security_state.cc
+++ b/net/base/transport_security_state.cc
@@ -895,12 +895,162 @@ bool TransportSecurityState::IsPreloadedSTS(
0,
};
+ static const char kCertVerisignClass1[] =
+ "sha1/I0PRSKJViZuUfUYaeX7ATP7RcLc=";
+ static const char kCertVerisignClass3[] =
+ "sha1/4n972HfV354KP560yw4uqe/baXc=";
+ static const char kCertVerisignClass3_G4[] =
+ "sha1/7WYxNdMb1OymFMQp4xkGn5TBJlA=";
+ static const char kCertVerisignClass4_G3[] =
+ "sha1/PANDaGiVHPNpKri0Jtq6j+ki5b0=";
+ static const char kCertVerisignClass3_G3[] =
+ "sha1/IvGeLsbqzPxdI0b0wuj2xVTdXgc=";
+ static const char kCertVerisignClass1_G3[] =
+ "sha1/VRmyeKyygdftp6vBg5nDu2kEJLU=";
+ static const char kCertVerisignClass2_G3[] =
+ "sha1/Wr7Fddyu87COJxlD/H8lDD32YeM=";
+ static const char kCertVerisignClass3_G2[] =
+ "sha1/GiG0lStik84Ys2XsnA6TTLOB5tQ=";
+ static const char kCertVerisignClass2_G2[] =
+ "sha1/Eje6RRfurSkm/cHN/r7t8t7ZFFw=";
+ static const char kCertVerisignClass3_G5[] =
+ "sha1/sYEIGhmkwJQf+uiVKMEkyZs0rMc=";
+ static const char kCertVerisignUniversal[] =
+ "sha1/u8I+KQuzKHcdrT6iTb30I70GsD0=";
+
+ static const char kCertTwitter1[] =
+ "sha1/Vv7zwhR9TtOIN/29MFI4cgHld40=";
+
+ static const char kCertEntrust2048[] =
+ "sha1/VeSB0RGAvtiJuQijMfmhJAkWuXA=";
+ static const char kCertEntrustEV[] =
+ "sha1/ukKwgYhTiB2GY71MwF4I/upuu3c=";
+ static const char kCertEntrustG2[] =
+ "sha1/qzDTr0vY8WtYae5FaSnahLhzlIg=";
+ static const char kCertEntrustSSL[] =
+ "sha1/8BdiE1U9s/8KAGv7UISX8+1i0Bo=";
+
+ static const char kCertGeoTrustGlobal[] =
+ "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=";
+ static const char kCertGeoTrustGlobal2[] =
+ "sha1/cTg28gIxU0crbrplRqkQFVggBQk=";
+ static const char kCertGeoTrustUniversal[] =
+ "sha1/h+hbY1PGI6MSjLD/u/VR/lmADiI=";
+ static const char kCertGeoTrustUniversal2[] =
+ "sha1/Xk9ThoXdT57KX9wNRW99UbHcm3s=";
+ static const char kCertGeoTrustPrimary[] =
+ "sha1/sBmJ5+/7Sq/LFI9YRjl2IkFQ4bo=";
+ static const char kCertGeoTrustPrimaryG2[] =
+ "sha1/vb6nG6txV/nkddlU0rcngBqCJoI=";
+ static const char kCertGeoTrustPrimaryG3[] =
+ "sha1/nKmNAK90Dd2BgNITRaWLjy6UONY=";
+
+ static const char kCertComodoAAACertificateServices[] =
+ "sha1/xDAoxdPjCAwQRIssd7okU5dgu/k=";
+ static const char kCertComodoAddTrustClass1CARoot[] =
+ "sha1/i9vXzKBoU0IW9MErJUT8Apyli0c=";
+ static const char kCertComodoAddTrustExternalCARoot[] =
+ "sha1/T5x9IXmcrQ7YuQxXnxoCmeeQ84c=";
+ static const char kCertComodoAddTrustPublicCARoot[] =
+ "sha1/qFdl1ugyyMUZY3Namhd0OoHf7i4=";
+ static const char kCertComodoAddTrustQualifiedCARoot[] =
+ "sha1/vOS3IxJVmOVjQRkcUOS2R8J2Bdc=";
+ static const char kCertComodoCertificationAuthority[] =
+ "sha1/EeSR0cnkwOuazs9zVF3h8agwPsM=";
+ static const char kCertComodoSecureCertificateServices[] =
+ "sha1/PLQahC71XPIaPaVKyNG+OQh2N7w==";
+ static const char kCertComodoTrustedCertificateServices[] =
+ "sha1//nLI678ML7sOJhOTkzwsqY3cJJQ=";
+ static const char kCertComodoUTNDATACorpSGC[] =
+ "sha1/UzLRs89/+uDxoF2FTpLSnkUdtE8=";
+ static const char kCertComodoUTNUSERFirstClientAuthenticationandEmail[] =
+ "sha1/iYJnfcSdJnAAS7RQSHzePa4Ebn0=";
+ static const char kCertComodoUTNUSERFirstHardware[] =
+ "sha1/oXJfJhsomEOVXQc31YWWnUvSw0U=";
+ static const char kCertComodoUTNUSERFirstObject[] =
+ "sha1/2u1kdBScFDyr3ZmpvVsoTYs8ydg=";
+
+ static const char kCertGTECyberTrustGlobalRoot[] =
+ "sha1/WXkS3mF11m/EI7d3E3THlt5viHI=";
+
+ static const char* kTwitterAcceptableCerts1[] = {
+ kCertVerisignClass1,
+ kCertVerisignClass3,
+ kCertVerisignClass3_G4,
+ kCertVerisignClass4_G3,
+ kCertVerisignClass3_G3,
+ kCertVerisignClass1_G3,
+ kCertVerisignClass2_G3,
+ kCertVerisignClass3_G2,
+ kCertVerisignClass2_G2,
+ kCertVerisignClass3_G5,
+ kCertVerisignUniversal,
+ kCertGeoTrustGlobal,
+ kCertGeoTrustGlobal2,
+ kCertGeoTrustUniversal,
+ kCertGeoTrustUniversal2,
+ kCertGeoTrustPrimary,
+ kCertGeoTrustPrimaryG2,
+ kCertGeoTrustPrimaryG3,
+ kCertTwitter1,
+ 0,
+ };
+
+ // kTwitterAcceptableCerts2 are the set of public keys valid for Twitter's
+ // CDNs, which includes all the keys from kTwitterAcceptableCerts1.
Chris Palmer 2011/09/29 21:06:56 Nit: Maybe name them kTwitterComAcceptableCerts an
agl 2011/09/29 21:36:40 Done.
+ static const char* kTwitterAcceptableCerts2[] = {
+ kCertVerisignClass1,
+ kCertVerisignClass3,
+ kCertVerisignClass3_G4,
+ kCertVerisignClass4_G3,
+ kCertVerisignClass3_G3,
+ kCertVerisignClass1_G3,
+ kCertVerisignClass2_G3,
+ kCertVerisignClass3_G2,
+ kCertVerisignClass2_G2,
+ kCertVerisignClass3_G5,
+ kCertVerisignUniversal,
+ kCertGeoTrustGlobal,
+ kCertGeoTrustGlobal2,
+ kCertGeoTrustUniversal,
+ kCertGeoTrustUniversal2,
+ kCertGeoTrustPrimary,
+ kCertGeoTrustPrimaryG2,
+ kCertGeoTrustPrimaryG3,
+ kCertTwitter1,
+
+ kCertEntrust2048,
+ kCertEntrustEV,
+ kCertEntrustG2,
+ kCertEntrustSSL,
+ kCertComodoAAACertificateServices,
+ kCertComodoAddTrustClass1CARoot,
+ kCertComodoAddTrustExternalCARoot,
+ kCertComodoAddTrustPublicCARoot,
+ kCertComodoAddTrustQualifiedCARoot,
+ kCertComodoCertificationAuthority,
+ kCertComodoSecureCertificateServices,
+ kCertComodoTrustedCertificateServices,
+ kCertComodoUTNDATACorpSGC,
+ kCertComodoUTNUSERFirstClientAuthenticationandEmail,
+ kCertComodoUTNUSERFirstHardware,
+ kCertComodoUTNUSERFirstObject,
+ kCertGTECyberTrustGlobalRoot,
+ 0,
+ };
+
// kTestAcceptableCerts doesn't actually match any public keys and is used
// with "pinningtest.appspot.com", below, to test if pinning is active.
static const char* kTestAcceptableCerts[] = {
"sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=",
};
+#if defined(OS_CHROMEOS)
Chris Palmer 2011/09/29 21:06:56 This is so Twitter can gradually test it with Chro
agl 2011/09/29 21:36:40 Right.
+ static const bool kTwitterHSTS = true;
+#else
+ static const bool kTwitterHSTS = false;
+#endif
+
// In the medium term this list is likely to just be hardcoded here. This,
// slightly odd, form removes the need for additional relocations records.
static const struct HSTSPreload kPreloadedSTS[] = {
@@ -1000,13 +1150,18 @@ bool TransportSecurityState::IsPreloadedSTS(
{17, true, "\003api\007recurly\003com", true, 0 },
{13, false, "\007greplin\003com", true, 0 },
{17, false, "\003www\007greplin\003com", true, 0 },
-#if defined(OS_CHROMEOS)
- {13, false, "\007twitter\003com", true, 0 },
- {17, false, "\003www\007twitter\003com", true, 0 },
- {17, false, "\003api\007twitter\003com", true, 0 },
- {17, false, "\003dev\007twitter\003com", true, 0 },
- {22, false, "\010business\007twitter\003com", true, 0 },
-#endif
+
+ {13, false, "\007twitter\003com", kTwitterHSTS, kTwitterAcceptableCerts1 },
+ {17, true, "\003www\007twitter\003com", kTwitterHSTS, kTwitterAcceptableCerts1 },
+ {17, true, "\003api\007twitter\003com", kTwitterHSTS, kTwitterAcceptableCerts1 },
+ {19, true, "\005oauth\007twitter\003com", kTwitterHSTS, kTwitterAcceptableCerts1 },
+ {20, true, "\006mobile\007twitter\003com", kTwitterHSTS, kTwitterAcceptableCerts1 },
+ {17, true, "\003dev\007twitter\003com", kTwitterHSTS, kTwitterAcceptableCerts1 },
+ {22, true, "\010business\007twitter\003com", kTwitterHSTS, kTwitterAcceptableCerts1 },
+
+ {22, true, "\010platform\007twitter\003com", false, kTwitterAcceptableCerts2 },
+ {15, true, "\003si0\005twimg\003com", false, kTwitterAcceptableCerts2 },
+ {23, true, "\010twimg0-a\010akamaihd\003net", false, kTwitterAcceptableCerts2 },
};
static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS);
« no previous file with comments | « no previous file | net/base/transport_security_state_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698