
Side by Side Diff: net/base/transport_security_state.cc

Issue 8302019: Recommit fraudulent certificate reporting infrastructure. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: '' Created 9 years, 2 months ago
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/base/transport_security_state.h" 5 #include "net/base/transport_security_state.h"
6 6
7 #if defined(USE_OPENSSL) 7 #if defined(USE_OPENSSL)
8 #include <openssl/ecdsa.h> 8 #include <openssl/ecdsa.h>
9 #include <openssl/ssl.h> 9 #include <openssl/ssl.h>
10 #else // !defined(USE_OPENSSL) 10 #else // !defined(USE_OPENSSL)
(...skipping 826 matching lines...)
837 hash++; 837 hash++;
838 } 838 }
839 } 839 }
840 } 840 }
841 return true; 841 return true;
842 } 842 }
843 } 843 }
844 return false; 844 return false;
845 } 845 }
846 846
847 // IsPreloadedSTS returns true if the canonicalized hostname should always be 847 // These hashes are base64 encodings of SHA1 hashes for cert public keys.
848 // considered to have STS enabled. 848 static const char kCertPKHashVerisignClass3[] =
849 bool TransportSecurityState::IsPreloadedSTS( 849 "sha1/4n972HfV354KP560yw4uqe/baXc=";
850 const std::string& canonicalized_host, 850 static const char kCertPKHashVerisignClass3G3[] =
851 bool sni_available, 851 "sha1/IvGeLsbqzPxdI0b0wuj2xVTdXgc=";
852 DomainState* out) { 852 static const char kCertPKHashGoogle1024[] =
853 DCHECK(CalledOnValidThread()); 853 "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0=";
854 static const char kCertPKHashGoogle2048[] =
855 "sha1/AbkhxY0L343gKf+cki7NVWp+ozk=";
856 static const char kCertPKHashEquifaxSecureCA[] =
857 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=";
858 static const char* const kGoogleAcceptableCerts[] = {
859 kCertPKHashVerisignClass3,
860 kCertPKHashVerisignClass3G3,
861 kCertPKHashGoogle1024,
862 kCertPKHashGoogle2048,
863 kCertPKHashEquifaxSecureCA,
864 NULL,
865 };
854 866
855 out->preloaded = true; 867 static const char kCertRapidSSL[] =
856 out->mode = DomainState::MODE_STRICT; 868 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=";
857 out->include_subdomains = false; 869 static const char kCertDigiCertEVRoot[] =
870 "sha1/gzF+YoVCU9bXeDGQ7JGQVumRueM=";
871 static const char kCertTor1[] =
872 "sha1/juNxSTv9UANmpC9kF5GKpmWNx3Y=";
873 static const char kCertTor2[] =
874 "sha1/lia43lPolzSPVIq34Dw57uYcLD8=";
875 static const char kCertTor3[] =
876 "sha1/rzEyQIKOh77j87n5bjWUNguXF8Y=";
877 static const char* const kTorAcceptableCerts[] = {
878 kCertRapidSSL,
879 kCertDigiCertEVRoot,
880 kCertTor1,
881 kCertTor2,
882 kCertTor3,
883 NULL,
884 };
858 885
859 // These hashes are base64 encodings of SHA1 hashes for cert public keys. 886 static const char kCertVerisignClass1[] =
860 static const char kCertPKHashVerisignClass3[] =
861 "sha1/4n972HfV354KP560yw4uqe/baXc=";
862 static const char kCertPKHashVerisignClass3G3[] =
863 "sha1/IvGeLsbqzPxdI0b0wuj2xVTdXgc=";
864 static const char kCertPKHashGoogle1024[] =
865 "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0=";
866 static const char kCertPKHashGoogle2048[] =
867 "sha1/AbkhxY0L343gKf+cki7NVWp+ozk=";
868 static const char kCertPKHashEquifaxSecureCA[] =
869 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=";
870 static const char* const kGoogleAcceptableCerts[] = {
871 kCertPKHashVerisignClass3,
872 kCertPKHashVerisignClass3G3,
873 kCertPKHashGoogle1024,
874 kCertPKHashGoogle2048,
875 kCertPKHashEquifaxSecureCA,
876 0,
877 };
878
879 static const char kCertRapidSSL[] =
880 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=";
881 static const char kCertDigiCertEVRoot[] =
882 "sha1/gzF+YoVCU9bXeDGQ7JGQVumRueM=";
883 static const char kCertTor1[] =
884 "sha1/juNxSTv9UANmpC9kF5GKpmWNx3Y=";
885 static const char kCertTor2[] =
886 "sha1/lia43lPolzSPVIq34Dw57uYcLD8=";
887 static const char kCertTor3[] =
888 "sha1/rzEyQIKOh77j87n5bjWUNguXF8Y=";
889 static const char* const kTorAcceptableCerts[] = {
890 kCertRapidSSL,
891 kCertDigiCertEVRoot,
892 kCertTor1,
893 kCertTor2,
894 kCertTor3,
895 0,
896 };
897
898 static const char kCertVerisignClass1[] =
899 "sha1/I0PRSKJViZuUfUYaeX7ATP7RcLc="; 887 "sha1/I0PRSKJViZuUfUYaeX7ATP7RcLc=";
900 static const char kCertVerisignClass3[] = 888 static const char kCertVerisignClass3[] =
901 "sha1/4n972HfV354KP560yw4uqe/baXc="; 889 "sha1/4n972HfV354KP560yw4uqe/baXc=";
902 static const char kCertVerisignClass3_G4[] = 890 static const char kCertVerisignClass3_G4[] =
903 "sha1/7WYxNdMb1OymFMQp4xkGn5TBJlA="; 891 "sha1/7WYxNdMb1OymFMQp4xkGn5TBJlA=";
904 static const char kCertVerisignClass4_G3[] = 892 static const char kCertVerisignClass4_G3[] =
905 "sha1/PANDaGiVHPNpKri0Jtq6j+ki5b0="; 893 "sha1/PANDaGiVHPNpKri0Jtq6j+ki5b0=";
906 static const char kCertVerisignClass3_G3[] = 894 static const char kCertVerisignClass3_G3[] =
907 "sha1/IvGeLsbqzPxdI0b0wuj2xVTdXgc="; 895 "sha1/IvGeLsbqzPxdI0b0wuj2xVTdXgc=";
908 static const char kCertVerisignClass1_G3[] = 896 static const char kCertVerisignClass1_G3[] =
909 "sha1/VRmyeKyygdftp6vBg5nDu2kEJLU="; 897 "sha1/VRmyeKyygdftp6vBg5nDu2kEJLU=";
910 static const char kCertVerisignClass2_G3[] = 898 static const char kCertVerisignClass2_G3[] =
911 "sha1/Wr7Fddyu87COJxlD/H8lDD32YeM="; 899 "sha1/Wr7Fddyu87COJxlD/H8lDD32YeM=";
912 static const char kCertVerisignClass3_G2[] = 900 static const char kCertVerisignClass3_G2[] =
913 "sha1/GiG0lStik84Ys2XsnA6TTLOB5tQ="; 901 "sha1/GiG0lStik84Ys2XsnA6TTLOB5tQ=";
914 static const char kCertVerisignClass2_G2[] = 902 static const char kCertVerisignClass2_G2[] =
915 "sha1/Eje6RRfurSkm/cHN/r7t8t7ZFFw="; 903 "sha1/Eje6RRfurSkm/cHN/r7t8t7ZFFw=";
916 static const char kCertVerisignClass3_G5[] = 904 static const char kCertVerisignClass3_G5[] =
917 "sha1/sYEIGhmkwJQf+uiVKMEkyZs0rMc="; 905 "sha1/sYEIGhmkwJQf+uiVKMEkyZs0rMc=";
918 static const char kCertVerisignUniversal[] = 906 static const char kCertVerisignUniversal[] =
919 "sha1/u8I+KQuzKHcdrT6iTb30I70GsD0="; 907 "sha1/u8I+KQuzKHcdrT6iTb30I70GsD0=";
920 908
921 static const char kCertTwitter1[] = 909 static const char kCertTwitter1[] =
922 "sha1/Vv7zwhR9TtOIN/29MFI4cgHld40="; 910 "sha1/Vv7zwhR9TtOIN/29MFI4cgHld40=";
923 911
924 static const char kCertGeoTrustGlobal[] = 912 static const char kCertGeoTrustGlobal[] =
925 "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4="; 913 "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=";
926 static const char kCertGeoTrustGlobal2[] = 914 static const char kCertGeoTrustGlobal2[] =
927 "sha1/cTg28gIxU0crbrplRqkQFVggBQk="; 915 "sha1/cTg28gIxU0crbrplRqkQFVggBQk=";
928 static const char kCertGeoTrustUniversal[] = 916 static const char kCertGeoTrustUniversal[] =
929 "sha1/h+hbY1PGI6MSjLD/u/VR/lmADiI="; 917 "sha1/h+hbY1PGI6MSjLD/u/VR/lmADiI=";
930 static const char kCertGeoTrustUniversal2[] = 918 static const char kCertGeoTrustUniversal2[] =
931 "sha1/Xk9ThoXdT57KX9wNRW99UbHcm3s="; 919 "sha1/Xk9ThoXdT57KX9wNRW99UbHcm3s=";
932 static const char kCertGeoTrustPrimary[] = 920 static const char kCertGeoTrustPrimary[] =
933 "sha1/sBmJ5+/7Sq/LFI9YRjl2IkFQ4bo="; 921 "sha1/sBmJ5+/7Sq/LFI9YRjl2IkFQ4bo=";
934 static const char kCertGeoTrustPrimaryG2[] = 922 static const char kCertGeoTrustPrimaryG2[] =
935 "sha1/vb6nG6txV/nkddlU0rcngBqCJoI="; 923 "sha1/vb6nG6txV/nkddlU0rcngBqCJoI=";
936 static const char kCertGeoTrustPrimaryG3[] = 924 static const char kCertGeoTrustPrimaryG3[] =
937 "sha1/nKmNAK90Dd2BgNITRaWLjy6UONY="; 925 "sha1/nKmNAK90Dd2BgNITRaWLjy6UONY=";
938 926
939 static const char* const kTwitterComAcceptableCerts[] = { 927 static const char* const kTwitterComAcceptableCerts[] = {
940 kCertVerisignClass1, 928 kCertVerisignClass1,
941 kCertVerisignClass3, 929 kCertVerisignClass3,
942 kCertVerisignClass3_G4, 930 kCertVerisignClass3_G4,
943 kCertVerisignClass4_G3, 931 kCertVerisignClass4_G3,
944 kCertVerisignClass3_G3, 932 kCertVerisignClass3_G3,
945 kCertVerisignClass1_G3, 933 kCertVerisignClass1_G3,
946 kCertVerisignClass2_G3, 934 kCertVerisignClass2_G3,
947 kCertVerisignClass3_G2, 935 kCertVerisignClass3_G2,
948 kCertVerisignClass2_G2, 936 kCertVerisignClass2_G2,
949 kCertVerisignClass3_G5, 937 kCertVerisignClass3_G5,
950 kCertVerisignUniversal, 938 kCertVerisignUniversal,
951 kCertGeoTrustGlobal, 939 kCertGeoTrustGlobal,
952 kCertGeoTrustGlobal2, 940 kCertGeoTrustGlobal2,
953 kCertGeoTrustUniversal, 941 kCertGeoTrustUniversal,
954 kCertGeoTrustUniversal2, 942 kCertGeoTrustUniversal2,
955 kCertGeoTrustPrimary, 943 kCertGeoTrustPrimary,
956 kCertGeoTrustPrimaryG2, 944 kCertGeoTrustPrimaryG2,
957 kCertGeoTrustPrimaryG3, 945 kCertGeoTrustPrimaryG3,
958 kCertTwitter1, 946 kCertTwitter1,
959 0, 947 NULL,
960 }; 948 };
961 949
962 // kTestAcceptableCerts doesn't actually match any public keys and is used 950 // kTestAcceptableCerts doesn't actually match any public keys and is used
963 // with "pinningtest.appspot.com", below, to test if pinning is active. 951 // with "pinningtest.appspot.com", below, to test if pinning is active.
964 static const char* const kTestAcceptableCerts[] = { 952 static const char* const kTestAcceptableCerts[] = {
965 "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=", 953 "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=",
966 }; 954 };
967 955
968 #if defined(OS_CHROMEOS) 956 #if defined(OS_CHROMEOS)
969 static const bool kTwitterHSTS = true; 957 static const bool kTwitterHSTS = true;
970 #else 958 #else
971 static const bool kTwitterHSTS = false; 959 static const bool kTwitterHSTS = false;
972 #endif 960 #endif
973 961
974 // In the medium term this list is likely to just be hardcoded here. This, 962 // In the medium term this list is likely to just be hardcoded here. This
975 // slightly odd, form removes the need for additional relocations records. 963 // slightly odd form removes the need for additional relocations records.
976 static const struct HSTSPreload kPreloadedSTS[] = { 964 static const struct HSTSPreload kPreloadedSTS[] = {
977 // (*.)google.com, iff using SSL must use an acceptable certificate. 965 // (*.)google.com, iff using SSL must use an acceptable certificate.
978 {12, true, "\006google\003com", false, kGoogleAcceptableCerts }, 966 {12, true, "\006google\003com", false, kGoogleAcceptableCerts },
979 {25, true, "\013pinningtest\007appspot\003com", false, 967 {25, true, "\013pinningtest\007appspot\003com", false,
980 kTestAcceptableCerts }, 968 kTestAcceptableCerts },
981 // Now we force HTTPS for subtrees of google.com. 969 // Now we force HTTPS for subtrees of google.com.
982 {19, true, "\006health\006google\003com", true, kGoogleAcceptableCerts }, 970 {19, true, "\006health\006google\003com", true, kGoogleAcceptableCerts },
983 {21, true, "\010checkout\006google\003com", true, kGoogleAcceptableCerts }, 971 {21, true, "\010checkout\006google\003com", true, kGoogleAcceptableCerts },
984 {19, true, "\006chrome\006google\003com", true, kGoogleAcceptableCerts }, 972 {19, true, "\006chrome\006google\003com", true, kGoogleAcceptableCerts },
985 {17, true, "\004docs\006google\003com", true, kGoogleAcceptableCerts }, 973 {17, true, "\004docs\006google\003com", true, kGoogleAcceptableCerts },
986 {18, true, "\005sites\006google\003com", true, kGoogleAcceptableCerts }, 974 {18, true, "\005sites\006google\003com", true, kGoogleAcceptableCerts },
987 {25, true, "\014spreadsheets\006google\003com", true, 975 {25, true, "\014spreadsheets\006google\003com", true,
988 kGoogleAcceptableCerts }, 976 kGoogleAcceptableCerts },
989 {22, false, "\011appengine\006google\003com", true, 977 {22, false, "\011appengine\006google\003com", true,
990 kGoogleAcceptableCerts }, 978 kGoogleAcceptableCerts },
991 {22, true, "\011encrypted\006google\003com", true, kGoogleAcceptableCerts }, 979 {22, true, "\011encrypted\006google\003com", true, kGoogleAcceptableCerts },
992 {21, true, "\010accounts\006google\003com", true, kGoogleAcceptableCerts }, 980 {21, true, "\010accounts\006google\003com", true, kGoogleAcceptableCerts },
993 {21, true, "\010profiles\006google\003com", true, kGoogleAcceptableCerts }, 981 {21, true, "\010profiles\006google\003com", true, kGoogleAcceptableCerts },
994 {17, true, "\004mail\006google\003com", true, kGoogleAcceptableCerts }, 982 {17, true, "\004mail\006google\003com", true, kGoogleAcceptableCerts },
995 {23, true, "\012talkgadget\006google\003com", true, 983 {23, true, "\012talkgadget\006google\003com", true,
996 kGoogleAcceptableCerts }, 984 kGoogleAcceptableCerts },
997 {17, true, "\004talk\006google\003com", true, kGoogleAcceptableCerts }, 985 {17, true, "\004talk\006google\003com", true, kGoogleAcceptableCerts },
998 {29, true, "\020hostedtalkgadget\006google\003com", true, 986 {29, true, "\020hostedtalkgadget\006google\003com", true,
999 kGoogleAcceptableCerts }, 987 kGoogleAcceptableCerts },
1000 {17, true, "\004plus\006google\003com", true, kGoogleAcceptableCerts }, 988 {17, true, "\004plus\006google\003com", true, kGoogleAcceptableCerts },
1001 // Other Google-related domains that must use HTTPS. 989 // Other Google-related domains that must use HTTPS.
1002 {20, true, "\006market\007android\003com", true, kGoogleAcceptableCerts }, 990 {20, true, "\006market\007android\003com", true, kGoogleAcceptableCerts },
1003 {26, true, "\003ssl\020google-analytics\003com", true, 991 {26, true, "\003ssl\020google-analytics\003com", true,
1004 kGoogleAcceptableCerts }, 992 kGoogleAcceptableCerts },
1005 {18, true, "\005drive\006google\003com", true, kGoogleAcceptableCerts }, 993 {18, true, "\005drive\006google\003com", true, kGoogleAcceptableCerts },
1006 {16, true, "\012googleplex\003com", true, kGoogleAcceptableCerts }, 994 {16, true, "\012googleplex\003com", true, kGoogleAcceptableCerts },
1007 // Other Google-related domains that must use an acceptable certificate 995 // Other Google-related domains that must use an acceptable certificate
1008 // iff using SSL. 996 // iff using SSL.
1009 {11, true, "\005ytimg\003com", false, kGoogleAcceptableCerts }, 997 {11, true, "\005ytimg\003com", false, kGoogleAcceptableCerts },
1010 {23, true, "\021googleusercontent\003com", false, kGoogleAcceptableCerts }, 998 {23, true, "\021googleusercontent\003com", false, kGoogleAcceptableCerts },
1011 {13, true, "\007youtube\003com", false, kGoogleAcceptableCerts }, 999 {13, true, "\007youtube\003com", false, kGoogleAcceptableCerts },
1012 {16, true, "\012googleapis\003com", false, kGoogleAcceptableCerts }, 1000 {16, true, "\012googleapis\003com", false, kGoogleAcceptableCerts },
1013 {22, true, "\020googleadservices\003com", false, kGoogleAcceptableCerts }, 1001 {22, true, "\020googleadservices\003com", false, kGoogleAcceptableCerts },
1014 {16, true, "\012googlecode\003com", false, kGoogleAcceptableCerts }, 1002 {16, true, "\012googlecode\003com", false, kGoogleAcceptableCerts },
1015 {13, true, "\007appspot\003com", false, kGoogleAcceptableCerts }, 1003 {13, true, "\007appspot\003com", false, kGoogleAcceptableCerts },
1016 {23, true, "\021googlesyndication\003com", false, kGoogleAcceptableCerts }, 1004 {23, true, "\021googlesyndication\003com", false, kGoogleAcceptableCerts },
1017 {17, true, "\013doubleclick\003net", false, kGoogleAcceptableCerts }, 1005 {17, true, "\013doubleclick\003net", false, kGoogleAcceptableCerts },
1018 {17, true, "\003ssl\007gstatic\003com", false, kGoogleAcceptableCerts }, 1006 {17, true, "\003ssl\007gstatic\003com", false, kGoogleAcceptableCerts },
1019 // Exclude the learn.doubleclick.net subdomain because it uses a different 1007 // Exclude the learn.doubleclick.net subdomain because it uses a different
1020 // CA. 1008 // CA.
1021 {23, true, "\005learn\013doubleclick\003net", false, 0 }, 1009 {23, true, "\005learn\013doubleclick\003net", false, 0 },
1022 // Now we force HTTPS for other sites that have requested it. 1010 // Now we force HTTPS for other sites that have requested it.
1023 {16, false, "\003www\006paypal\003com", true, 0 }, 1011 {16, false, "\003www\006paypal\003com", true, 0 },
1024 {16, false, "\003www\006elanex\003biz", true, 0 }, 1012 {16, false, "\003www\006elanex\003biz", true, 0 },
1025 {12, true, "\006jottit\003com", true, 0 }, 1013 {12, true, "\006jottit\003com", true, 0 },
1026 {19, true, "\015sunshinepress\003org", true, 0 }, 1014 {19, true, "\015sunshinepress\003org", true, 0 },
1027 {21, false, "\003www\013noisebridge\003net", true, 0 }, 1015 {21, false, "\003www\013noisebridge\003net", true, 0 },
1028 {10, false, "\004neg9\003org", true, 0 }, 1016 {10, false, "\004neg9\003org", true, 0 },
1029 {12, true, "\006riseup\003net", true, 0 }, 1017 {12, true, "\006riseup\003net", true, 0 },
1030 {11, false, "\006factor\002cc", true, 0 }, 1018 {11, false, "\006factor\002cc", true, 0 },
1031 {22, false, "\007members\010mayfirst\003org", true, 0 }, 1019 {22, false, "\007members\010mayfirst\003org", true, 0 },
1032 {22, false, "\007support\010mayfirst\003org", true, 0 }, 1020 {22, false, "\007support\010mayfirst\003org", true, 0 },
1033 {17, false, "\002id\010mayfirst\003org", true, 0 }, 1021 {17, false, "\002id\010mayfirst\003org", true, 0 },
1034 {20, false, "\005lists\010mayfirst\003org", true, 0 }, 1022 {20, false, "\005lists\010mayfirst\003org", true, 0 },
1035 {19, true, "\015splendidbacon\003com", true, 0 }, 1023 {19, true, "\015splendidbacon\003com", true, 0 },
1036 {28, false, "\016aladdinschools\007appspot\003com", true, 0 }, 1024 {28, false, "\016aladdinschools\007appspot\003com", true, 0 },
1037 {14, true, "\011ottospora\002nl", true, 0 }, 1025 {14, true, "\011ottospora\002nl", true, 0 },
1038 {25, false, "\003www\017paycheckrecords\003com", true, 0 }, 1026 {25, false, "\003www\017paycheckrecords\003com", true, 0 },
1039 {14, false, "\010lastpass\003com", true, 0 }, 1027 {14, false, "\010lastpass\003com", true, 0 },
1040 {18, false, "\003www\010lastpass\003com", true, 0 }, 1028 {18, false, "\003www\010lastpass\003com", true, 0 },
1041 {14, true, "\010keyerror\003com", true, 0 }, 1029 {14, true, "\010keyerror\003com", true, 0 },
1042 {13, false, "\010entropia\002de", true, 0 }, 1030 {13, false, "\010entropia\002de", true, 0 },
1043 {17, false, "\003www\010entropia\002de", true, 0 }, 1031 {17, false, "\003www\010entropia\002de", true, 0 },
1044 {11, true, "\005romab\003com", true, 0 }, 1032 {11, true, "\005romab\003com", true, 0 },
1045 {16, false, "\012logentries\003com", true, 0 }, 1033 {16, false, "\012logentries\003com", true, 0 },
1046 {20, false, "\003www\012logentries\003com", true, 0 }, 1034 {20, false, "\003www\012logentries\003com", true, 0 },
1047 {12, true, "\006stripe\003com", true, 0 }, 1035 {12, true, "\006stripe\003com", true, 0 },
1048 {27, true, "\025cloudsecurityalliance\003org", true, 0 }, 1036 {27, true, "\025cloudsecurityalliance\003org", true, 0 },
1049 {15, true, "\005login\004sapo\002pt", true, 0 }, 1037 {15, true, "\005login\004sapo\002pt", true, 0 },
1050 {19, true, "\015mattmccutchen\003net", true, 0 }, 1038 {19, true, "\015mattmccutchen\003net", true, 0 },
1051 {11, true, "\006betnet\002fr", true, 0 }, 1039 {11, true, "\006betnet\002fr", true, 0 },
1052 {13, true, "\010uprotect\002it", true, 0 }, 1040 {13, true, "\010uprotect\002it", true, 0 },
1053 {14, false, "\010squareup\003com", true, 0 }, 1041 {14, false, "\010squareup\003com", true, 0 },
1054 {9, true, "\004cert\002se", true, 0 }, 1042 {9, true, "\004cert\002se", true, 0 },
1055 {11, true, "\006crypto\002is", true, 0 }, 1043 {11, true, "\006crypto\002is", true, 0 },
1056 {20, true, "\005simon\007butcher\004name", true, 0 }, 1044 {20, true, "\005simon\007butcher\004name", true, 0 },
1057 {10, true, "\004linx\003net", true, 0 }, 1045 {10, true, "\004linx\003net", true, 0 },
1058 {13, false, "\007dropcam\003com", true, 0 }, 1046 {13, false, "\007dropcam\003com", true, 0 },
1059 {17, false, "\003www\007dropcam\003com", true, 0 }, 1047 {17, false, "\003www\007dropcam\003com", true, 0 },
1060 {30, true, "\010ebanking\014indovinabank\003com\002vn", true, 0 }, 1048 {30, true, "\010ebanking\014indovinabank\003com\002vn", true, 0 },
1061 {13, false, "\007epoxate\003com", true, 0 }, 1049 {13, false, "\007epoxate\003com", true, 0 },
1062 {16, false, "\012torproject\003org", true, kTorAcceptableCerts }, 1050 {16, false, "\012torproject\003org", true, kTorAcceptableCerts },
1063 {21, true, "\004blog\012torproject\003org", true, kTorAcceptableCerts }, 1051 {21, true, "\004blog\012torproject\003org", true, kTorAcceptableCerts },
1064 {22, true, "\005check\012torproject\003org", true, kTorAcceptableCerts }, 1052 {22, true, "\005check\012torproject\003org", true, kTorAcceptableCerts },
1065 {20, true, "\003www\012torproject\003org", true, kTorAcceptableCerts }, 1053 {20, true, "\003www\012torproject\003org", true, kTorAcceptableCerts },
1066 {22, true, "\003www\014moneybookers\003com", true, 0 }, 1054 {22, true, "\003www\014moneybookers\003com", true, 0 },
1067 {17, false, "\013ledgerscope\003net", true, 0 }, 1055 {17, false, "\013ledgerscope\003net", true, 0 },
1068 {21, false, "\003www\013ledgerscope\003net", true, 0 }, 1056 {21, false, "\003www\013ledgerscope\003net", true, 0 },
1069 {10, false, "\004kyps\003net", true, 0 }, 1057 {10, false, "\004kyps\003net", true, 0 },
1070 {14, false, "\003www\004kyps\003net", true, 0 }, 1058 {14, false, "\003www\004kyps\003net", true, 0 },
1071 {17, true, "\003app\007recurly\003com", true, 0 }, 1059 {17, true, "\003app\007recurly\003com", true, 0 },
1072 {17, true, "\003api\007recurly\003com", true, 0 }, 1060 {17, true, "\003api\007recurly\003com", true, 0 },
1073 {13, false, "\007greplin\003com", true, 0 }, 1061 {13, false, "\007greplin\003com", true, 0 },
1074 {17, false, "\003www\007greplin\003com", true, 0 }, 1062 {17, false, "\003www\007greplin\003com", true, 0 },
1075 {27, true, "\006luneta\016nearbuysystems\003com", true, 0 }, 1063 {27, true, "\006luneta\016nearbuysystems\003com", true, 0 },
1076 {12, true, "\006ubertt\003org", true, 0 }, 1064 {12, true, "\006ubertt\003org", true, 0 },
1077 1065
1078 {13, false, "\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts } , 1066 {13, false, "\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
1079 {17, true, "\003www\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableC erts }, 1067 {17, true, "\003www\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCer ts },
1080 {17, true, "\003api\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableC erts }, 1068 {17, true, "\003api\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCer ts },
1081 {19, true, "\005oauth\007twitter\003com", kTwitterHSTS, kTwitterComAcceptabl eCerts }, 1069 {19, true, "\005oauth\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableC erts },
1082 {20, true, "\006mobile\007twitter\003com", kTwitterHSTS, kTwitterComAcceptab leCerts }, 1070 {20, true, "\006mobile\007twitter\003com", kTwitterHSTS, kTwitterComAcceptable Certs },
1083 {17, true, "\003dev\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableC erts }, 1071 {17, true, "\003dev\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCer ts },
1084 {22, true, "\010business\007twitter\003com", kTwitterHSTS, kTwitterComAccept ableCerts }, 1072 {22, true, "\010business\007twitter\003com", kTwitterHSTS, kTwitterComAcceptab leCerts },
1085 1073
1086 #if 0 1074 #if 0
1087 // Twitter CDN pins disabled in order to track down pinning failures --agl 1075 // Twitter CDN pins disabled in order to track down pinning failures --agl
1088 {22, true, "\010platform\007twitter\003com", false, kTwitterCDNAcceptableCer ts }, 1076 {22, true, "\010platform\007twitter\003com", false, kTwitterCDNAcceptableCerts },
1089 {15, true, "\003si0\005twimg\003com", false, kTwitterCDNAcceptableCerts }, 1077 {15, true, "\003si0\005twimg\003com", false, kTwitterCDNAcceptableCerts },
1090 {23, true, "\010twimg0-a\010akamaihd\003net", false, kTwitterCDNAcceptableCe rts }, 1078 {23, true, "\010twimg0-a\010akamaihd\003net", false, kTwitterCDNAcceptableCert s },
1091 #endif 1079 #endif
1092 }; 1080 };
1093 static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS); 1081 static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS);
1094 1082
1095 static const struct HSTSPreload kPreloadedSNISTS[] = { 1083 static const struct HSTSPreload kPreloadedSNISTS[] = {
1096 // These SNI-only domains must always use HTTPS. 1084 // These SNI-only domains must always use HTTPS.
1097 {11, false, "\005gmail\003com", true, kGoogleAcceptableCerts }, 1085 {11, false, "\005gmail\003com", true, kGoogleAcceptableCerts },
1098 {16, false, "\012googlemail\003com", true, kGoogleAcceptableCerts }, 1086 {16, false, "\012googlemail\003com", true, kGoogleAcceptableCerts },
1099 {15, false, "\003www\005gmail\003com", true, kGoogleAcceptableCerts }, 1087 {15, false, "\003www\005gmail\003com", true, kGoogleAcceptableCerts },
1100 {20, false, "\003www\012googlemail\003com", true, kGoogleAcceptableCerts }, 1088 {20, false, "\003www\012googlemail\003com", true, kGoogleAcceptableCerts },
1101 // These SNI-only domains must use an acceptable certificate iff using 1089 // These SNI-only domains must use an acceptable certificate iff using
1102 // HTTPS. 1090 // HTTPS.
1103 {22, true, "\020google-analytics\003com", false, kGoogleAcceptableCerts }, 1091 {22, true, "\020google-analytics\003com", false, kGoogleAcceptableCerts },
1104 // www. requires SNI. 1092 // www. requires SNI.
1105 {18, true, "\014googlegroups\003com", false, kGoogleAcceptableCerts }, 1093 {18, true, "\014googlegroups\003com", false, kGoogleAcceptableCerts },
1106 }; 1094 };
1107 static const size_t kNumPreloadedSNISTS = ARRAYSIZE_UNSAFE(kPreloadedSNISTS); 1095 static const size_t kNumPreloadedSNISTS = ARRAYSIZE_UNSAFE(kPreloadedSNISTS);
1096
1097 // Returns true if there is an HSTSPreload entry for the host in |entries|, and
1098 // if its |required_hashes| member is identical (by address) to |certs|.
1099 static bool ScanForHostAndCerts(
1100 const std::string& canonicalized_host,
1101 const struct HSTSPreload* entries,
1102 size_t num_entries,
1103 const char* const certs[]) {
1104 bool hit = false;
1105
1106 for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
1107 for (size_t j = 0; j < num_entries; j++) {
1108 const struct HSTSPreload& entry = entries[j];
1109
1110 if (i != 0 && !entry.include_subdomains)
1111 continue;
1112
1113 if (entry.length == canonicalized_host.size() - i &&
1114 memcmp(entry.dns_name, &canonicalized_host[i], entry.length) == 0) {
1115 hit = entry.required_hashes == certs;
1116 // Return immediately upon exact match:
1117 if (i == 0)
1118 return hit;
1119 }
1120 }
1121 }
1122
1123 return hit;
1124 }
1125
1126 // static
1127 bool TransportSecurityState::IsGooglePinnedProperty(const std::string& host,
1128 bool sni_available) {
1129 std::string canonicalized_host = CanonicalizeHost(host);
1130
1131 if (ScanForHostAndCerts(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS,
1132 kGoogleAcceptableCerts)) {
1133 return true;
1134 }
1135
1136 if (sni_available) {
1137 if (ScanForHostAndCerts(canonicalized_host, kPreloadedSNISTS, kNumPreloadedS NISTS,
1138 kGoogleAcceptableCerts)) {
1139 return true;
1140 }
1141 }
1142
1143 return false;
1144 }
1145
1146
1147 // IsPreloadedSTS returns true if the canonicalized hostname should always be
1148 // considered to have STS enabled.
1149 bool TransportSecurityState::IsPreloadedSTS(
1150 const std::string& canonicalized_host,
1151 bool sni_available,
1152 DomainState* out) {
1153 DCHECK(CalledOnValidThread());
1154
1155 out->preloaded = true;
1156 out->mode = DomainState::MODE_STRICT;
1157 out->include_subdomains = false;
1108 1158
1109 for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) { 1159 for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
1110 std::string host_sub_chunk(&canonicalized_host[i], 1160 std::string host_sub_chunk(&canonicalized_host[i],
1111 canonicalized_host.size() - i); 1161 canonicalized_host.size() - i);
1112 out->domain = DNSDomainToString(host_sub_chunk); 1162 out->domain = DNSDomainToString(host_sub_chunk);
1113 std::string hashed_host(HashHost(host_sub_chunk)); 1163 std::string hashed_host(HashHost(host_sub_chunk));
1114 if (forced_hosts_.find(hashed_host) != forced_hosts_.end()) { 1164 if (forced_hosts_.find(hashed_host) != forced_hosts_.end()) {
1115 *out = forced_hosts_[hashed_host]; 1165 *out = forced_hosts_[hashed_host];
1116 out->domain = DNSDomainToString(host_sub_chunk); 1166 out->domain = DNSDomainToString(host_sub_chunk);
1117 out->preloaded = true; 1167 out->preloaded = true;
(...skipping 54 matching lines...)
1172 } 1222 }
1173 1223
1174 LOG(ERROR) << "Rejecting public key chain for domain " << domain 1224 LOG(ERROR) << "Rejecting public key chain for domain " << domain
1175 << ". Validated chain: " << HashesToBase64String(hashes) 1225 << ". Validated chain: " << HashesToBase64String(hashes)
1176 << ", expected: " << HashesToBase64String(public_key_hashes); 1226 << ", expected: " << HashesToBase64String(public_key_hashes);
1177 1227
1178 return false; 1228 return false;
1179 } 1229 }
1180 1230
1181 } // namespace 1231 } // namespace
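Review bot: In the new ScanForHostAndCerts, `hit` is overwritten by every later suffix match, so a less specific parent entry can override a more specific one. For a host below learn.doubleclick.net, the `learn` entry (which appears to have include_subdomains set and no pins) sets `hit` to false, and the `doubleclick.net` entry on the next suffix sets it back to true. IsGooglePinnedProperty would then report such a host as Google-pinned although its closest preload entry carries no pins, which matters if the result decides whether a certificate report is sent. Returning on the first matching entry, `return entry.required_hashes == certs;` in place of the assignment and the `if (i == 0)` check, lets the most specific entry decide; whether that matches IsPreloadedSTS cannot be confirmed here, because part of its body is skipped on this page. Separately, kTestAcceptableCerts has no NULL terminator, unlike the other pin arrays in this file, which is worth fixing if consumers walk `required_hashes` until a null entry.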