Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1132)

Unified Diff: net/base/transport_security_state.cc

Issue 8302019: Recommit fraudulent certificate reporting infrastructure. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: '' Created 9 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/base/transport_security_state.h ('k') | net/base/transport_security_state_unittest.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/base/transport_security_state.cc
===================================================================
--- net/base/transport_security_state.cc (revision 105626)
+++ net/base/transport_security_state.cc (working copy)
@@ -844,126 +844,114 @@
return false;
}
-// IsPreloadedSTS returns true if the canonicalized hostname should always be
-// considered to have STS enabled.
-bool TransportSecurityState::IsPreloadedSTS(
- const std::string& canonicalized_host,
- bool sni_available,
- DomainState* out) {
- DCHECK(CalledOnValidThread());
-
- out->preloaded = true;
- out->mode = DomainState::MODE_STRICT;
- out->include_subdomains = false;
-
- // These hashes are base64 encodings of SHA1 hashes for cert public keys.
- static const char kCertPKHashVerisignClass3[] =
+// These hashes are base64 encodings of SHA1 hashes for cert public keys.
+static const char kCertPKHashVerisignClass3[] =
"sha1/4n972HfV354KP560yw4uqe/baXc=";
- static const char kCertPKHashVerisignClass3G3[] =
+static const char kCertPKHashVerisignClass3G3[] =
"sha1/IvGeLsbqzPxdI0b0wuj2xVTdXgc=";
- static const char kCertPKHashGoogle1024[] =
+static const char kCertPKHashGoogle1024[] =
"sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0=";
- static const char kCertPKHashGoogle2048[] =
+static const char kCertPKHashGoogle2048[] =
"sha1/AbkhxY0L343gKf+cki7NVWp+ozk=";
- static const char kCertPKHashEquifaxSecureCA[] =
+static const char kCertPKHashEquifaxSecureCA[] =
"sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=";
- static const char* const kGoogleAcceptableCerts[] = {
- kCertPKHashVerisignClass3,
- kCertPKHashVerisignClass3G3,
- kCertPKHashGoogle1024,
- kCertPKHashGoogle2048,
- kCertPKHashEquifaxSecureCA,
- 0,
- };
+static const char* const kGoogleAcceptableCerts[] = {
+ kCertPKHashVerisignClass3,
+ kCertPKHashVerisignClass3G3,
+ kCertPKHashGoogle1024,
+ kCertPKHashGoogle2048,
+ kCertPKHashEquifaxSecureCA,
+ NULL,
+};
- static const char kCertRapidSSL[] =
+static const char kCertRapidSSL[] =
"sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=";
- static const char kCertDigiCertEVRoot[] =
+static const char kCertDigiCertEVRoot[] =
"sha1/gzF+YoVCU9bXeDGQ7JGQVumRueM=";
- static const char kCertTor1[] =
+static const char kCertTor1[] =
"sha1/juNxSTv9UANmpC9kF5GKpmWNx3Y=";
- static const char kCertTor2[] =
+static const char kCertTor2[] =
"sha1/lia43lPolzSPVIq34Dw57uYcLD8=";
- static const char kCertTor3[] =
+static const char kCertTor3[] =
"sha1/rzEyQIKOh77j87n5bjWUNguXF8Y=";
- static const char* const kTorAcceptableCerts[] = {
- kCertRapidSSL,
- kCertDigiCertEVRoot,
- kCertTor1,
- kCertTor2,
- kCertTor3,
- 0,
- };
+static const char* const kTorAcceptableCerts[] = {
+ kCertRapidSSL,
+ kCertDigiCertEVRoot,
+ kCertTor1,
+ kCertTor2,
+ kCertTor3,
+ NULL,
+};
- static const char kCertVerisignClass1[] =
+static const char kCertVerisignClass1[] =
"sha1/I0PRSKJViZuUfUYaeX7ATP7RcLc=";
- static const char kCertVerisignClass3[] =
+static const char kCertVerisignClass3[] =
"sha1/4n972HfV354KP560yw4uqe/baXc=";
- static const char kCertVerisignClass3_G4[] =
+static const char kCertVerisignClass3_G4[] =
"sha1/7WYxNdMb1OymFMQp4xkGn5TBJlA=";
- static const char kCertVerisignClass4_G3[] =
+static const char kCertVerisignClass4_G3[] =
"sha1/PANDaGiVHPNpKri0Jtq6j+ki5b0=";
- static const char kCertVerisignClass3_G3[] =
+static const char kCertVerisignClass3_G3[] =
"sha1/IvGeLsbqzPxdI0b0wuj2xVTdXgc=";
- static const char kCertVerisignClass1_G3[] =
+static const char kCertVerisignClass1_G3[] =
"sha1/VRmyeKyygdftp6vBg5nDu2kEJLU=";
- static const char kCertVerisignClass2_G3[] =
+static const char kCertVerisignClass2_G3[] =
"sha1/Wr7Fddyu87COJxlD/H8lDD32YeM=";
- static const char kCertVerisignClass3_G2[] =
+static const char kCertVerisignClass3_G2[] =
"sha1/GiG0lStik84Ys2XsnA6TTLOB5tQ=";
- static const char kCertVerisignClass2_G2[] =
+static const char kCertVerisignClass2_G2[] =
"sha1/Eje6RRfurSkm/cHN/r7t8t7ZFFw=";
- static const char kCertVerisignClass3_G5[] =
+static const char kCertVerisignClass3_G5[] =
"sha1/sYEIGhmkwJQf+uiVKMEkyZs0rMc=";
- static const char kCertVerisignUniversal[] =
+static const char kCertVerisignUniversal[] =
"sha1/u8I+KQuzKHcdrT6iTb30I70GsD0=";
- static const char kCertTwitter1[] =
+static const char kCertTwitter1[] =
"sha1/Vv7zwhR9TtOIN/29MFI4cgHld40=";
- static const char kCertGeoTrustGlobal[] =
+static const char kCertGeoTrustGlobal[] =
"sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=";
- static const char kCertGeoTrustGlobal2[] =
+static const char kCertGeoTrustGlobal2[] =
"sha1/cTg28gIxU0crbrplRqkQFVggBQk=";
- static const char kCertGeoTrustUniversal[] =
+static const char kCertGeoTrustUniversal[] =
"sha1/h+hbY1PGI6MSjLD/u/VR/lmADiI=";
- static const char kCertGeoTrustUniversal2[] =
+static const char kCertGeoTrustUniversal2[] =
"sha1/Xk9ThoXdT57KX9wNRW99UbHcm3s=";
- static const char kCertGeoTrustPrimary[] =
+static const char kCertGeoTrustPrimary[] =
"sha1/sBmJ5+/7Sq/LFI9YRjl2IkFQ4bo=";
- static const char kCertGeoTrustPrimaryG2[] =
+static const char kCertGeoTrustPrimaryG2[] =
"sha1/vb6nG6txV/nkddlU0rcngBqCJoI=";
- static const char kCertGeoTrustPrimaryG3[] =
+static const char kCertGeoTrustPrimaryG3[] =
"sha1/nKmNAK90Dd2BgNITRaWLjy6UONY=";
- static const char* const kTwitterComAcceptableCerts[] = {
- kCertVerisignClass1,
- kCertVerisignClass3,
- kCertVerisignClass3_G4,
- kCertVerisignClass4_G3,
- kCertVerisignClass3_G3,
- kCertVerisignClass1_G3,
- kCertVerisignClass2_G3,
- kCertVerisignClass3_G2,
- kCertVerisignClass2_G2,
- kCertVerisignClass3_G5,
- kCertVerisignUniversal,
- kCertGeoTrustGlobal,
- kCertGeoTrustGlobal2,
- kCertGeoTrustUniversal,
- kCertGeoTrustUniversal2,
- kCertGeoTrustPrimary,
- kCertGeoTrustPrimaryG2,
- kCertGeoTrustPrimaryG3,
- kCertTwitter1,
- 0,
- };
+static const char* const kTwitterComAcceptableCerts[] = {
+ kCertVerisignClass1,
+ kCertVerisignClass3,
+ kCertVerisignClass3_G4,
+ kCertVerisignClass4_G3,
+ kCertVerisignClass3_G3,
+ kCertVerisignClass1_G3,
+ kCertVerisignClass2_G3,
+ kCertVerisignClass3_G2,
+ kCertVerisignClass2_G2,
+ kCertVerisignClass3_G5,
+ kCertVerisignUniversal,
+ kCertGeoTrustGlobal,
+ kCertGeoTrustGlobal2,
+ kCertGeoTrustUniversal,
+ kCertGeoTrustUniversal2,
+ kCertGeoTrustPrimary,
+ kCertGeoTrustPrimaryG2,
+ kCertGeoTrustPrimaryG3,
+ kCertTwitter1,
+ NULL,
+};
- // kTestAcceptableCerts doesn't actually match any public keys and is used
- // with "pinningtest.appspot.com", below, to test if pinning is active.
- static const char* const kTestAcceptableCerts[] = {
- "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=",
- };
+// kTestAcceptableCerts doesn't actually match any public keys and is used
+// with "pinningtest.appspot.com", below, to test if pinning is active.
+static const char* const kTestAcceptableCerts[] = {
+ "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=",
+};
#if defined(OS_CHROMEOS)
static const bool kTwitterHSTS = true;
@@ -971,142 +959,204 @@
static const bool kTwitterHSTS = false;
#endif
- // In the medium term this list is likely to just be hardcoded here. This,
- // slightly odd, form removes the need for additional relocations records.
- static const struct HSTSPreload kPreloadedSTS[] = {
- // (*.)google.com, iff using SSL must use an acceptable certificate.
- {12, true, "\006google\003com", false, kGoogleAcceptableCerts },
- {25, true, "\013pinningtest\007appspot\003com", false,
- kTestAcceptableCerts },
- // Now we force HTTPS for subtrees of google.com.
- {19, true, "\006health\006google\003com", true, kGoogleAcceptableCerts },
- {21, true, "\010checkout\006google\003com", true, kGoogleAcceptableCerts },
- {19, true, "\006chrome\006google\003com", true, kGoogleAcceptableCerts },
- {17, true, "\004docs\006google\003com", true, kGoogleAcceptableCerts },
- {18, true, "\005sites\006google\003com", true, kGoogleAcceptableCerts },
- {25, true, "\014spreadsheets\006google\003com", true,
- kGoogleAcceptableCerts },
- {22, false, "\011appengine\006google\003com", true,
- kGoogleAcceptableCerts },
- {22, true, "\011encrypted\006google\003com", true, kGoogleAcceptableCerts },
- {21, true, "\010accounts\006google\003com", true, kGoogleAcceptableCerts },
- {21, true, "\010profiles\006google\003com", true, kGoogleAcceptableCerts },
- {17, true, "\004mail\006google\003com", true, kGoogleAcceptableCerts },
- {23, true, "\012talkgadget\006google\003com", true,
- kGoogleAcceptableCerts },
- {17, true, "\004talk\006google\003com", true, kGoogleAcceptableCerts },
- {29, true, "\020hostedtalkgadget\006google\003com", true,
- kGoogleAcceptableCerts },
- {17, true, "\004plus\006google\003com", true, kGoogleAcceptableCerts },
- // Other Google-related domains that must use HTTPS.
- {20, true, "\006market\007android\003com", true, kGoogleAcceptableCerts },
- {26, true, "\003ssl\020google-analytics\003com", true,
- kGoogleAcceptableCerts },
- {18, true, "\005drive\006google\003com", true, kGoogleAcceptableCerts },
- {16, true, "\012googleplex\003com", true, kGoogleAcceptableCerts },
- // Other Google-related domains that must use an acceptable certificate
- // iff using SSL.
- {11, true, "\005ytimg\003com", false, kGoogleAcceptableCerts },
- {23, true, "\021googleusercontent\003com", false, kGoogleAcceptableCerts },
- {13, true, "\007youtube\003com", false, kGoogleAcceptableCerts },
- {16, true, "\012googleapis\003com", false, kGoogleAcceptableCerts },
- {22, true, "\020googleadservices\003com", false, kGoogleAcceptableCerts },
- {16, true, "\012googlecode\003com", false, kGoogleAcceptableCerts },
- {13, true, "\007appspot\003com", false, kGoogleAcceptableCerts },
- {23, true, "\021googlesyndication\003com", false, kGoogleAcceptableCerts },
- {17, true, "\013doubleclick\003net", false, kGoogleAcceptableCerts },
- {17, true, "\003ssl\007gstatic\003com", false, kGoogleAcceptableCerts },
- // Exclude the learn.doubleclick.net subdomain because it uses a different
- // CA.
- {23, true, "\005learn\013doubleclick\003net", false, 0 },
- // Now we force HTTPS for other sites that have requested it.
- {16, false, "\003www\006paypal\003com", true, 0 },
- {16, false, "\003www\006elanex\003biz", true, 0 },
- {12, true, "\006jottit\003com", true, 0 },
- {19, true, "\015sunshinepress\003org", true, 0 },
- {21, false, "\003www\013noisebridge\003net", true, 0 },
- {10, false, "\004neg9\003org", true, 0 },
- {12, true, "\006riseup\003net", true, 0 },
- {11, false, "\006factor\002cc", true, 0 },
- {22, false, "\007members\010mayfirst\003org", true, 0 },
- {22, false, "\007support\010mayfirst\003org", true, 0 },
- {17, false, "\002id\010mayfirst\003org", true, 0 },
- {20, false, "\005lists\010mayfirst\003org", true, 0 },
- {19, true, "\015splendidbacon\003com", true, 0 },
- {28, false, "\016aladdinschools\007appspot\003com", true, 0 },
- {14, true, "\011ottospora\002nl", true, 0 },
- {25, false, "\003www\017paycheckrecords\003com", true, 0 },
- {14, false, "\010lastpass\003com", true, 0 },
- {18, false, "\003www\010lastpass\003com", true, 0 },
- {14, true, "\010keyerror\003com", true, 0 },
- {13, false, "\010entropia\002de", true, 0 },
- {17, false, "\003www\010entropia\002de", true, 0 },
- {11, true, "\005romab\003com", true, 0 },
- {16, false, "\012logentries\003com", true, 0 },
- {20, false, "\003www\012logentries\003com", true, 0 },
- {12, true, "\006stripe\003com", true, 0 },
- {27, true, "\025cloudsecurityalliance\003org", true, 0 },
- {15, true, "\005login\004sapo\002pt", true, 0 },
- {19, true, "\015mattmccutchen\003net", true, 0 },
- {11, true, "\006betnet\002fr", true, 0 },
- {13, true, "\010uprotect\002it", true, 0 },
- {14, false, "\010squareup\003com", true, 0 },
- {9, true, "\004cert\002se", true, 0 },
- {11, true, "\006crypto\002is", true, 0 },
- {20, true, "\005simon\007butcher\004name", true, 0 },
- {10, true, "\004linx\003net", true, 0 },
- {13, false, "\007dropcam\003com", true, 0 },
- {17, false, "\003www\007dropcam\003com", true, 0 },
- {30, true, "\010ebanking\014indovinabank\003com\002vn", true, 0 },
- {13, false, "\007epoxate\003com", true, 0 },
- {16, false, "\012torproject\003org", true, kTorAcceptableCerts },
- {21, true, "\004blog\012torproject\003org", true, kTorAcceptableCerts },
- {22, true, "\005check\012torproject\003org", true, kTorAcceptableCerts },
- {20, true, "\003www\012torproject\003org", true, kTorAcceptableCerts },
- {22, true, "\003www\014moneybookers\003com", true, 0 },
- {17, false, "\013ledgerscope\003net", true, 0 },
- {21, false, "\003www\013ledgerscope\003net", true, 0 },
- {10, false, "\004kyps\003net", true, 0 },
- {14, false, "\003www\004kyps\003net", true, 0 },
- {17, true, "\003app\007recurly\003com", true, 0 },
- {17, true, "\003api\007recurly\003com", true, 0 },
- {13, false, "\007greplin\003com", true, 0 },
- {17, false, "\003www\007greplin\003com", true, 0 },
- {27, true, "\006luneta\016nearbuysystems\003com", true, 0 },
- {12, true, "\006ubertt\003org", true, 0 },
+// In the medium term this list is likely to just be hardcoded here. This
+// slightly odd form removes the need for additional relocations records.
+static const struct HSTSPreload kPreloadedSTS[] = {
+ // (*.)google.com, iff using SSL must use an acceptable certificate.
+ {12, true, "\006google\003com", false, kGoogleAcceptableCerts },
+ {25, true, "\013pinningtest\007appspot\003com", false,
+ kTestAcceptableCerts },
+ // Now we force HTTPS for subtrees of google.com.
+ {19, true, "\006health\006google\003com", true, kGoogleAcceptableCerts },
+ {21, true, "\010checkout\006google\003com", true, kGoogleAcceptableCerts },
+ {19, true, "\006chrome\006google\003com", true, kGoogleAcceptableCerts },
+ {17, true, "\004docs\006google\003com", true, kGoogleAcceptableCerts },
+ {18, true, "\005sites\006google\003com", true, kGoogleAcceptableCerts },
+ {25, true, "\014spreadsheets\006google\003com", true,
+ kGoogleAcceptableCerts },
+ {22, false, "\011appengine\006google\003com", true,
+ kGoogleAcceptableCerts },
+ {22, true, "\011encrypted\006google\003com", true, kGoogleAcceptableCerts },
+ {21, true, "\010accounts\006google\003com", true, kGoogleAcceptableCerts },
+ {21, true, "\010profiles\006google\003com", true, kGoogleAcceptableCerts },
+ {17, true, "\004mail\006google\003com", true, kGoogleAcceptableCerts },
+ {23, true, "\012talkgadget\006google\003com", true,
+ kGoogleAcceptableCerts },
+ {17, true, "\004talk\006google\003com", true, kGoogleAcceptableCerts },
+ {29, true, "\020hostedtalkgadget\006google\003com", true,
+ kGoogleAcceptableCerts },
+ {17, true, "\004plus\006google\003com", true, kGoogleAcceptableCerts },
+ // Other Google-related domains that must use HTTPS.
+ {20, true, "\006market\007android\003com", true, kGoogleAcceptableCerts },
+ {26, true, "\003ssl\020google-analytics\003com", true,
+ kGoogleAcceptableCerts },
+ {18, true, "\005drive\006google\003com", true, kGoogleAcceptableCerts },
+ {16, true, "\012googleplex\003com", true, kGoogleAcceptableCerts },
+ // Other Google-related domains that must use an acceptable certificate
+ // iff using SSL.
+ {11, true, "\005ytimg\003com", false, kGoogleAcceptableCerts },
+ {23, true, "\021googleusercontent\003com", false, kGoogleAcceptableCerts },
+ {13, true, "\007youtube\003com", false, kGoogleAcceptableCerts },
+ {16, true, "\012googleapis\003com", false, kGoogleAcceptableCerts },
+ {22, true, "\020googleadservices\003com", false, kGoogleAcceptableCerts },
+ {16, true, "\012googlecode\003com", false, kGoogleAcceptableCerts },
+ {13, true, "\007appspot\003com", false, kGoogleAcceptableCerts },
+ {23, true, "\021googlesyndication\003com", false, kGoogleAcceptableCerts },
+ {17, true, "\013doubleclick\003net", false, kGoogleAcceptableCerts },
+ {17, true, "\003ssl\007gstatic\003com", false, kGoogleAcceptableCerts },
+ // Exclude the learn.doubleclick.net subdomain because it uses a different
+ // CA.
+ {23, true, "\005learn\013doubleclick\003net", false, 0 },
+ // Now we force HTTPS for other sites that have requested it.
+ {16, false, "\003www\006paypal\003com", true, 0 },
+ {16, false, "\003www\006elanex\003biz", true, 0 },
+ {12, true, "\006jottit\003com", true, 0 },
+ {19, true, "\015sunshinepress\003org", true, 0 },
+ {21, false, "\003www\013noisebridge\003net", true, 0 },
+ {10, false, "\004neg9\003org", true, 0 },
+ {12, true, "\006riseup\003net", true, 0 },
+ {11, false, "\006factor\002cc", true, 0 },
+ {22, false, "\007members\010mayfirst\003org", true, 0 },
+ {22, false, "\007support\010mayfirst\003org", true, 0 },
+ {17, false, "\002id\010mayfirst\003org", true, 0 },
+ {20, false, "\005lists\010mayfirst\003org", true, 0 },
+ {19, true, "\015splendidbacon\003com", true, 0 },
+ {28, false, "\016aladdinschools\007appspot\003com", true, 0 },
+ {14, true, "\011ottospora\002nl", true, 0 },
+ {25, false, "\003www\017paycheckrecords\003com", true, 0 },
+ {14, false, "\010lastpass\003com", true, 0 },
+ {18, false, "\003www\010lastpass\003com", true, 0 },
+ {14, true, "\010keyerror\003com", true, 0 },
+ {13, false, "\010entropia\002de", true, 0 },
+ {17, false, "\003www\010entropia\002de", true, 0 },
+ {11, true, "\005romab\003com", true, 0 },
+ {16, false, "\012logentries\003com", true, 0 },
+ {20, false, "\003www\012logentries\003com", true, 0 },
+ {12, true, "\006stripe\003com", true, 0 },
+ {27, true, "\025cloudsecurityalliance\003org", true, 0 },
+ {15, true, "\005login\004sapo\002pt", true, 0 },
+ {19, true, "\015mattmccutchen\003net", true, 0 },
+ {11, true, "\006betnet\002fr", true, 0 },
+ {13, true, "\010uprotect\002it", true, 0 },
+ {14, false, "\010squareup\003com", true, 0 },
+ {9, true, "\004cert\002se", true, 0 },
+ {11, true, "\006crypto\002is", true, 0 },
+ {20, true, "\005simon\007butcher\004name", true, 0 },
+ {10, true, "\004linx\003net", true, 0 },
+ {13, false, "\007dropcam\003com", true, 0 },
+ {17, false, "\003www\007dropcam\003com", true, 0 },
+ {30, true, "\010ebanking\014indovinabank\003com\002vn", true, 0 },
+ {13, false, "\007epoxate\003com", true, 0 },
+ {16, false, "\012torproject\003org", true, kTorAcceptableCerts },
+ {21, true, "\004blog\012torproject\003org", true, kTorAcceptableCerts },
+ {22, true, "\005check\012torproject\003org", true, kTorAcceptableCerts },
+ {20, true, "\003www\012torproject\003org", true, kTorAcceptableCerts },
+ {22, true, "\003www\014moneybookers\003com", true, 0 },
+ {17, false, "\013ledgerscope\003net", true, 0 },
+ {21, false, "\003www\013ledgerscope\003net", true, 0 },
+ {10, false, "\004kyps\003net", true, 0 },
+ {14, false, "\003www\004kyps\003net", true, 0 },
+ {17, true, "\003app\007recurly\003com", true, 0 },
+ {17, true, "\003api\007recurly\003com", true, 0 },
+ {13, false, "\007greplin\003com", true, 0 },
+ {17, false, "\003www\007greplin\003com", true, 0 },
+ {27, true, "\006luneta\016nearbuysystems\003com", true, 0 },
+ {12, true, "\006ubertt\003org", true, 0 },
- {13, false, "\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
- {17, true, "\003www\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
- {17, true, "\003api\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
- {19, true, "\005oauth\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
- {20, true, "\006mobile\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
- {17, true, "\003dev\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
- {22, true, "\010business\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+ {13, false, "\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+ {17, true, "\003www\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+ {17, true, "\003api\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+ {19, true, "\005oauth\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+ {20, true, "\006mobile\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+ {17, true, "\003dev\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+ {22, true, "\010business\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
#if 0
- // Twitter CDN pins disabled in order to track down pinning failures --agl
- {22, true, "\010platform\007twitter\003com", false, kTwitterCDNAcceptableCerts },
- {15, true, "\003si0\005twimg\003com", false, kTwitterCDNAcceptableCerts },
- {23, true, "\010twimg0-a\010akamaihd\003net", false, kTwitterCDNAcceptableCerts },
+ // Twitter CDN pins disabled in order to track down pinning failures --agl
+ {22, true, "\010platform\007twitter\003com", false, kTwitterCDNAcceptableCerts },
+ {15, true, "\003si0\005twimg\003com", false, kTwitterCDNAcceptableCerts },
+ {23, true, "\010twimg0-a\010akamaihd\003net", false, kTwitterCDNAcceptableCerts },
#endif
- };
- static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS);
+};
+static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS);
- static const struct HSTSPreload kPreloadedSNISTS[] = {
- // These SNI-only domains must always use HTTPS.
- {11, false, "\005gmail\003com", true, kGoogleAcceptableCerts },
- {16, false, "\012googlemail\003com", true, kGoogleAcceptableCerts },
- {15, false, "\003www\005gmail\003com", true, kGoogleAcceptableCerts },
- {20, false, "\003www\012googlemail\003com", true, kGoogleAcceptableCerts },
- // These SNI-only domains must use an acceptable certificate iff using
- // HTTPS.
- {22, true, "\020google-analytics\003com", false, kGoogleAcceptableCerts },
- // www. requires SNI.
- {18, true, "\014googlegroups\003com", false, kGoogleAcceptableCerts },
- };
- static const size_t kNumPreloadedSNISTS = ARRAYSIZE_UNSAFE(kPreloadedSNISTS);
+static const struct HSTSPreload kPreloadedSNISTS[] = {
+ // These SNI-only domains must always use HTTPS.
+ {11, false, "\005gmail\003com", true, kGoogleAcceptableCerts },
+ {16, false, "\012googlemail\003com", true, kGoogleAcceptableCerts },
+ {15, false, "\003www\005gmail\003com", true, kGoogleAcceptableCerts },
+ {20, false, "\003www\012googlemail\003com", true, kGoogleAcceptableCerts },
+ // These SNI-only domains must use an acceptable certificate iff using
+ // HTTPS.
+ {22, true, "\020google-analytics\003com", false, kGoogleAcceptableCerts },
+ // www. requires SNI.
+ {18, true, "\014googlegroups\003com", false, kGoogleAcceptableCerts },
+};
+static const size_t kNumPreloadedSNISTS = ARRAYSIZE_UNSAFE(kPreloadedSNISTS);
+// Returns true if there is an HSTSPreload entry for the host in |entries|, and
+// if its |required_hashes| member is identical (by address) to |certs|.
+static bool ScanForHostAndCerts(
+ const std::string& canonicalized_host,
+ const struct HSTSPreload* entries,
+ size_t num_entries,
+ const char* const certs[]) {
+ bool hit = false;
+
for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
+ for (size_t j = 0; j < num_entries; j++) {
+ const struct HSTSPreload& entry = entries[j];
+
+ if (i != 0 && !entry.include_subdomains)
+ continue;
+
+ if (entry.length == canonicalized_host.size() - i &&
+ memcmp(entry.dns_name, &canonicalized_host[i], entry.length) == 0) {
+ hit = entry.required_hashes == certs;
+ // Return immediately upon exact match:
+ if (i == 0)
+ return hit;
+ }
+ }
+ }
+
+ return hit;
+}
+
+// static
+bool TransportSecurityState::IsGooglePinnedProperty(const std::string& host,
+ bool sni_available) {
+ std::string canonicalized_host = CanonicalizeHost(host);
+
+ if (ScanForHostAndCerts(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS,
+ kGoogleAcceptableCerts)) {
+ return true;
+ }
+
+ if (sni_available) {
+ if (ScanForHostAndCerts(canonicalized_host, kPreloadedSNISTS, kNumPreloadedSNISTS,
+ kGoogleAcceptableCerts)) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+
+// IsPreloadedSTS returns true if the canonicalized hostname should always be
+// considered to have STS enabled.
+bool TransportSecurityState::IsPreloadedSTS(
+ const std::string& canonicalized_host,
+ bool sni_available,
+ DomainState* out) {
+ DCHECK(CalledOnValidThread());
+
+ out->preloaded = true;
+ out->mode = DomainState::MODE_STRICT;
+ out->include_subdomains = false;
+
+ for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
std::string host_sub_chunk(&canonicalized_host[i],
canonicalized_host.size() - i);
out->domain = DNSDomainToString(host_sub_chunk);
« no previous file with comments | « net/base/transport_security_state.h ('k') | net/base/transport_security_state_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698