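--- a/net/base/transport_security_state.cc
+++ b/net/base/transport_security_state.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/transport_security_state.h"
 
 #if defined(USE_OPENSSL)
 #include <openssl/ecdsa.h>
 #include <openssl/ssl.h>
 #else // !defined(USE_OPENSSL)
@@ -961,20 +961,67 @@
 kSPKIHash_GeoTrustPrimary_G2,
 kSPKIHash_GeoTrustPrimary_G3,
 kSPKIHash_Twitter1,
 NULL,
 };
 #define kTwitterComPins { \
 kTwitterComAcceptableCerts, \
 kNoRejectedPublicKeys, \
 }
 
+// kTwitterAcceptableCerts2 are the set of public keys valid for Twitter's
+// CDNs, which includes all the keys from kTwitterAcceptableCerts1.
+static const char* const kTwitterCDNAcceptableCerts[] = {
+kSPKIHash_VeriSignClass1,
+kSPKIHash_VeriSignClass3,
+kSPKIHash_VeriSignClass3_G4,
+kSPKIHash_VeriSignClass4_G3,
+kSPKIHash_VeriSignClass3_G3,
+kSPKIHash_VeriSignClass1_G3,
+kSPKIHash_VeriSignClass2_G3,
+kSPKIHash_VeriSignClass3_G2,
+kSPKIHash_VeriSignClass2_G2,
+kSPKIHash_VeriSignClass3_G5,
+kSPKIHash_VeriSignUniversal,
+kSPKIHash_GeoTrustGlobal,
+kSPKIHash_GeoTrustGlobal2,
+kSPKIHash_GeoTrustUniversal,
+kSPKIHash_GeoTrustUniversal2,
+kSPKIHash_GeoTrustPrimary,
+kSPKIHash_GeoTrustPrimary_G2,
+kSPKIHash_GeoTrustPrimary_G3,
+kSPKIHash_Twitter1,
+
+kSPKIHash_Entrust_2048,
+kSPKIHash_Entrust_EV,
+kSPKIHash_Entrust_G2,
+kSPKIHash_Entrust_SSL,
+kSPKIHash_AAACertificateServices,
+kSPKIHash_AddTrustClass1CARoot,
+kSPKIHash_AddTrustExternalCARoot,
+kSPKIHash_AddTrustPublicCARoot,
+kSPKIHash_AddTrustQualifiedCARoot,
+kSPKIHash_COMODOCertificationAuthority,
+kSPKIHash_SecureCertificateServices,
+kSPKIHash_TrustedCertificateServices,
+kSPKIHash_UTNDATACorpSGC,
+kSPKIHash_UTNUSERFirstClientAuthenticationandEmail,
+kSPKIHash_UTNUSERFirstHardware,
+kSPKIHash_UTNUSERFirstObject,
+kSPKIHash_GTECyberTrustGlobalRoot,
+NULL,
+};
+#define kTwitterCDNPins { \
+kTwitterCDNAcceptableCerts, \
+kNoRejectedPublicKeys, \
+}
+
 // kTestAcceptableCerts doesn't actually match any public keys and is used
 // with "pinningtest.appspot.com", below, to test if pinning is active.
 static const char* const kTestAcceptableCerts[] = {
 "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=",
 NULL,
 };
 #define kTestPins { \
 kTestAcceptableCerts, \
 kNoRejectedPublicKeys, \
 }
@@ -1125,43 +1172,41 @@
 {10, false, "\004kyps\003net", true, kNoPins, DOMAIN_NOT_PINNED },
 {14, false, "\003www\004kyps\003net", true, kNoPins, DOMAIN_NOT_PINNED },
 {17, true, "\003app\007recurly\003com", true, kNoPins, DOMAIN_NOT_PINNED },
 {17, true, "\003api\007recurly\003com", true, kNoPins, DOMAIN_NOT_PINNED },
 {13, false, "\007greplin\003com", true, kNoPins, DOMAIN_NOT_PINNED },
 {17, false, "\003www\007greplin\003com", true, kNoPins, DOMAIN_NOT_PINNED },
 {27, true, "\006luneta\016nearbuysystems\003com", true, kNoPins,
 DOMAIN_NOT_PINNED },
 {12, true, "\006ubertt\003org", true, kNoPins, DOMAIN_NOT_PINNED },
 
-#if 0
 // Twitter pins disabled in order to track down pinning failures --agl
 {13, false, "\007twitter\003com", kTwitterHSTS,
 kTwitterComPins, DOMAIN_TWITTER_COM },
 {17, true, "\003www\007twitter\003com", kTwitterHSTS,
 kTwitterComPins, DOMAIN_TWITTER_COM },
 {17, true, "\003api\007twitter\003com", kTwitterHSTS,
-kTwitterComPins, DOMAIN_TWITTER_COM },
+kTwitterCDNPins, DOMAIN_TWITTER_COM },
 {19, true, "\005oauth\007twitter\003com", kTwitterHSTS,
 kTwitterComPins, DOMAIN_TWITTER_COM },
 {20, true, "\006mobile\007twitter\003com", kTwitterHSTS,
 kTwitterComPins, DOMAIN_TWITTER_COM },
 {17, true, "\003dev\007twitter\003com", kTwitterHSTS,
 kTwitterComPins, DOMAIN_TWITTER_COM },
 {22, true, "\010business\007twitter\003com", kTwitterHSTS,
 kTwitterComPins, DOMAIN_TWITTER_COM },
 {22, true, "\010platform\007twitter\003com", false,
 kTwitterCDNPins, DOMAIN_TWITTER_COM },
 {15, true, "\003si0\005twimg\003com", false, kTwitterCDNPins,
 DOMAIN_TWIMG_COM },
 {23, true, "\010twimg0-a\010akamaihd\003net", false,
 kTwitterCDNPins, DOMAIN_AKAMAIHD_NET },
-#endif
 };
 static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS);
 
 static const struct HSTSPreload kPreloadedSNISTS[] = {
 // These SNI-only domains must always use HTTPS.
 {11, false, "\005gmail\003com", true, kGooglePins,
 DOMAIN_GMAIL_COM },
 {16, false, "\012googlemail\003com", true, kGooglePins,
 DOMAIN_GOOGLEMAIL_COM },
 {15, false, "\003www\005gmail\003com", true, kGooglePins,
@@ -1353,10 +1398,10 @@
 const {
 return mode == MODE_STRICT;
 }
 
 bool TransportSecurityState::DomainState::ShouldMixedScriptingBeBlocked()
 const {
 return true;
 }
 
 } // namespace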
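Review bot: The comment kept at new line 1182, `// Twitter pins disabled in order to track down pinning failures --agl`, is now stale: this change removes the `#if 0`/`#endif` that disabled the block, so every entry below it is live again and the comment says the opposite of what the table does. Replace it with a line explaining why api.twitter.com alone among the twitter.com hosts takes the CDN set, e.g. `// api.twitter.com is served via Twitter's CDN, so it needs kTwitterCDNPins.` (the reason is taken from the issue title, so confirm it before committing to that wording). The comment introducing the new array at new lines 971-972 names `kTwitterAcceptableCerts2` and `kTwitterAcceptableCerts1`, which match neither `kTwitterCDNAcceptableCerts` nor the existing `kTwitterComAcceptableCerts`, so a reader grepping for them finds nothing; use the real identifiers. Since `kTwitterCDNAcceptableCerts` is a strict superset of the twitter.com set, moving api.twitter.com onto it enlarges the set of roots whose issued certificates satisfy the pin for that host; that trade-off is worth one sentence next to the entry so it is revisited once the pinning failures are understood.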