| 1 // Copyright (c) 2015 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc_whitelist.h" | 5 #include "net/cert/cert_verify_proc_whitelist.h" |
| 6 | 6 |
| 7 #include <cstdlib> | 7 #include <cstdlib> |
| 8 | 8 |
| 9 #include "base/logging.h" | |
|
svaldez
2017/01/26 20:54:48
Extra include?
| |
| 10 #include "net/base/lookup_string_in_fixed_set.h" | |
| 9 #include "net/cert/x509_certificate.h" | 11 #include "net/cert/x509_certificate.h" |
| 10 | 12 |
| 11 namespace net { | 13 namespace net { |
| 12 | 14 |
| 13 namespace { | 15 namespace { |
| 14 | 16 |
| 15 // clang-format off | 17 // clang-format off |
| 16 // SHA-256 hashes of the subjectPublicKeyInfos of root certificates owned | 18 // SHA-256 hashes of the subjectPublicKeyInfos of root certificates owned |
| 17 // or operated by WoSign, including that of StartCom. For the certificates, | 19 // or operated by WoSign, including that of StartCom. For the certificates, |
| 18 // see //net/data/ssl/wosign. | 20 // see //net/data/ssl/wosign. |
| 48 }; | 50 }; |
| 49 // clang-format on | 51 // clang-format on |
| 50 | 52 |
| 51 // Comparator to compare a (SHA-256) HashValue with a uint8_t array containing | 53 // Comparator to compare a (SHA-256) HashValue with a uint8_t array containing |
| 52 // a raw SHA-256 hash. Return value follows memcmp semantics. | 54 // a raw SHA-256 hash. Return value follows memcmp semantics. |
| 53 int CompareHashValueToRawHash(const void* key, const void* element) { | 55 int CompareHashValueToRawHash(const void* key, const void* element) { |
| 54 const HashValue* search_key = reinterpret_cast<const HashValue*>(key); | 56 const HashValue* search_key = reinterpret_cast<const HashValue*>(key); |
| 55 return memcmp(search_key->data(), element, search_key->size()); | 57 return memcmp(search_key->data(), element, search_key->size()); |
| 56 } | 58 } |
| 57 | 59 |
| 60 namespace wosign { | |
| 61 #include "net/data/ssl/wosign/wosign_domains-inc.cc" | |
| 62 } // namespace | |
| 63 | |
| 58 } // namespace | 64 } // namespace |
| 59 | 65 |
| 60 bool IsNonWhitelistedCertificate(const X509Certificate& cert, | 66 bool IsNonWhitelistedCertificate(const X509Certificate& cert, |
| 61 const HashValueVector& public_key_hashes) { | 67 const HashValueVector& public_key_hashes, |
| 62 // 2016-10-21 00:00:00 UTC | 68 base::StringPiece hostname) { |
| 63 const base::Time last_wosign_cert = | |
| 64 base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(1477008000); | |
| 65 | |
| 66 for (const auto& hash : public_key_hashes) { | 69 for (const auto& hash : public_key_hashes) { |
| 67 if (hash.tag != HASH_VALUE_SHA256) | 70 if (hash.tag != HASH_VALUE_SHA256) |
| 68 continue; | 71 continue; |
| 69 | 72 |
| 70 // Check for WoSign/StartCom certificates. | 73 // Check for WoSign/StartCom certificates. |
| 71 if (bsearch(&hash, kWosignKeys, arraysize(kWosignKeys), | 74 if (bsearch(&hash, kWosignKeys, arraysize(kWosignKeys), |
| 72 crypto::kSHA256Length, CompareHashValueToRawHash) != nullptr && | 75 crypto::kSHA256Length, CompareHashValueToRawHash) != nullptr) { |
| 73 (cert.valid_start().is_null() || cert.valid_start().is_max() || | 76 // 2016-10-21 00:00:00 UTC |
| 74 cert.valid_start() > last_wosign_cert)) { | 77 const base::Time last_wosign_cert = |
| 75 return true; | 78 base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(1477008000); |
| 79 | |
| 80 // Don't allow new certificates. | |
| 81 if (cert.valid_start().is_null() || cert.valid_start().is_max() || | |
| 82 cert.valid_start() > last_wosign_cert) { | |
| 83 return true; | |
| 84 } | |
| 85 | |
| 86 // Don't allow certificates from non-whitelisted hosts. | |
| 87 return !IsWhitelistedHost(wosign::kDafsa, arraysize(wosign::kDafsa), | |
| 88 hostname); | |
| 76 } | 89 } |
| 77 } | 90 } |
| 78 return false; | 91 return false; |
| 79 } | 92 } |
| 80 | 93 |
| 94 bool IsWhitelistedHost(const unsigned char* graph, | |
| 95 size_t graph_length, | |
| 96 base::StringPiece host) { | |
| 97 if (host.empty()) | |
| 98 return false; | |
| 99 | |
| 100 size_t end = host.length(); | |
| 101 | |
| 102 // Skip trailing '.', if any. | |
| 103 if (host[end - 1] == '.') { | |
| 104 --end; | |
| 105 } | |
| 106 | |
| 107 // Reverse through each of the domain components, trying to see if the | |
| 108 // domain is on the whitelist. For example, the string | |
| 109 // "www.domain.example.com" would be processed by first searching | |
| 110 // for "com", then "example.com", then "domain.example.com". The | |
| 111 // loop will terminate when there are no more distinct label separators, | |
| 112 // and thus the final check for "www.domain.example.com". | |
| 113 size_t start = end; | |
| 114 while (start != 0 && | |
| 115 (start = host.rfind('.', start - 1)) != base::StringPiece::npos) { | |
| 116 const char* domain_str = host.data() + start + 1; | |
| 117 size_t domain_length = end - start - 1; | |
| 118 if (domain_length == 0) | |
| 119 return false; | |
| 120 if (LookupStringInFixedSet(graph, graph_length, domain_str, | |
| 121 domain_length) != kDafsaNotFound) { | |
| 122 return true; | |
| 123 } | |
| 124 } | |
| 125 | |
| 126 return LookupStringInFixedSet(graph, graph_length, host.data(), end) != | |
| 127 kDafsaNotFound; | |
| 128 } | |
| 129 | |
| 81 } // namespace net | 130 } // namespace net |
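Review bot: IsWhitelistedHost (new lines 94–128) compares `host` against the DAFSA byte-for-byte via LookupStringInFixedSet, so the result depends on the caller already passing a normalized hostname (lowercase ASCII/punycode, which is presumably how the generated wosign_domains set is encoded); a mixed-case or otherwise non-normalized name would miss the lookup and make IsNonWhitelistedCertificate reject the certificate — fail closed, but the contract should say so. The function is public in `net` and has no header comment; I'd add above line 94: `// Returns true if |host|, or any parent domain of |host| (e.g. "example.com" for "www.example.com"), is in the DAFSA |graph|. |host| must be a normalized (lowercase, ASCII) DNS name; a single trailing '.' is ignored.` The suffix walk also accepts a name with a leading '.' (".example.com" is matched through its "example.com" suffix, since the zero-length-label check on line 118 only fires for an empty label between dots) — harmless if callers validate hostnames first, otherwise consider rejecting `host[0] == '.'` next to the `host.empty()` guard.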