1 // Copyright (c) 2015 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc_whitelist.h" | 5 #include "net/cert/cert_verify_proc_whitelist.h" |
6 | 6 |
7 #include <cstdlib> | 7 #include <cstdlib> |
8 | 8 |
9 #include "base/logging.h" | |
svaldez
2017/01/26 20:54:48
Extra include?
| |
10 #include "net/base/lookup_string_in_fixed_set.h" | |
9 #include "net/cert/x509_certificate.h" | 11 #include "net/cert/x509_certificate.h" |
10 | 12 |
11 namespace net { | 13 namespace net { |
12 | 14 |
13 namespace { | 15 namespace { |
14 | 16 |
15 // clang-format off | 17 // clang-format off |
16 // SHA-256 hashes of the subjectPublicKeyInfos of root certificates owned | 18 // SHA-256 hashes of the subjectPublicKeyInfos of root certificates owned |
17 // or operated by WoSign, including that of StartCom. For the certificates, | 19 // or operated by WoSign, including that of StartCom. For the certificates, |
18 // see //net/data/ssl/wosign. | 20 // see //net/data/ssl/wosign. |
48 }; | 50 }; |
49 // clang-format on | 51 // clang-format on |
50 | 52 |
51 // Comparator to compare a (SHA-256) HashValue with a uint8_t array containing | 53 // Comparator to compare a (SHA-256) HashValue with a uint8_t array containing |
52 // a raw SHA-256 hash. Return value follows memcmp semantics. | 54 // a raw SHA-256 hash. Return value follows memcmp semantics. |
53 int CompareHashValueToRawHash(const void* key, const void* element) { | 55 int CompareHashValueToRawHash(const void* key, const void* element) { |
54 const HashValue* search_key = reinterpret_cast<const HashValue*>(key); | 56 const HashValue* search_key = reinterpret_cast<const HashValue*>(key); |
55 return memcmp(search_key->data(), element, search_key->size()); | 57 return memcmp(search_key->data(), element, search_key->size()); |
56 } | 58 } |
57 | 59 |
60 namespace wosign { | |
61 #include "net/data/ssl/wosign/wosign_domains-inc.cc" | |
62 } // namespace | |
63 | |
58 } // namespace | 64 } // namespace |
59 | 65 |
60 bool IsNonWhitelistedCertificate(const X509Certificate& cert, | 66 bool IsNonWhitelistedCertificate(const X509Certificate& cert, |
61 const HashValueVector& public_key_hashes) { | 67 const HashValueVector& public_key_hashes, |
62 // 2016-10-21 00:00:00 UTC | 68 base::StringPiece hostname) { |
63 const base::Time last_wosign_cert = | |
64 base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(1477008000); | |
65 | |
66 for (const auto& hash : public_key_hashes) { | 69 for (const auto& hash : public_key_hashes) { |
67 if (hash.tag != HASH_VALUE_SHA256) | 70 if (hash.tag != HASH_VALUE_SHA256) |
68 continue; | 71 continue; |
69 | 72 |
70 // Check for WoSign/StartCom certificates. | 73 // Check for WoSign/StartCom certificates. |
71 if (bsearch(&hash, kWosignKeys, arraysize(kWosignKeys), | 74 if (bsearch(&hash, kWosignKeys, arraysize(kWosignKeys), |
72 crypto::kSHA256Length, CompareHashValueToRawHash) != nullptr && | 75 crypto::kSHA256Length, CompareHashValueToRawHash) != nullptr) { |
73 (cert.valid_start().is_null() || cert.valid_start().is_max() || | 76 // 2016-10-21 00:00:00 UTC |
74 cert.valid_start() > last_wosign_cert)) { | 77 const base::Time last_wosign_cert = |
75 return true; | 78 base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(1477008000); |
79 | |
80 // Don't allow new certificates. | |
81 if (cert.valid_start().is_null() || cert.valid_start().is_max() || | |
82 cert.valid_start() > last_wosign_cert) { | |
83 return true; | |
84 } | |
85 | |
86 // Don't allow certificates from non-whitelisted hosts. | |
87 return !IsWhitelistedHost(wosign::kDafsa, arraysize(wosign::kDafsa), | |
88 hostname); | |
76 } | 89 } |
77 } | 90 } |
78 return false; | 91 return false; |
79 } | 92 } |
80 | 93 |
94 bool IsWhitelistedHost(const unsigned char* graph, | |
95 size_t graph_length, | |
96 base::StringPiece host) { | |
97 if (host.empty()) | |
98 return false; | |
99 | |
100 size_t end = host.length(); | |
101 | |
102 // Skip trailing '.', if any. | |
103 if (host[end - 1] == '.') { | |
104 --end; | |
105 } | |
106 | |
107 // Reverse through each of the domain components, trying to see if the | |
108 // domain is on the whitelist. For example, the string | |
109 // "www.domain.example.com" would be processed by first searching | |
110 // for "com", then "example.com", then "domain.example.com". The | |
111 // loop will terminate when there are no more distinct label separators, | |
112 // and thus the final check for "www.domain.example.com". | |
113 size_t start = end; | |
114 while (start != 0 && | |
115 (start = host.rfind('.', start - 1)) != base::StringPiece::npos) { | |
116 const char* domain_str = host.data() + start + 1; | |
117 size_t domain_length = end - start - 1; | |
118 if (domain_length == 0) | |
119 return false; | |
120 if (LookupStringInFixedSet(graph, graph_length, domain_str, | |
121 domain_length) != kDafsaNotFound) { | |
122 return true; | |
123 } | |
124 } | |
125 | |
126 return LookupStringInFixedSet(graph, graph_length, host.data(), end) != | |
127 kDafsaNotFound; | |
128 } | |
129 | |
81 } // namespace net | 130 } // namespace net |
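Review bot: `IsWhitelistedHost` (new lines 94-128) compares `host` against the DAFSA byte-for-byte and, as far as I can tell, `LookupStringInFixedSet` does no case folding, so a mixed-case hostname reaching `IsNonWhitelistedCertificate` would be reported as non-whitelisted; that fails closed rather than open, but the precondition is not written down, so add above the definition `// |host| must already be lowercase and canonicalized; matching is exact and` / `// a whitelisted name also covers every subdomain of it.` or lowercase it here if callers cannot guarantee that. The subdomain rule follows from the suffix walk at new lines 113-124 ("com", then "example.com", ...) and is the kind of thing that should be stated where the function is declared. `IsWhitelistedHost` is called at new line 87 before its definition at line 94, so it presumably has a declaration in cert_verify_proc_whitelist.h, which is outside this view. On new line 62 the closing brace of `namespace wosign` carries the comment `} // namespace`; make it `}  // namespace wosign` so it is not mistaken for the enclosing anonymous namespace.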