1 // Copyright (c) 2015 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc_whitelist.h" | 5 #include "net/cert/cert_verify_proc_whitelist.h" |
6 | 6 |
7 #include <cstdlib> | 7 #include <cstdlib> |
8 | 8 |
| 9 #include "net/base/lookup_string_in_fixed_set.h" |
9 #include "net/cert/x509_certificate.h" | 10 #include "net/cert/x509_certificate.h" |
10 | 11 |
11 namespace net { | 12 namespace net { |
12 | 13 |
13 namespace { | 14 namespace { |
14 | 15 |
15 // clang-format off | 16 // clang-format off |
16 // SHA-256 hashes of the subjectPublicKeyInfos of root certificates owned | 17 // SHA-256 hashes of the subjectPublicKeyInfos of root certificates owned |
17 // or operated by WoSign, including that of StartCom. For the certificates, | 18 // or operated by WoSign, including that of StartCom. For the certificates, |
18 // see //net/data/ssl/wosign. | 19 // see //net/data/ssl/wosign. |
48 }; | 49 }; |
49 // clang-format on | 50 // clang-format on |
50 | 51 |
51 // Comparator to compare a (SHA-256) HashValue with a uint8_t array containing | 52 // Comparator to compare a (SHA-256) HashValue with a uint8_t array containing |
52 // a raw SHA-256 hash. Return value follows memcmp semantics. | 53 // a raw SHA-256 hash. Return value follows memcmp semantics. |
53 int CompareHashValueToRawHash(const void* key, const void* element) { | 54 int CompareHashValueToRawHash(const void* key, const void* element) { |
54 const HashValue* search_key = reinterpret_cast<const HashValue*>(key); | 55 const HashValue* search_key = reinterpret_cast<const HashValue*>(key); |
55 return memcmp(search_key->data(), element, search_key->size()); | 56 return memcmp(search_key->data(), element, search_key->size()); |
56 } | 57 } |
57 | 58 |
| 59 namespace wosign { |
| 60 #include "net/data/ssl/wosign/wosign_domains-inc.cc" |
| 61 } // namespace |
| 62 |
58 } // namespace | 63 } // namespace |
59 | 64 |
60 bool IsNonWhitelistedCertificate(const X509Certificate& cert, | 65 bool IsNonWhitelistedCertificate(const X509Certificate& cert, |
61 const HashValueVector& public_key_hashes) { | 66 const HashValueVector& public_key_hashes, |
62 // 2016-10-21 00:00:00 UTC | 67 base::StringPiece hostname) { |
63 const base::Time last_wosign_cert = | |
64 base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(1477008000); | |
65 | |
66 for (const auto& hash : public_key_hashes) { | 68 for (const auto& hash : public_key_hashes) { |
67 if (hash.tag != HASH_VALUE_SHA256) | 69 if (hash.tag != HASH_VALUE_SHA256) |
68 continue; | 70 continue; |
69 | 71 |
70 // Check for WoSign/StartCom certificates. | 72 // Check for WoSign/StartCom certificates. |
71 if (bsearch(&hash, kWosignKeys, arraysize(kWosignKeys), | 73 if (bsearch(&hash, kWosignKeys, arraysize(kWosignKeys), |
72 crypto::kSHA256Length, CompareHashValueToRawHash) != nullptr && | 74 crypto::kSHA256Length, CompareHashValueToRawHash) != nullptr) { |
73 (cert.valid_start().is_null() || cert.valid_start().is_max() || | 75 // 2016-10-21 00:00:00 UTC |
74 cert.valid_start() > last_wosign_cert)) { | 76 const base::Time last_wosign_cert = |
75 return true; | 77 base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(1477008000); |
| 78 |
| 79 // Don't allow new certificates. |
| 80 if (cert.valid_start().is_null() || cert.valid_start().is_max() || |
| 81 cert.valid_start() > last_wosign_cert) { |
| 82 return true; |
| 83 } |
| 84 |
| 85 // Don't allow certificates from non-whitelisted hosts. |
| 86 return !IsWhitelistedHost(wosign::kDafsa, arraysize(wosign::kDafsa), |
| 87 hostname); |
76 } | 88 } |
77 } | 89 } |
78 return false; | 90 return false; |
79 } | 91 } |
80 | 92 |
| 93 bool IsWhitelistedHost(const unsigned char* graph, |
| 94 size_t graph_length, |
| 95 base::StringPiece host) { |
| 96 if (host.empty()) |
| 97 return false; |
| 98 |
| 99 size_t end = host.length(); |
| 100 |
| 101 // Skip trailing '.', if any. |
| 102 if (host[end - 1] == '.') { |
| 103 --end; |
| 104 } |
| 105 |
| 106 // Reverse through each of the domain components, trying to see if the |
| 107 // domain is on the whitelist. For example, the string |
| 108 // "www.domain.example.com" would be processed by first searching |
| 109 // for "com", then "example.com", then "domain.example.com". The |
| 110 // loop will terminate when there are no more distinct label separators, |
| 111 // and thus the final check for "www.domain.example.com". |
| 112 size_t start = end; |
| 113 while (start != 0 && |
| 114 (start = host.rfind('.', start - 1)) != base::StringPiece::npos) { |
| 115 const char* domain_str = host.data() + start + 1; |
| 116 size_t domain_length = end - start - 1; |
| 117 if (domain_length == 0) |
| 118 return false; |
| 119 if (LookupStringInFixedSet(graph, graph_length, domain_str, |
| 120 domain_length) != kDafsaNotFound) { |
| 121 return true; |
| 122 } |
| 123 } |
| 124 |
| 125 return LookupStringInFixedSet(graph, graph_length, host.data(), end) != |
| 126 kDafsaNotFound; |
| 127 } |
| 128 |
81 } // namespace net | 129 } // namespace net |
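Review bot: The host whitelist lookup in IsWhitelistedHost compares the `hostname` bytes as-is against the DAFSA (LookupStringInFixedSet at new lines 119 and 125, with only a trailing dot stripped), so the contract for the new `hostname` parameter — presumably an already-canonicalized lowercase ASCII/punycode name — is stated nowhere in this file, and a caller passing a mixed-case or non-ASCII host would be refused even for a whitelisted domain. The suffix walk at new lines 113-123 also means a single DAFSA entry such as `example.com` whitelists every subdomain under it, which whoever maintains wosign_domains-inc.cc needs to know. Note too that the notBefore gate at new lines 80-81 trusts a date set by the very CA being distrusted; a backdated certificate passes it and is then stopped only by the host whitelist, so the whitelist is the effective control. I would put this above IsNonWhitelistedCertificate: `// |hostname| must be a canonical (lowercase, ASCII/punycode) DNS name; a trailing dot is tolerated. Any label suffix of it present in the whitelist DAFSA accepts the host, so an entry for example.com also accepts all of its subdomains.` Repeating the canonical-form requirement on the header declaration would avoid a silent fail-closed for whitelisted sites.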