| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2015 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/cert/cert_verify_proc_whitelist.h" | |
| 6 | |
| 7 #include <cstdlib> | |
| 8 | |
| 9 #include "net/base/lookup_string_in_fixed_set.h" | |
| 10 #include "net/cert/x509_certificate.h" | |
| 11 | |
| 12 namespace net { | |
| 13 | |
| 14 namespace { | |
| 15 | |
| 16 // clang-format off | |
| 17 // SHA-256 hashes of the subjectPublicKeyInfos of root certificates owned | |
| 18 // or operated by WoSign, including that of StartCom. For the certificates, | |
| 19 // see //net/data/ssl/wosign. | |
| 20 const uint8_t kWosignKeys[][crypto::kSHA256Length] = { | |
| 21 { 0x15, 0x28, 0x39, 0x7d, 0xa2, 0x12, 0x89, 0x0a, | |
| 22 0x83, 0x0b, 0x0b, 0x95, 0xa5, 0x99, 0x68, 0xce, | |
| 23 0xf2, 0x34, 0x77, 0x37, 0x79, 0xdf, 0x51, 0x81, | |
| 24 0xcf, 0x10, 0xfa, 0x64, 0x75, 0x34, 0xbb, 0x65 }, | |
| 25 { 0x38, 0x1a, 0x3f, 0xc7, 0xa8, 0xb0, 0x82, 0xfa, | |
| 26 0x28, 0x61, 0x3a, 0x4d, 0x07, 0xf2, 0xc7, 0x55, | |
| 27 0x3f, 0x4e, 0x19, 0x18, 0xee, 0x07, 0xca, 0xa9, | |
| 28 0xe8, 0xb7, 0xce, 0xde, 0x5a, 0x9c, 0xa0, 0x6a }, | |
| 29 { 0x7a, 0xed, 0xdd, 0xf3, 0x6b, 0x18, 0xf8, 0xac, | |
| 30 0xb7, 0x37, 0x9f, 0xe1, 0xce, 0x18, 0x32, 0x12, | |
| 31 0xb2, 0x35, 0x0d, 0x07, 0x88, 0xab, 0xe0, 0xe8, | |
| 32 0x24, 0x57, 0xbe, 0x9b, 0xad, 0xad, 0x6d, 0x54 }, | |
| 33 { 0x9d, 0x98, 0xa1, 0xfb, 0x60, 0x53, 0x8c, 0x4c, | |
| 34 0xc4, 0x85, 0x7f, 0xf1, 0xa8, 0xc8, 0x03, 0x4f, | |
| 35 0xaf, 0x6f, 0xc5, 0x92, 0x09, 0x3f, 0x61, 0x99, | |
| 36 0x94, 0xb2, 0xc8, 0x13, 0xd2, 0x50, 0xb8, 0x64 }, | |
| 37 { 0xd6, 0xa1, 0x84, 0x43, 0xd3, 0x48, 0xdb, 0x99, | |
| 38 0x4f, 0x93, 0x4c, 0xcd, 0x8e, 0x63, 0x5d, 0x83, | |
| 39 0x3a, 0x27, 0xac, 0x1e, 0x56, 0xf8, 0xaf, 0xaf, | |
| 40 0x7c, 0x97, 0xcb, 0x4f, 0x43, 0xea, 0xb6, 0x8b }, | |
| 41 { 0xdb, 0x15, 0xc0, 0x06, 0x2b, 0x52, 0x0f, 0x31, | |
| 42 0x8a, 0x19, 0xda, 0xcf, 0xec, 0xd6, 0x4f, 0x9e, | |
| 43 0x7a, 0x3f, 0xbe, 0x60, 0x9f, 0xd5, 0x86, 0x79, | |
| 44 0x6f, 0x20, 0xae, 0x02, 0x8e, 0x8e, 0x30, 0x58 }, | |
| 45 { 0xe4, 0x2f, 0x24, 0xbd, 0x4d, 0x37, 0xf4, 0xaa, | |
| 46 0x2e, 0x56, 0xb9, 0x79, 0xd8, 0x3d, 0x1e, 0x65, | |
| 47 0x21, 0x9f, 0xe0, 0xe9, 0xe3, 0xa3, 0x82, 0xa1, | |
| 48 0xb3, 0xcb, 0x66, 0xc9, 0x39, 0x55, 0xde, 0x75 }, | |
| 49 }; | |
| 50 // clang-format on | |
| 51 | |
| 52 // Comparator to compare a (SHA-256) HashValue with a uint8_t array containing | |
| 53 // a raw SHA-256 hash. Return value follows memcmp semantics. | |
| 54 int CompareHashValueToRawHash(const void* key, const void* element) { | |
| 55 const HashValue* search_key = reinterpret_cast<const HashValue*>(key); | |
| 56 return memcmp(search_key->data(), element, search_key->size()); | |
| 57 } | |
| 58 | |
| 59 namespace wosign { | |
| 60 #include "net/data/ssl/wosign/wosign_domains-inc.cc" | |
| 61 } // namespace wosign | |
| 62 | |
| 63 } // namespace | |
| 64 | |
| 65 bool IsNonWhitelistedCertificate(const X509Certificate& cert, | |
| 66 const HashValueVector& public_key_hashes, | |
| 67 base::StringPiece hostname) { | |
| 68 for (const auto& hash : public_key_hashes) { | |
| 69 if (hash.tag != HASH_VALUE_SHA256) | |
| 70 continue; | |
| 71 | |
| 72 // Check for WoSign/StartCom certificates. | |
| 73 if (bsearch(&hash, kWosignKeys, arraysize(kWosignKeys), | |
| 74 crypto::kSHA256Length, CompareHashValueToRawHash) != nullptr) { | |
| 75 // 2016-10-21 00:00:00 UTC | |
| 76 const base::Time last_wosign_cert = | |
| 77 base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(1477008000); | |
| 78 | |
| 79 // Don't allow new certificates. | |
| 80 if (cert.valid_start().is_null() || cert.valid_start().is_max() || | |
| 81 cert.valid_start() > last_wosign_cert) { | |
| 82 return true; | |
| 83 } | |
| 84 | |
| 85 // Don't allow certificates from non-whitelisted hosts. | |
| 86 return !IsWhitelistedHost(wosign::kDafsa, arraysize(wosign::kDafsa), | |
| 87 hostname); | |
| 88 } | |
| 89 } | |
| 90 return false; | |
| 91 } | |
| 92 | |
| 93 bool IsWhitelistedHost(const unsigned char* graph, | |
| 94 size_t graph_length, | |
| 95 base::StringPiece host) { | |
| 96 if (host.empty()) | |
| 97 return false; | |
| 98 | |
| 99 size_t end = host.length(); | |
| 100 | |
| 101 // Skip trailing '.', if any. | |
| 102 if (host[end - 1] == '.') { | |
| 103 --end; | |
| 104 } | |
| 105 | |
| 106 // Reverse through each of the domain components, trying to see if the | |
| 107 // domain is on the whitelist. For example, the string | |
| 108 // "www.domain.example.com" would be processed by first searching | |
| 109 // for "com", then "example.com", then "domain.example.com". The | |
| 110 // loop will terminate when there are no more distinct label separators, | |
| 111 // and thus the final check for "www.domain.example.com". | |
| 112 size_t start = end; | |
| 113 while (start != 0 && | |
| 114 (start = host.rfind('.', start - 1)) != base::StringPiece::npos) { | |
| 115 const char* domain_str = host.data() + start + 1; | |
| 116 size_t domain_length = end - start - 1; | |
| 117 if (domain_length == 0) | |
| 118 return false; | |
| 119 if (LookupStringInFixedSet(graph, graph_length, domain_str, | |
| 120 domain_length) != kDafsaNotFound) { | |
| 121 return true; | |
| 122 } | |
| 123 } | |
| 124 | |
| 125 return LookupStringInFixedSet(graph, graph_length, host.data(), end) != | |
| 126 kDafsaNotFound; | |
| 127 } | |
| 128 | |
| 129 } // namespace net | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2927383002:
Remove the StartCom/WoSign whitelist (Closed)
