net/http/transport_security_state.cc - Issue 2951343002: Remove residual support for SHA-1 public key pins.

Side by Side Diff: net/http/transport_security_state.cc

Issue 2951343002: Remove residual support for SHA-1 public key pins. (Closed)

Patch Set: Created 3 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/http/transport_security_state.h"	5 #include "net/http/transport_security_state.h"

6	6

7 #include <memory>	7 #include <memory>

8 #include <utility>	8 #include <utility>

9 #include <vector>	9 #include <vector>

10	10

11 #include "base/base64.h"	11 #include "base/base64.h"

12 #include "base/build_time.h"	12 #include "base/build_time.h"

13 #include "base/json/json_writer.h"	13 #include "base/json/json_writer.h"

14 #include "base/logging.h"	14 #include "base/logging.h"

15 #include "base/memory/ptr_util.h"	15 #include "base/memory/ptr_util.h"

16 #include "base/metrics/histogram_macros.h"	16 #include "base/metrics/histogram_macros.h"

17 #include "base/metrics/sparse_histogram.h"	17 #include "base/metrics/sparse_histogram.h"

18 #include "base/sha1.h"

19 #include "base/stl_util.h"	18 #include "base/stl_util.h"

20 #include "base/strings/string_number_conversions.h"	19 #include "base/strings/string_number_conversions.h"

21 #include "base/strings/string_util.h"	20 #include "base/strings/string_util.h"

22 #include "base/strings/stringprintf.h"	21 #include "base/strings/stringprintf.h"

23 #include "base/strings/utf_string_conversions.h"	22 #include "base/strings/utf_string_conversions.h"

24 #include "base/values.h"	23 #include "base/values.h"

25 #include "build/build_config.h"	24 #include "build/build_config.h"

26 #include "crypto/sha2.h"	25 #include "crypto/sha2.h"

27 #include "net/base/host_port_pair.h"	26 #include "net/base/host_port_pair.h"

28 #include "net/cert/ct_policy_status.h"	27 #include "net/cert/ct_policy_status.h"

(...skipping 117 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
146 std::move(served_certificate_chain_list));	145 std::move(served_certificate_chain_list));

147 report.Set("validated-certificate-chain",	146 report.Set("validated-certificate-chain",

148 std::move(validated_certificate_chain_list));	147 std::move(validated_certificate_chain_list));

149	148

150 std::unique_ptr<base::ListValue> known_pin_list(new base::ListValue());	149 std::unique_ptr<base::ListValue> known_pin_list(new base::ListValue());

151 for (const auto& hash_value : pkp_state.spki_hashes) {	150 for (const auto& hash_value : pkp_state.spki_hashes) {

152 std::string known_pin;	151 std::string known_pin;

153	152

154 switch (hash_value.tag) {	153 switch (hash_value.tag) {

155 case HASH_VALUE_SHA1:	154 case HASH_VALUE_SHA1:

156 known_pin += "pin-sha1=";	155 continue;
	davidben 2017/06/22 21:33:47 This is just removing a bit in the reporting side This is just removing a bit in the reporting side of things, right? It looks like we'd still enforce any SHA-1 pins we have lying around in the user's profile directory; there's still residual code in HashValue::FromString (used by the parser) and CertVerifyProc continues to produce SHA-1 hashes. We probably want to unwind all of that (which I'm all for doing) before taking this piece out. I bet we can even take HASH_VALUE_SHA1 out altogether. I see net/cert/internal/parse_ocsp.cc uses it, but not in any useful away as far as I can tell. (I can unwind that part if you like.) davidben 2017/06/22 21:51:43 Here's taking it out of parse_ocsp.cc: https://chr Show quoted text On 2017/06/22 21:33:47, davidben wrote: > This is just removing a bit in the reporting side of things, right? It looks > like we'd still enforce any SHA-1 pins we have lying around in the user's > profile directory; there's still residual code in HashValue::FromString (used by > the parser) and CertVerifyProc continues to produce SHA-1 hashes. > > We probably want to unwind all of that (which I'm all for doing) before taking > this piece out. I bet we can even take HASH_VALUE_SHA1 out altogether. I see > net/cert/internal/parse_ocsp.cc uses it, but not in any useful away as far as I > can tell. (I can unwind that part if you like.) Here's taking it out of parse_ocsp.cc: https://chromium-review.googlesource.com/545017 palmer 2017/06/26 21:32:59 Oh, OK, great. I didn't know if you'd want me to r Show quoted text On 2017/06/22 at 21:33:47, davidben wrote: > This is just removing a bit in the reporting side of things, right? It looks like we'd still enforce any SHA-1 pins we have lying around in the user's profile directory; there's still residual code in HashValue::FromString (used by the parser) and CertVerifyProc continues to produce SHA-1 hashes. > > We probably want to unwind all of that (which I'm all for doing) before taking this piece out. I bet we can even take HASH_VALUE_SHA1 out altogether. I see net/cert/internal/parse_ocsp.cc uses it, but not in any useful away as far as I can tell. (I can unwind that part if you like.) Oh, OK, great. I didn't know if you'd want me to remove it from CertVerifyProc, too; I saw it but hesitated to touch it. I'll put up another patchset with that removed.
157 break;

158 case HASH_VALUE_SHA256:	156 case HASH_VALUE_SHA256:

159 known_pin += "pin-sha256=";	157 known_pin += "pin-sha256=";

160 break;	158 break;

161 }	159 }

162	160

163 std::string base64_value;	161 std::string base64_value;

164 base::Base64Encode(	162 base::Base64Encode(

165 base::StringPiece(reinterpret_cast<const char*>(hash_value.data()),	163 base::StringPiece(reinterpret_cast<const char*>(hash_value.data()),

166 hash_value.size()),	164 hash_value.size()),

167 &base64_value);	165 &base64_value);

(...skipping 1677 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1845 TransportSecurityState::PKPStateIterator::PKPStateIterator(	1843 TransportSecurityState::PKPStateIterator::PKPStateIterator(

1846 const TransportSecurityState& state)	1844 const TransportSecurityState& state)

1847 : iterator_(state.enabled_pkp_hosts_.begin()),	1845 : iterator_(state.enabled_pkp_hosts_.begin()),

1848 end_(state.enabled_pkp_hosts_.end()) {	1846 end_(state.enabled_pkp_hosts_.end()) {

1849 }	1847 }

1850	1848

1851 TransportSecurityState::PKPStateIterator::~PKPStateIterator() {	1849 TransportSecurityState::PKPStateIterator::~PKPStateIterator() {

1852 }	1850 }

1853	1851

1854 } // namespace net	1852 } // namespace net

OLD	NEW

« no previous file with comments | « no previous file | net/http/transport_security_state_unittest.cc » ('j') | no next file with comments »