Chromium Code Reviews Chromium Code Reviews
Issue 2951343002:
Remove residual support for SHA-1 public key pins. (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
| 6 | 6 |
| 7 #include <stdint.h> | 7 #include <stdint.h> |
| 8 | 8 |
| 9 #include <algorithm> | 9 #include <algorithm> |
| 10 | 10 |
| (...skipping 729 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 740 break; | 740 break; |
| 741 } | 741 } |
| 742 | 742 |
| 743 if (!ok) | 743 if (!ok) |
| 744 return false; | 744 return false; |
| 745 } | 745 } |
| 746 | 746 |
| 747 return true; | 747 return true; |
| 748 } | 748 } |
| 749 | 749 |
| 750 // PublicKeyDomainLimitation contains a SHA1, SPKI hash and a pointer to an | 750 // PublicKeyDomainLimitation contains SHA-256(SPKI) and a pointer to an array of |
| 751 // array of fixed-length strings that contain the domains that the SPKI is | 751 // fixed-length strings that contain the domains that the SPKI is allowed to |
| 752 // allowed to issue for. | 752 // issue for. |
| 753 struct PublicKeyDomainLimitation { | 753 struct PublicKeyDomainLimitation { |
| 754 uint8_t public_key[base::kSHA1Length]; | 754 uint8_t public_key[crypto::kSHA256Length]; |
| 755 const char (*domains)[kMaxDomainLength]; | 755 const char (*domains)[kMaxDomainLength]; |
| 756 }; | 756 }; |
| 757 | 757 |
| 758 // static | 758 // static |
| 759 bool CertVerifyProc::HasNameConstraintsViolation( | 759 bool CertVerifyProc::HasNameConstraintsViolation( |
| 760 const HashValueVector& public_key_hashes, | 760 const HashValueVector& public_key_hashes, |
| 761 const std::string& common_name, | 761 const std::string& common_name, |
| 762 const std::vector<std::string>& dns_names, | 762 const std::vector<std::string>& dns_names, |
| 763 const std::vector<std::string>& ip_addrs) { | 763 const std::vector<std::string>& ip_addrs) { |
| 764 static const char kDomainsANSSI[][kMaxDomainLength] = { | 764 static const char kDomainsANSSI[][kMaxDomainLength] = { |
| (...skipping 25 matching lines...) Expand all Loading... | |
| 790 }; | 790 }; |
| 791 | 791 |
| 792 static const char kDomainsTest[][kMaxDomainLength] = { | 792 static const char kDomainsTest[][kMaxDomainLength] = { |
| 793 "example.com", | 793 "example.com", |
| 794 "", | 794 "", |
| 795 }; | 795 }; |
| 796 | 796 |
| 797 static const PublicKeyDomainLimitation kLimits[] = { | 797 static const PublicKeyDomainLimitation kLimits[] = { |
| 798 // C=FR, ST=France, L=Paris, O=PM/SGDN, OU=DCSSI, | 798 // C=FR, ST=France, L=Paris, O=PM/SGDN, OU=DCSSI, |
| 799 // CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr | 799 // CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr |
| 800 // | |
| 801 // net/data/ssl/blacklist/b9bea7860a962ea3611dab97ab6da3e21c1068b97d55575e d0e11279c11c8932.pem | |
| 800 { | 802 { |
| 801 {0x79, 0x23, 0xd5, 0x8d, 0x0f, 0xe0, 0x3c, 0xe6, 0xab, 0xad, | 803 {0x86, 0xc1, 0x3a, 0x34, 0x08, 0xdd, 0x1a, 0xa7, 0x7e, 0xe8, 0xb6, |
| 802 0xae, 0x27, 0x1a, 0x6d, 0x94, 0xf4, 0x14, 0xd1, 0xa8, 0x73}, | 804 0x94, 0x7c, 0x03, 0x95, 0x87, 0x72, 0xf5, 0x31, 0x24, 0x8c, 0x16, |
|
davidben
2017/06/26 20:15:55
(confirmed the file matches)
| |
| 805 0x27, 0xbe, 0xfb, 0x2c, 0x4f, 0x4b, 0x04, 0xd0, 0x44, 0x96}, | |
|
davidben
2017/06/26 20:15:55
(confirmed)
| |
| 803 kDomainsANSSI, | 806 kDomainsANSSI, |
| 804 }, | 807 }, |
| 805 // C=IN, O=India PKI, CN=CCA India 2007 | 808 // C=IN, O=India PKI, CN=CCA India 2007 |
| 806 // Expires: July 4th 2015. | 809 // Expires: July 4th 2015. |
| 810 // | |
| 811 // net/data/ssl/blacklist/f375e2f77a108bacc4234894a9af308edeca1acd8fbde0e7 aaa9634e9daf7e1c.pem | |
| 807 { | 812 { |
| 808 {0xfe, 0xe3, 0x95, 0x21, 0x2d, 0x5f, 0xea, 0xfc, 0x7e, 0xdc, | 813 {0x7e, 0x6a, 0xcd, 0x85, 0x3c, 0xac, 0xc6, 0x93, 0x2e, 0x9b, 0x51, |
| 809 0xcf, 0x88, 0x3f, 0x1e, 0xc0, 0x58, 0x27, 0xd8, 0xb8, 0xe4}, | 814 0x9f, 0xda, 0xd1, 0xbe, 0xb5, 0x15, 0xed, 0x2a, 0x2d, 0x00, 0x25, |
|
davidben
2017/06/26 20:15:55
(confirmed the file matches)
| |
| 815 0xcf, 0xd3, 0x98, 0xc3, 0xac, 0x1f, 0x0d, 0xbb, 0x75, 0x4b}, | |
|
davidben
2017/06/26 20:15:55
(confirmed)
| |
| 810 kDomainsIndiaCCA, | 816 kDomainsIndiaCCA, |
| 811 }, | 817 }, |
| 812 // C=IN, O=India PKI, CN=CCA India 2011 | 818 // C=IN, O=India PKI, CN=CCA India 2011 |
| 813 // Expires: March 11 2016. | 819 // Expires: March 11 2016. |
| 820 // | |
| 821 // net/data/ssl/blacklist/2d66a702ae81ba03af8cff55ab318afa919039d9f31b4d64 388680f81311b65a.pem | |
| 814 { | 822 { |
| 815 {0xf1, 0x42, 0xf6, 0xa2, 0x7d, 0x29, 0x3e, 0xa8, 0xf9, 0x64, | 823 {0x42, 0xa7, 0x09, 0x84, 0xff, 0xd3, 0x99, 0xc4, 0xea, 0xf0, 0xe7, |
| 816 0x52, 0x56, 0xed, 0x07, 0xa8, 0x63, 0xf2, 0xdb, 0x1c, 0xdf}, | 824 0x02, 0xa4, 0x4b, 0xef, 0x2a, 0xd8, 0xa7, 0x9b, 0x8b, 0xf4, 0x64, |
|
davidben
2017/06/26 20:15:56
(confirmed the file matches)
| |
| 825 0x8f, 0x6b, 0xb2, 0x10, 0xe1, 0x23, 0xfd, 0x07, 0x57, 0x93}, | |
|
davidben
2017/06/26 20:15:55
(confirmed)
| |
| 817 kDomainsIndiaCCA, | 826 kDomainsIndiaCCA, |
| 818 }, | 827 }, |
| 819 // C=IN, O=India PKI, CN=CCA India 2014 | 828 // C=IN, O=India PKI, CN=CCA India 2014 |
| 820 // Expires: March 5 2024. | 829 // Expires: March 5 2024. |
| 830 // | |
| 831 // net/data/ssl/blacklist/60109bc6c38328598a112c7a25e38b0f23e5a7511cb815fb 64e0c4ff05db7df7.pem | |
| 821 { | 832 { |
| 822 {0x36, 0x8c, 0x4a, 0x1e, 0x2d, 0xb7, 0x81, 0xe8, 0x6b, 0xed, | 833 {0x9c, 0xf4, 0x70, 0x4f, 0x3e, 0xe5, 0xa5, 0x98, 0x94, 0xb1, 0x6b, |
| 823 0x5a, 0x0a, 0x42, 0xb8, 0xc5, 0xcf, 0x6d, 0xb3, 0x57, 0xe1}, | 834 0xf0, 0x0c, 0xfe, 0x73, 0xd5, 0x88, 0xda, 0xe2, 0x69, 0xf5, 0x1d, |
|
davidben
2017/06/26 20:15:55
(confirmed the file matches)
| |
| 835 0xe6, 0x6a, 0x4b, 0xa7, 0x74, 0x46, 0xee, 0x2b, 0xd1, 0xf7}, | |
|
davidben
2017/06/26 20:15:56
(confirmed)
| |
| 824 kDomainsIndiaCCA, | 836 kDomainsIndiaCCA, |
| 825 }, | 837 }, |
| 826 // Not a real certificate - just for testing. This is the SPKI hash of | 838 // Not a real certificate - just for testing. |
| 827 // the keys used in net/data/ssl/certificates/name_constraint_*.pem. | 839 // net/data/ssl/certificates/name_constraint_*.pem |
| 828 { | 840 { |
| 829 {0x7b, 0x29, 0x02, 0xb7, 0x17, 0x63, 0x7f, 0xef, 0x53, 0x70, | 841 {0x8e, 0x9b, 0x14, 0x9f, 0x01, 0x45, 0x4c, 0xee, 0xde, 0xfa, 0x5e, |
| 830 0xff, 0x9d, 0x95, 0xee, 0x11, 0x64, 0xe7, 0x2e, 0x59, 0xf2}, | 842 0x73, 0x40, 0x36, 0x21, 0xba, 0xd9, 0x1f, 0xee, 0xe0, 0x3e, 0x74, |
| 843 0x25, 0x6c, 0x59, 0xf4, 0x6f, 0xbf, 0x45, 0x03, 0x5f, 0x8d}, | |
| 831 kDomainsTest, | 844 kDomainsTest, |
| 832 }, | 845 }, |
| 833 }; | 846 }; |
| 834 | 847 |
| 835 for (unsigned i = 0; i < arraysize(kLimits); ++i) { | 848 for (unsigned i = 0; i < arraysize(kLimits); ++i) { |
| 836 for (HashValueVector::const_iterator j = public_key_hashes.begin(); | 849 for (HashValueVector::const_iterator j = public_key_hashes.begin(); |
| 837 j != public_key_hashes.end(); ++j) { | 850 j != public_key_hashes.end(); ++j) { |
| 838 if (j->tag == HASH_VALUE_SHA1 && | 851 if (j->tag == HASH_VALUE_SHA256 && |
| 839 memcmp(j->data(), kLimits[i].public_key, base::kSHA1Length) == 0) { | 852 memcmp(j->data(), kLimits[i].public_key, crypto::kSHA256Length) == |
| 853 0) { | |
| 840 if (dns_names.empty() && ip_addrs.empty()) { | 854 if (dns_names.empty() && ip_addrs.empty()) { |
| 841 std::vector<std::string> dns_names; | 855 std::vector<std::string> dns_names; |
| 842 dns_names.push_back(common_name); | 856 dns_names.push_back(common_name); |
| 843 if (!CheckNameConstraints(dns_names, kLimits[i].domains)) | 857 if (!CheckNameConstraints(dns_names, kLimits[i].domains)) |
| 844 return true; | 858 return true; |
| 845 } else { | 859 } else { |
| 846 if (!CheckNameConstraints(dns_names, kLimits[i].domains)) | 860 if (!CheckNameConstraints(dns_names, kLimits[i].domains)) |
| 847 return true; | 861 return true; |
| 848 } | 862 } |
| 849 } | 863 } |
| (...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 897 return true; | 911 return true; |
| 898 | 912 |
| 899 return false; | 913 return false; |
| 900 } | 914 } |
| 901 | 915 |
| 902 // static | 916 // static |
| 903 const base::Feature CertVerifyProc::kSHA1LegacyMode{ | 917 const base::Feature CertVerifyProc::kSHA1LegacyMode{ |
| 904 "SHA1LegacyMode", base::FEATURE_DISABLED_BY_DEFAULT}; | 918 "SHA1LegacyMode", base::FEATURE_DISABLED_BY_DEFAULT}; |
| 905 | 919 |
| 906 } // namespace net | 920 } // namespace net |
| OLD | NEW |
