
Unified Diff: net/cert/cert_verify_proc.cc

Issue 2951343002: Remove residual support for SHA-1 public key pins. (Closed)
Patch Set: Remove more code, use SHA-256 for the blacklist, and include the original FRST and India CCA certs. Created 3 years, 6 months ago
Index: net/cert/cert_verify_proc.cc
diff --git a/net/cert/cert_verify_proc.cc b/net/cert/cert_verify_proc.cc
index 4b1afadae749f590f7bd68ebfa3112cf0f32744e..38e6bff07c55d46a48e4d866d8fbd167e7875cc5 100644
--- a/net/cert/cert_verify_proc.cc
+++ b/net/cert/cert_verify_proc.cc
@@ -747,11 +747,11 @@ static bool CheckNameConstraints(const std::vector<std::string>& dns_names,
return true;
}
-// PublicKeyDomainLimitation contains a SHA1, SPKI hash and a pointer to an
-// array of fixed-length strings that contain the domains that the SPKI is
-// allowed to issue for.
+// PublicKeyDomainLimitation contains SHA-256(SPKI) and a pointer to an array of
+// fixed-length strings that contain the domains that the SPKI is allowed to
+// issue for.
struct PublicKeyDomainLimitation {
- uint8_t public_key[base::kSHA1Length];
+ uint8_t public_key[crypto::kSHA256Length];
const char (*domains)[kMaxDomainLength];
};
@@ -797,37 +797,50 @@ bool CertVerifyProc::HasNameConstraintsViolation(
static const PublicKeyDomainLimitation kLimits[] = {
// C=FR, ST=France, L=Paris, O=PM/SGDN, OU=DCSSI,
// CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr
+ //
+ // net/data/ssl/blacklist/b9bea7860a962ea3611dab97ab6da3e21c1068b97d55575ed0e11279c11c8932.pem
{
- {0x79, 0x23, 0xd5, 0x8d, 0x0f, 0xe0, 0x3c, 0xe6, 0xab, 0xad,
- 0xae, 0x27, 0x1a, 0x6d, 0x94, 0xf4, 0x14, 0xd1, 0xa8, 0x73},
davidben 2017/06/26 20:15:55 (confirmed the file matches)
+ {0x86, 0xc1, 0x3a, 0x34, 0x08, 0xdd, 0x1a, 0xa7, 0x7e, 0xe8, 0xb6,
+ 0x94, 0x7c, 0x03, 0x95, 0x87, 0x72, 0xf5, 0x31, 0x24, 0x8c, 0x16,
+ 0x27, 0xbe, 0xfb, 0x2c, 0x4f, 0x4b, 0x04, 0xd0, 0x44, 0x96},
davidben 2017/06/26 20:15:55 (confirmed)
kDomainsANSSI,
},
// C=IN, O=India PKI, CN=CCA India 2007
// Expires: July 4th 2015.
+ //
+ // net/data/ssl/blacklist/f375e2f77a108bacc4234894a9af308edeca1acd8fbde0e7aaa9634e9daf7e1c.pem
{
- {0xfe, 0xe3, 0x95, 0x21, 0x2d, 0x5f, 0xea, 0xfc, 0x7e, 0xdc,
- 0xcf, 0x88, 0x3f, 0x1e, 0xc0, 0x58, 0x27, 0xd8, 0xb8, 0xe4},
davidben 2017/06/26 20:15:55 (confirmed the file matches)
+ {0x7e, 0x6a, 0xcd, 0x85, 0x3c, 0xac, 0xc6, 0x93, 0x2e, 0x9b, 0x51,
+ 0x9f, 0xda, 0xd1, 0xbe, 0xb5, 0x15, 0xed, 0x2a, 0x2d, 0x00, 0x25,
+ 0xcf, 0xd3, 0x98, 0xc3, 0xac, 0x1f, 0x0d, 0xbb, 0x75, 0x4b},
davidben 2017/06/26 20:15:55 (confirmed)
kDomainsIndiaCCA,
},
// C=IN, O=India PKI, CN=CCA India 2011
// Expires: March 11 2016.
+ //
+ // net/data/ssl/blacklist/2d66a702ae81ba03af8cff55ab318afa919039d9f31b4d64388680f81311b65a.pem
{
- {0xf1, 0x42, 0xf6, 0xa2, 0x7d, 0x29, 0x3e, 0xa8, 0xf9, 0x64,
- 0x52, 0x56, 0xed, 0x07, 0xa8, 0x63, 0xf2, 0xdb, 0x1c, 0xdf},
davidben 2017/06/26 20:15:56 (confirmed the file matches)
+ {0x42, 0xa7, 0x09, 0x84, 0xff, 0xd3, 0x99, 0xc4, 0xea, 0xf0, 0xe7,
+ 0x02, 0xa4, 0x4b, 0xef, 0x2a, 0xd8, 0xa7, 0x9b, 0x8b, 0xf4, 0x64,
+ 0x8f, 0x6b, 0xb2, 0x10, 0xe1, 0x23, 0xfd, 0x07, 0x57, 0x93},
davidben 2017/06/26 20:15:55 (confirmed)
kDomainsIndiaCCA,
},
// C=IN, O=India PKI, CN=CCA India 2014
// Expires: March 5 2024.
+ //
+ // net/data/ssl/blacklist/60109bc6c38328598a112c7a25e38b0f23e5a7511cb815fb64e0c4ff05db7df7.pem
{
- {0x36, 0x8c, 0x4a, 0x1e, 0x2d, 0xb7, 0x81, 0xe8, 0x6b, 0xed,
- 0x5a, 0x0a, 0x42, 0xb8, 0xc5, 0xcf, 0x6d, 0xb3, 0x57, 0xe1},
davidben 2017/06/26 20:15:55 (confirmed the file matches)
+ {0x9c, 0xf4, 0x70, 0x4f, 0x3e, 0xe5, 0xa5, 0x98, 0x94, 0xb1, 0x6b,
+ 0xf0, 0x0c, 0xfe, 0x73, 0xd5, 0x88, 0xda, 0xe2, 0x69, 0xf5, 0x1d,
+ 0xe6, 0x6a, 0x4b, 0xa7, 0x74, 0x46, 0xee, 0x2b, 0xd1, 0xf7},
davidben 2017/06/26 20:15:56 (confirmed)
kDomainsIndiaCCA,
},
- // Not a real certificate - just for testing. This is the SPKI hash of
- // the keys used in net/data/ssl/certificates/name_constraint_*.pem.
+ // Not a real certificate - just for testing.
+ // net/data/ssl/certificates/name_constraint_*.pem
{
- {0x7b, 0x29, 0x02, 0xb7, 0x17, 0x63, 0x7f, 0xef, 0x53, 0x70,
- 0xff, 0x9d, 0x95, 0xee, 0x11, 0x64, 0xe7, 0x2e, 0x59, 0xf2},
+ {0x8e, 0x9b, 0x14, 0x9f, 0x01, 0x45, 0x4c, 0xee, 0xde, 0xfa, 0x5e,
+ 0x73, 0x40, 0x36, 0x21, 0xba, 0xd9, 0x1f, 0xee, 0xe0, 0x3e, 0x74,
+ 0x25, 0x6c, 0x59, 0xf4, 0x6f, 0xbf, 0x45, 0x03, 0x5f, 0x8d},
kDomainsTest,
},
};
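Review bot: The path comments added above each entry carry a hex name that differs from the bytes in the initializer (for the first entry, `b9bea786...` in the path against `0x86, 0xc1, 0x3a, ...` in the array), and nothing explains why. Presumably the file is named after the certificate's SHA-256 fingerprint while the array holds SHA-256 of the SPKI; if so, say it once above kLimits, for example `// Each entry is SHA-256(SPKI); the referenced .pem is named after the certificate fingerprint, not this hash.`, so that anyone auditing the table hashes the right input. The test entry's new comment also drops the words saying the value is the SPKI hash of the keys in name_constraint_*.pem, and keeping that phrase would make the bare path self-explanatory. kLimits sits inside HasNameConstraintsViolation, which starts and ends outside this hunk.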
@@ -835,8 +848,9 @@ bool CertVerifyProc::HasNameConstraintsViolation(
for (unsigned i = 0; i < arraysize(kLimits); ++i) {
for (HashValueVector::const_iterator j = public_key_hashes.begin();
j != public_key_hashes.end(); ++j) {
- if (j->tag == HASH_VALUE_SHA1 &&
- memcmp(j->data(), kLimits[i].public_key, base::kSHA1Length) == 0) {
+ if (j->tag == HASH_VALUE_SHA256 &&
+ memcmp(j->data(), kLimits[i].public_key, crypto::kSHA256Length) ==
+ 0) {
if (dns_names.empty() && ip_addrs.empty()) {
std::vector<std::string> dns_names;
dns_names.push_back(common_name);
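Review bot: The check `j->tag == HASH_VALUE_SHA256` now skips every entry that is not SHA-256, so a chain whose public_key_hashes held only SHA-1 values would match no kLimits row and the domain limitation would silently not apply. Whether every verifier populates SHA-256 hashes is not visible in this hunk; if it does, record the assumption next to the loop, e.g. `// Relies on public_key_hashes containing a HASH_VALUE_SHA256 entry for every key in the chain.` Passing `sizeof(kLimits[i].public_key)` as the memcmp length would also tie the compared size to the array itself rather than to a separately named constant. The loop and the enclosing function continue past the end of the hunk.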
