1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/transport_security_state.h" | 5 #include "net/base/transport_security_state.h" |
6 | 6 |
7 #include "base/base64.h" | 7 #include "base/base64.h" |
8 #include "base/json/json_reader.h" | 8 #include "base/json/json_reader.h" |
9 #include "base/json/json_writer.h" | 9 #include "base/json/json_writer.h" |
10 #include "base/logging.h" | 10 #include "base/logging.h" |
562 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q="; | 562 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q="; |
563 static const char* kGoogleAcceptableCerts[] = { | 563 static const char* kGoogleAcceptableCerts[] = { |
564 kCertPKHashVerisignClass3, | 564 kCertPKHashVerisignClass3, |
565 kCertPKHashVerisignClass3G3, | 565 kCertPKHashVerisignClass3G3, |
566 kCertPKHashGoogle1024, | 566 kCertPKHashGoogle1024, |
567 kCertPKHashGoogle2048, | 567 kCertPKHashGoogle2048, |
568 kCertPKHashEquifaxSecureCA, | 568 kCertPKHashEquifaxSecureCA, |
569 0, | 569 0, |
570 }; | 570 }; |
571 | 571 |
| 572 static const char kCertRapidSSL[] = |
| 573 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI="; |
| 574 static const char kCertDigiCertEVRoot[] = |
| 575 "sha1/gzF+YoVCU9bXeDGQ7JGQVumRueM="; |
| 576 static const char kCertTor1[] = |
| 577 "sha1/juNxSTv9UANmpC9kF5GKpmWNx3Y="; |
| 578 static const char kCertTor2[] = |
| 579 "sha1/lia43lPolzSPVIq34Dw57uYcLD8="; |
| 580 static const char kCertTor3[] = |
| 581 "sha1/rzEyQIKOh77j87n5bjWUNguXF8Y="; |
| 582 static const char* kTorAcceptableCerts[] = { |
| 583 kCertRapidSSL, |
| 584 kCertDigiCertEVRoot, |
| 585 kCertTor1, |
| 586 kCertTor2, |
| 587 kCertTor3, |
| 588 0, |
| 589 }; |
| 590 |
572 // kTestAcceptableCerts doesn't actually match any public keys and is used | 591 // kTestAcceptableCerts doesn't actually match any public keys and is used |
573 // with "pinningtest.appspot.com", below, to test if pinning is active. | 592 // with "pinningtest.appspot.com", below, to test if pinning is active. |
574 static const char* kTestAcceptableCerts[] = { | 593 static const char* kTestAcceptableCerts[] = { |
575 "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=", | 594 "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=", |
576 }; | 595 }; |
577 | 596 |
578 // In the medium term this list is likely to just be hardcoded here. This, | 597 // In the medium term this list is likely to just be hardcoded here. This, |
579 // slightly odd, form removes the need for additional relocations records. | 598 // slightly odd, form removes the need for additional relocations records. |
580 static const struct HSTSPreload kPreloadedSTS[] = { | 599 static const struct HSTSPreload kPreloadedSTS[] = { |
581 // (*.)google.com, iff using SSL must use an acceptable certificate. | 600 // (*.)google.com, iff using SSL must use an acceptable certificate. |
653 {11, true, "\006betnet\002fr", true, 0 }, | 672 {11, true, "\006betnet\002fr", true, 0 }, |
654 {13, true, "\010uprotect\002it", true, 0 }, | 673 {13, true, "\010uprotect\002it", true, 0 }, |
655 {14, false, "\010squareup\003com", true, 0 }, | 674 {14, false, "\010squareup\003com", true, 0 }, |
656 {9, true, "\004cert\002se", true, 0 }, | 675 {9, true, "\004cert\002se", true, 0 }, |
657 {11, true, "\006crypto\002is", true, 0 }, | 676 {11, true, "\006crypto\002is", true, 0 }, |
658 {20, true, "\005simon\007butcher\004name", true, 0 }, | 677 {20, true, "\005simon\007butcher\004name", true, 0 }, |
659 {10, true, "\004linx\003net", true, 0 }, | 678 {10, true, "\004linx\003net", true, 0 }, |
660 {13, true, "\007dropcam\003com", true, 0 }, | 679 {13, true, "\007dropcam\003com", true, 0 }, |
661 {30, true, "\010ebanking\014indovinabank\003com\002vn", true, 0 }, | 680 {30, true, "\010ebanking\014indovinabank\003com\002vn", true, 0 }, |
662 {13, false, "\007epoxate\003com", true, 0 }, | 681 {13, false, "\007epoxate\003com", true, 0 }, |
| 682 {16, false, "\012torproject\003org", true, kTorAcceptableCerts }, |
| 683 {21, true, "\004blog\012torproject\003org", true, kTorAcceptableCerts }, |
| 684 {22, true, "\005check\012torproject\003org", true, kTorAcceptableCerts }, |
| 685 {20, true, "\003www\012torproject\003org", true, kTorAcceptableCerts }, |
663 #if defined(OS_CHROMEOS) | 686 #if defined(OS_CHROMEOS) |
664 {13, false, "\007twitter\003com", true, 0 }, | 687 {13, false, "\007twitter\003com", true, 0 }, |
665 {17, false, "\003www\007twitter\003com", true, 0 }, | 688 {17, false, "\003www\007twitter\003com", true, 0 }, |
666 {17, false, "\003api\007twitter\003com", true, 0 }, | 689 {17, false, "\003api\007twitter\003com", true, 0 }, |
667 {17, false, "\003dev\007twitter\003com", true, 0 }, | 690 {17, false, "\003dev\007twitter\003com", true, 0 }, |
668 {22, false, "\010business\007twitter\003com", true, 0 }, | 691 {22, false, "\010business\007twitter\003com", true, 0 }, |
669 #endif | 692 #endif |
670 }; | 693 }; |
671 static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS); | 694 static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS); |
672 | 695 |
750 } | 773 } |
751 | 774 |
752 LOG(ERROR) << "Rejecting public key chain for domain " << domain | 775 LOG(ERROR) << "Rejecting public key chain for domain " << domain |
753 << ". Validated chain: " << HashesToBase64String(hashes) | 776 << ". Validated chain: " << HashesToBase64String(hashes) |
754 << ", expected: " << HashesToBase64String(public_key_hashes); | 777 << ", expected: " << HashesToBase64String(public_key_hashes); |
755 | 778 |
756 return false; | 779 return false; |
757 } | 780 } |
758 | 781 |
759 } // namespace | 782 } // namespace |
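Review bot: The new constants at new lines 572–581 drop the naming convention the adjacent Google set uses: `kCertPKHashVerisignClass3` and the other entries at lines 564–568 carry the `PKHash` infix because these are public-key hashes (the rejection path at lines 775–777 compares them as `public_key_hashes`), whereas `kCertRapidSSL`, `kCertDigiCertEVRoot` and `kCertTor1`…`kCertTor3` read as certificate hashes; renaming them `kCertPKHashRapidSSL`, `kCertPKHashDigiCertEVRoot`, `kCertPKHashTor1` and so on keeps the two tables parallel. The five `sha1/` values are otherwise opaque, so a short comment above `kTorAcceptableCerts` stating what each entry is — which ones are CA keys (where the pin only constrains the issuer) and which are the site's own keys, and which entry is the designated backup pin — would let a reader judge the set without re-deriving it; the CA-versus-site split is only my inference from the names. The `kPreloadedSTS` table the torproject.org rows (682–685) are added to continues outside the hunks shown.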