net: add HSTS and cert pinning for Tor.

net/base/transport_security_state.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/transport_security_state.h"
 
 #include "base/base64.h"
 #include "base/json/json_reader.h"
 #include "base/json/json_writer.h"
 #include "base/logging.h"
@@ skipping 551 matching lines @@
       "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=";
   static const char* kGoogleAcceptableCerts[] = {
     kCertPKHashVerisignClass3,
     kCertPKHashVerisignClass3G3,
     kCertPKHashGoogle1024,
     kCertPKHashGoogle2048,
     kCertPKHashEquifaxSecureCA,
     0,
   };
 
+  static const char kCertRapidSSL[] =
+    "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=";
+  static const char kCertDigiCertEVRoot[] =
+    "sha1/gzF+YoVCU9bXeDGQ7JGQVumRueM=";
+  static const char kCertTor1[] =
+    "sha1/juNxSTv9UANmpC9kF5GKpmWNx3Y=";
+  static const char kCertTor2[] =
+    "sha1/lia43lPolzSPVIq34Dw57uYcLD8=";
+  static const char kCertTor3[] =
+    "sha1/rzEyQIKOh77j87n5bjWUNguXF8Y=";
+  static const char* kTorAcceptableCerts[] = {
+    kCertRapidSSL,
+    kCertDigiCertEVRoot,
+    kCertTor1,
+    kCertTor2,
+    kCertTor3,
+    0,
+  };
+
   // kTestAcceptableCerts doesn't actually match any public keys and is used
   // with "pinningtest.appspot.com", below, to test if pinning is active.
   static const char* kTestAcceptableCerts[] = {
     "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=",
   };
 
   // In the medium term this list is likely to just be hardcoded here. This,
   // slightly odd, form removes the need for additional relocations records.
   static const struct HSTSPreload kPreloadedSTS[] = {
     // (*.)google.com, iff using SSL must use an acceptable certificate.
@@ skipping 71 matching lines @@
     {11, true, "\006betnet\002fr", true, 0 },
     {13, true, "\010uprotect\002it", true, 0 },
     {14, false, "\010squareup\003com", true, 0 },
     {9, true, "\004cert\002se", true, 0 },
     {11, true, "\006crypto\002is", true, 0 },
     {20, true, "\005simon\007butcher\004name", true, 0 },
     {10, true, "\004linx\003net", true, 0 },
     {13, true, "\007dropcam\003com", true, 0 },
     {30, true, "\010ebanking\014indovinabank\003com\002vn", true, 0 },
     {13, false, "\007epoxate\003com", true, 0 },
+    {16, false, "\012torproject\003org", true, kTorAcceptableCerts },
+    {21, true, "\004blog\012torproject\003org", true, kTorAcceptableCerts },
+    {22, true, "\005check\012torproject\003org", true, kTorAcceptableCerts },
+    {20, true, "\003www\012torproject\003org", true, kTorAcceptableCerts },
 #if defined(OS_CHROMEOS)
     {13, false, "\007twitter\003com", true, 0 },
     {17, false, "\003www\007twitter\003com", true, 0 },
     {17, false, "\003api\007twitter\003com", true, 0 },
     {17, false, "\003dev\007twitter\003com", true, 0 },
     {22, false, "\010business\007twitter\003com", true, 0 },
 #endif
   };
   static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS);
 
@@ skipping 77 matching lines @@
   }
 
   LOG(ERROR) << "Rejecting public key chain for domain " << domain
              << ". Validated chain: " << HashesToBase64String(hashes)
              << ", expected: " << HashesToBase64String(public_key_hashes);
 
   return false;
 }
 
 }  // namespace