author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-11-15 17:18:40 +0000 |
---|---|---|
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-11-15 17:18:40 +0000 |
commit | ce905b74e4da1ad3401830564214d77667adc29c (patch) | |
tree | d128c932834bcf69cb4d21b7ec160e0cfef8d4ce /net | |
parent | 49d7c1d4d4f18163386bed1bdbba1f7d1f8fb8de (diff) | |
Add certificate pinning for crypto.cat.
BUG=None
Review URL: https://codereview.chromium.org/11358199
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@167944 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r-- | net/base/transport_security_state.cc | 2 | ||||
-rw-r--r-- | net/base/transport_security_state_static.certs | 46 | ||||
-rw-r--r-- | net/base/transport_security_state_static.h | 15 | ||||
-rw-r--r-- | net/base/transport_security_state_static.json | 9 |
4 files changed, 70 insertions, 2 deletions
diff --git a/net/base/transport_security_state.cc b/net/base/transport_security_state.cc index e943e50..469be1d 100644 --- a/net/base/transport_security_state.cc +++ b/net/base/transport_security_state.cc @@ -851,6 +851,8 @@ enum SecondLevelDomainName { DOMAIN_CHROMIUM_ORG, + DOMAIN_CRYPTO_CAT, + // Boundary value for UMA_HISTOGRAM_ENUMERATION: DOMAIN_NUM_EVENTS }; diff --git a/net/base/transport_security_state_static.certs b/net/base/transport_security_state_static.certs index 20a4901..346b48f 100644 --- a/net/base/transport_security_state_static.certs +++ b/net/base/transport_security_state_static.certs 
@@ -1161,3 +1161,49 @@ WSh4olGd0Eqc5ZNemI/L7z/K/uCvpMlbbkBYpZItvV1lVcW/fARB2aS1gOmUYAIQ OGoICNdTHC2Tr8kTe9RsxDrE+4CsuzpOVHrNTrM+7fH8EU6f9fMUvLmxMc72qi+l +MPpZqmyIJ3E+LgDYqeF0RhjWw== -----END CERTIFICATE----- + +CryptoCat1 +-----BEGIN CERTIFICATE----- +MIIHtTCCBp2gAwIBAgIQBQJvUvveB1Ep7CH9FkuAMjANBgkqhkiG9w0BAQUFADBm +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSUwIwYDVQQDExxEaWdpQ2VydCBIaWdoIEFzc3VyYW5j +ZSBDQS0zMB4XDTEyMTEwOTAwMDAwMFoXDTE1MDExMjEyMDAwMFowczELMAkGA1UE +BhMCQ0ExDzANBgNVBAgTBlF1ZWJlYzERMA8GA1UEBxMITW9udHJlYWwxFzAVBgNV +BAoTDk5hZGltIEtvYmVpc3NpMRIwEAYDVQQLEwlDcnlwdG9jYXQxEzARBgNVBAMT +CmNyeXB0by5jYXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDS1vdN +oZ+gNyjs3RnyQ0ZfQ8aGeRvnzYBZsZawwmRN/aSzdYhwxENAKr1wUnJk7aiXhYWq +Z+ME/GUI8/89LHyHImQtVxTVRgfDSQSeciP7fplJGDNTz9+IOS849doom2sTsolH +WJtJ/ggSDX4igDc+6/c3D1rz34gAGspQ1XK2TZEcPvN6+IW9a+BUqYMfyRZmoft6 +YfDDf8S36weyyIASoRc9nB02wvOJ/7ME8sbExXbUEjQBr/HFcI3IwElft32zLsVu +NWdYz0TsFHG5tPhHSGQ/QI85uON4TJthlu3T0lV//T5nME2hijRcMo4C/yD+JK5Y +4h0tLCHrce4xx4au4EPF2YoGO8IEPVlQLJb5Yz92vQaAA15NnDSCVlb4Tfe6zwsf +7qBBobM9A1ZTKDtQiZZLHIACmJ4EfENtSFE+On3y31vvkaWXRROgo1Z0ECNBynb4 +ubPTlR2ZlAeE7Qp3b3GdMmnIP8QPn6tSxqYEveLwqOhXD/Upa5qxjnbbwQk1SRpA +Pbvz5waGzA/9UXLwcgJguqh3cLIuKmOysCG6qiSkpfzSdeCDa4vheLJl+rUbS0DV +abcRkRUmzRvNCeYYlTe6I0gHRC1UPef8aj2ppinw+9dWiQVxhjjIhw8JyGjM5Qg9 +NH5lDyXEuoS7f/VOTOOhAHvHSl5Ec/iXYU7PpQIDAQABo4IDUDCCA0wwHwYDVR0j +BBgwFoAUUOpzidsp+xCPnuUBINTeeZlIg/cwHQYDVR0OBBYEFPtM/u402qRHQsv4 +C3aUc3BKnofhMCUGA1UdEQQeMByCCmNyeXB0by5jYXSCDnd3dy5jcnlwdG8uY2F0 +MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw +YQYDVR0fBFowWDAqoCigJoYkaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL2NhMy1n +MTYuY3JsMCqgKKAmhiRodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vY2EzLWcxNi5j +cmwwggHEBgNVHSAEggG7MIIBtzCCAbMGCWCGSAGG/WwBATCCAaQwOgYIKwYBBQUH +AgEWLmh0dHA6Ly93d3cuZGlnaWNlcnQuY29tL3NzbC1jcHMtcmVwb3NpdG9yeS5o +dG0wggFkBggrBgEFBQcCAjCCAVYeggFSAEEAbgB5ACAAdQBzAGUAIABvAGYAIAB0 
+AGgAaQBzACAAQwBlAHIAdABpAGYAaQBjAGEAdABlACAAYwBvAG4AcwB0AGkAdAB1 +AHQAZQBzACAAYQBjAGMAZQBwAHQAYQBuAGMAZQAgAG8AZgAgAHQAaABlACAARABp +AGcAaQBDAGUAcgB0ACAAQwBQAC8AQwBQAFMAIABhAG4AZAAgAHQAaABlACAAUgBl +AGwAeQBpAG4AZwAgAFAAYQByAHQAeQAgAEEAZwByAGUAZQBtAGUAbgB0ACAAdwBo +AGkAYwBoACAAbABpAG0AaQB0ACAAbABpAGEAYgBpAGwAaQB0AHkAIABhAG4AZAAg +AGEAcgBlACAAaQBuAGMAbwByAHAAbwByAGEAdABlAGQAIABoAGUAcgBlAGkAbgAg +AGIAeQAgAHIAZQBmAGUAcgBlAG4AYwBlAC4wewYIKwYBBQUHAQEEbzBtMCQGCCsG +AQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh0 +dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEhpZ2hBc3N1cmFuY2VD +QS0zLmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBQUAA4IBAQBlJ+AAe5Il +9Tj9ZD7Equ9JjdbKi5srhjEDtDXtvl/2ga8Bjbh2qs0Qb18DtfpdTdIPuDF2KKjW +kIQabl4h8s5NcQ/U7+AssAyKZGjiHs40G0iAlHpMeo/YzzEVqfoG+AT6c8caL4b0 +M2FnRee23OuKUdPixln3iShViViKt29NqDliIu4/IaeB7WkgJgljtIPNPZVoNqXa +TvwjIDhO+wtc3qXjtO1zej3+GBmGz7RcZckturc2pZe3NRWQ7wO8ZzWShWU/ii3z +2PftKlqZo3WAeJoUCPtQNsLnBFGvdUx2rUZwMhdgPuGeV4kEULAtu8M74xR5/Opz +nRGP22zr1K4q +-----END CERTIFICATE----- diff --git a/net/base/transport_security_state_static.h b/net/base/transport_security_state_static.h index 6a72549..f9e8e62 100644 --- a/net/base/transport_security_state_static.h +++ b/net/base/transport_security_state_static.h @@ -163,6 +163,9 @@ static const char kSPKIHash_Tor2web[] = static const char kSPKIHash_AlphaSSL_G2[] = "sha1/5STpjjF9yPytkFN8kecNpHCTkF8="; +static const char kSPKIHash_CryptoCat1[] = + "sha1/TIfOhSz0wE1nqeDsUQx/OxSz6ck="; + // The following is static data describing the hosts that are hardcoded with // certificate pins or HSTS information. @@ -294,6 +297,16 @@ static const char* const kTor2webAcceptableCerts[] = { kNoRejectedPublicKeys, \ } +static const char* const kCryptoCatAcceptableCerts[] = { + kSPKIHash_DigiCertEVRoot, + kSPKIHash_CryptoCat1, + NULL, +}; +#define kCryptoCatPins { \ + kCryptoCatAcceptableCerts, \ + kNoRejectedPublicKeys, \ +} + #define kNoPins {\ NULL, NULL, \ } 
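Review bot: `kCryptoCatAcceptableCerts` in the `@@ -294,6 +297,16 @@` hunk has no comment explaining why these two pins were chosen, and the choice decides how the pin set behaves after a key change. Going by the certificate this commit adds under the label CryptoCat1, `kSPKIHash_CryptoCat1` looks like the site's own end-entity key, while `kSPKIHash_DigiCertEVRoot` is defined outside this diff and is presumably a CA root. If so, once the site rekeys, the only remaining constraint is that root, which any certificate issued under it satisfies. I would put a comment above the array, for example `// CryptoCat1 is the site's current leaf key; DigiCertEVRoot is the fallback so a rekey under the same CA does not lock users out.`, and have the reviewer confirm that `"sha1/TIfOhSz0wE1nqeDsUQx/OxSz6ck="` was recomputed from the added certificate rather than copied by hand.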
@@ -624,7 +637,7 @@ static const struct HSTSPreload kPreloadedSTS[] = { {30, false, "\003www\011developer\012mydigipass\003com", true, kNoPins, DOMAIN_NOT_PINNED }, {24, false, "\007sandbox\012mydigipass\003com", true, kNoPins, DOMAIN_NOT_PINNED }, {28, false, "\003www\007sandbox\012mydigipass\003com", true, kNoPins, DOMAIN_NOT_PINNED }, - {12, true, "\006crypto\003cat", true, kNoPins, DOMAIN_NOT_PINNED }, + {12, true, "\006crypto\003cat", true, kCryptoCatPins, DOMAIN_CRYPTO_CAT }, {25, true, "\014bigshinylock\006minazo\003net", true, kNoPins, DOMAIN_NOT_PINNED }, {10, true, "\005crate\002io", true, kNoPins, DOMAIN_NOT_PINNED }, {13, false, "\007twitter\003com", true, kTwitterComPins, DOMAIN_TWITTER_COM }, diff --git a/net/base/transport_security_state_static.json b/net/base/transport_security_state_static.json index 2e44bcb..59f686e 100644 --- a/net/base/transport_security_state_static.json +++ b/net/base/transport_security_state_static.json @@ -137,6 +137,13 @@ "AlphaSSL_G2", "Tor2web" ] + }, + { + "name": "cryptoCat", + "static_spki_hashes": [ + "DigiCertEVRoot", + "CryptoCat1" + ] } ], @@ -487,7 +494,7 @@ { "name": "www.developer.mydigipass.com", "mode": "force-https" }, { "name": "sandbox.mydigipass.com", "mode": "force-https" }, { "name": "www.sandbox.mydigipass.com", "mode": "force-https" }, - { "name": "crypto.cat", "include_subdomains": true, "mode": "force-https" }, + { "name": "crypto.cat", "include_subdomains": true, "mode": "force-https", "pins": "cryptoCat" }, { "name": "bigshinylock.minazo.net", "include_subdomains": true, "mode": "force-https" }, { "name": "crate.io", "include_subdomains": true, "mode": "force-https" }, { "name": "twitter.com", "mode": "force-https", "pins": "twitterCom" }, |
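Review bot: The changed `kPreloadedSTS` row keeps `true` in its second field, which the matching .json entry shows is `include_subdomains`, so `kCryptoCatPins` will be enforced on every host under crypto.cat and not only on the apex. A subdomain served with a different key under a different CA would then fail hard for users of this build, and that cannot be corrected without shipping a new binary. Nothing in the hunk records that the site operator confirmed this scope; I would add a line above the row such as `// Pins apply to all subdomains; confirmed with the site operator on <date>.` The array itself starts and ends outside the hunk, and the last .json hunk carries the same scope.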