author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-09-07 21:08:40 +0000 |
---|---|---|
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-09-07 21:08:40 +0000 |
commit | 7179d2f456e41eca799a6c2070fca9ad123e0b65 (patch) | |
tree | a5e6e799d98ad9e80a2db783ab5d0823b1fda68b /net | |
parent | ada01b945465efd456813c51ff9090f43337d49c (diff) | |
net: add certificate pins for Tor
http://codereview.chromium.org/7818002
TEST=Navigate to https://www.torproject.org and check that it loads.
BUG=none
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@100015 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r-- | net/base/transport_security_state.cc | 23 | ||||
-rw-r--r-- | net/base/transport_security_state_unittest.cc | 21 |
2 files changed, 44 insertions, 0 deletions
diff --git a/net/base/transport_security_state.cc b/net/base/transport_security_state.cc
index 1cb5e13..8996d4e 100644
--- a/net/base/transport_security_state.cc
+++ b/net/base/transport_security_state.cc
@@ -569,6 +569,25 @@ bool TransportSecurityState::IsPreloadedSTS(
 0,
 };

+ static const char kCertRapidSSL[] =
+ "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=";
+ static const char kCertDigiCertEVRoot[] =
+ "sha1/gzF+YoVCU9bXeDGQ7JGQVumRueM=";
+ static const char kCertTor1[] =
+ "sha1/juNxSTv9UANmpC9kF5GKpmWNx3Y=";
+ static const char kCertTor2[] =
+ "sha1/lia43lPolzSPVIq34Dw57uYcLD8=";
+ static const char kCertTor3[] =
+ "sha1/rzEyQIKOh77j87n5bjWUNguXF8Y=";
+ static const char* kTorAcceptableCerts[] = {
+ kCertRapidSSL,
+ kCertDigiCertEVRoot,
+ kCertTor1,
+ kCertTor2,
+ kCertTor3,
+ 0,
+ };
+
 // kTestAcceptableCerts doesn't actually match any public keys and is used
 // with "pinningtest.appspot.com", below, to test if pinning is active.
 static const char* kTestAcceptableCerts[] = {
@@ -661,6 +680,10 @@ bool TransportSecurityState::IsPreloadedSTS(
 {13, true, "\007dropcam\003com", true, 0 },
 {30, true, "\010ebanking\014indovinabank\003com\002vn", true, 0 },
 {13, false, "\007epoxate\003com", true, 0 },
+ {16, false, "\012torproject\003org", true, kTorAcceptableCerts },
+ {21, true, "\004blog\012torproject\003org", true, kTorAcceptableCerts },
+ {22, true, "\005check\012torproject\003org", true, kTorAcceptableCerts },
+ {20, true, "\003www\012torproject\003org", true, kTorAcceptableCerts },
 #if defined(OS_CHROMEOS)
 {13, false, "\007twitter\003com", true, 0 },
 {17, false, "\003www\007twitter\003com", true, 0 },
diff --git a/net/base/transport_security_state_unittest.cc b/net/base/transport_security_state_unittest.cc
index fb2f1fe..afea1ab 100644
--- a/net/base/transport_security_state_unittest.cc
+++ b/net/base/transport_security_state_unittest.cc
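Review bot: The five pins collected in `kTorAcceptableCerts` (first hunk) carry no comment saying what each hash identifies or how it was derived, so a later maintainer cannot tell an in-service key from a backup or re-check a value against the site. Two entries are named after CAs (`kCertRapidSSL`, `kCertDigiCertEVRoot`); if they are CA keys as the names suggest, any chain through either CA satisfies the pin set, and that breadth should be stated as deliberate. I would add above the array `// Pins for torproject.org: two CA keys plus three site keys (kCertTor1-3); values are base64 SHA-1 public key hashes.` and mark next to each kCertTorN whether it is live or held in reserve. IsPreloadedSTS starts and ends outside this hunk.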
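Review bot: In the second hunk the apex entry `{16, false, "\012torproject\003org", ...}` has its second field set to `false` while blog, check and www use `true`. Judging by the unit test in this commit, which expects foo.torproject.org not to be enabled, that field controls subdomain coverage. Every torproject.org host other than the four listed therefore gets neither the HTTPS requirement nor the pins. If that scope is intended, a one-line comment would stop the next reader from treating it as an oversight: `// torproject.org: apex is exact-match only; blog, check and www are listed separately.` The table's struct definition lies outside this hunk, so the field meanings here are inferred.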
@@ -664,6 +664,27 @@ TEST_F(TransportSecurityStateTest, Preloaded) {
 EXPECT_FALSE(state->IsEnabledForHost(&domain_state,
 "foo.epoxate.com",
 false));
+
+ EXPECT_TRUE(state->IsEnabledForHost(&domain_state,
+ "torproject.org",
+ false));
+ EXPECT_TRUE(domain_state.public_key_hashes.size() != 0);
+ EXPECT_TRUE(state->IsEnabledForHost(&domain_state,
+ "www.torproject.org",
+ false));
+ EXPECT_TRUE(domain_state.public_key_hashes.size() != 0);
+ EXPECT_TRUE(state->IsEnabledForHost(&domain_state,
+ "check.torproject.org",
+ false));
+ EXPECT_TRUE(domain_state.public_key_hashes.size() != 0);
+ EXPECT_TRUE(state->IsEnabledForHost(&domain_state,
+ "blog.torproject.org",
+ false));
+ EXPECT_TRUE(domain_state.public_key_hashes.size() != 0);
+
+ EXPECT_FALSE(state->IsEnabledForHost(&domain_state,
+ "foo.torproject.org",
+ false));
 }

 TEST_F(TransportSecurityStateTest, LongNames) { |
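Review bot: Each `EXPECT_TRUE(domain_state.public_key_hashes.size() != 0)` reads the same `domain_state` object that the previous lookup filled in. If IsEnabledForHost does not reset that field on entry (not visible here), the checks for www, check and blog can pass on hashes left over from the torproject.org lookup. The assertion also accepts any non-empty set rather than the five pins listed in kTorAcceptableCerts. Assuming the field is a standard container and all five hashes are copied into it, I would put `domain_state.public_key_hashes.clear();` before each call and replace the check with `EXPECT_EQ(5u, domain_state.public_key_hashes.size());`. The test body begins above this hunk, so the declaration of `domain_state` is not shown.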