authoragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-10-04 18:29:29 +0000
committeragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-10-04 18:29:29 +0000
commit7ccf34ee3f0167398a87f9bd37b35047d190144e (patch)
tree23c010ec7ac1822e3afa6e6ec436d0f3d7c17899 /net
parent5eb73f21ab807926ef19891b1de8368710d12d5d (diff)
net: add certificate pins for Twitter.
(Note: some lines exceed 80 characters here; line-breaking them would hurt readability, so I'm keeping them long.) BUG=none TEST=twitter.com still works Review URL: http://codereview.chromium.org/8084008 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@103945 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r--net/base/transport_security_state.cc180
-rw-r--r--net/base/transport_security_state_unittest.cc24
2 files changed, 189 insertions, 15 deletions
diff --git a/net/base/transport_security_state.cc b/net/base/transport_security_state.cc
index ced7383..240a732 100644
--- a/net/base/transport_security_state.cc
+++ b/net/base/transport_security_state.cc
@@ -812,7 +812,7 @@ struct HSTSPreload {
bool include_subdomains;
char dns_name[30];
bool https_required;
- const char** required_hashes;
+ const char* const* required_hashes;
};
static bool HasPreload(const struct HSTSPreload* entries, size_t num_entries,
@@ -830,10 +830,10 @@ static bool HasPreload(const struct HSTSPreload* entries, size_t num_entries,
if (!entries[j].https_required)
out->mode = TransportSecurityState::DomainState::MODE_NONE;
if (entries[j].required_hashes) {
- const char** hash = entries[j].required_hashes;
+ const char* const* hash = entries[j].required_hashes;
while (*hash) {
bool ok = AddHash(*hash, &out->public_key_hashes);
- DCHECK(ok);
+ DCHECK(ok) << " failed to parse " << *hash;
hash++;
}
}
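Review bot: `DCHECK(ok) << " failed to parse " << *hash;` compiles out in release builds, so a hash string in a preload table that `AddHash` rejects would be dropped from `out->public_key_hashes` silently, leaving that host with a narrower pin set than the table intends (and, if it were the only entry, possibly none). Since the input is a compile-time constant, the cheapest guard is a unit test that walks every preload table through `AddHash` once, or a `CHECK` here if the parse cost at startup is acceptable. Either way a short comment would make the intent explicit, e.g. `// Preload hashes are compile-time constants; a parse failure here is a bug in the table, not a runtime condition.` HasPreload starts before this hunk and its body continues past it.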
@@ -867,7 +867,7 @@ bool TransportSecurityState::IsPreloadedSTS(
"sha1/AbkhxY0L343gKf+cki7NVWp+ozk=";
static const char kCertPKHashEquifaxSecureCA[] =
"sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=";
- static const char* kGoogleAcceptableCerts[] = {
+ static const char* const kGoogleAcceptableCerts[] = {
kCertPKHashVerisignClass3,
kCertPKHashVerisignClass3G3,
kCertPKHashGoogle1024,
@@ -886,7 +886,7 @@ bool TransportSecurityState::IsPreloadedSTS(
"sha1/lia43lPolzSPVIq34Dw57uYcLD8=";
static const char kCertTor3[] =
"sha1/rzEyQIKOh77j87n5bjWUNguXF8Y=";
- static const char* kTorAcceptableCerts[] = {
+ static const char* const kTorAcceptableCerts[] = {
kCertRapidSSL,
kCertDigiCertEVRoot,
kCertTor1,
@@ -895,12 +895,162 @@ bool TransportSecurityState::IsPreloadedSTS(
0,
};
+ static const char kCertVerisignClass1[] =
+ "sha1/I0PRSKJViZuUfUYaeX7ATP7RcLc=";
+ static const char kCertVerisignClass3[] =
+ "sha1/4n972HfV354KP560yw4uqe/baXc=";
+ static const char kCertVerisignClass3_G4[] =
+ "sha1/7WYxNdMb1OymFMQp4xkGn5TBJlA=";
+ static const char kCertVerisignClass4_G3[] =
+ "sha1/PANDaGiVHPNpKri0Jtq6j+ki5b0=";
+ static const char kCertVerisignClass3_G3[] =
+ "sha1/IvGeLsbqzPxdI0b0wuj2xVTdXgc=";
+ static const char kCertVerisignClass1_G3[] =
+ "sha1/VRmyeKyygdftp6vBg5nDu2kEJLU=";
+ static const char kCertVerisignClass2_G3[] =
+ "sha1/Wr7Fddyu87COJxlD/H8lDD32YeM=";
+ static const char kCertVerisignClass3_G2[] =
+ "sha1/GiG0lStik84Ys2XsnA6TTLOB5tQ=";
+ static const char kCertVerisignClass2_G2[] =
+ "sha1/Eje6RRfurSkm/cHN/r7t8t7ZFFw=";
+ static const char kCertVerisignClass3_G5[] =
+ "sha1/sYEIGhmkwJQf+uiVKMEkyZs0rMc=";
+ static const char kCertVerisignUniversal[] =
+ "sha1/u8I+KQuzKHcdrT6iTb30I70GsD0=";
+
+ static const char kCertTwitter1[] =
+ "sha1/Vv7zwhR9TtOIN/29MFI4cgHld40=";
+
+ static const char kCertEntrust2048[] =
+ "sha1/VeSB0RGAvtiJuQijMfmhJAkWuXA=";
+ static const char kCertEntrustEV[] =
+ "sha1/ukKwgYhTiB2GY71MwF4I/upuu3c=";
+ static const char kCertEntrustG2[] =
+ "sha1/qzDTr0vY8WtYae5FaSnahLhzlIg=";
+ static const char kCertEntrustSSL[] =
+ "sha1/8BdiE1U9s/8KAGv7UISX8+1i0Bo=";
+
+ static const char kCertGeoTrustGlobal[] =
+ "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=";
+ static const char kCertGeoTrustGlobal2[] =
+ "sha1/cTg28gIxU0crbrplRqkQFVggBQk=";
+ static const char kCertGeoTrustUniversal[] =
+ "sha1/h+hbY1PGI6MSjLD/u/VR/lmADiI=";
+ static const char kCertGeoTrustUniversal2[] =
+ "sha1/Xk9ThoXdT57KX9wNRW99UbHcm3s=";
+ static const char kCertGeoTrustPrimary[] =
+ "sha1/sBmJ5+/7Sq/LFI9YRjl2IkFQ4bo=";
+ static const char kCertGeoTrustPrimaryG2[] =
+ "sha1/vb6nG6txV/nkddlU0rcngBqCJoI=";
+ static const char kCertGeoTrustPrimaryG3[] =
+ "sha1/nKmNAK90Dd2BgNITRaWLjy6UONY=";
+
+ static const char kCertComodoAAACertificateServices[] =
+ "sha1/xDAoxdPjCAwQRIssd7okU5dgu/k=";
+ static const char kCertComodoAddTrustClass1CARoot[] =
+ "sha1/i9vXzKBoU0IW9MErJUT8Apyli0c=";
+ static const char kCertComodoAddTrustExternalCARoot[] =
+ "sha1/T5x9IXmcrQ7YuQxXnxoCmeeQ84c=";
+ static const char kCertComodoAddTrustPublicCARoot[] =
+ "sha1/qFdl1ugyyMUZY3Namhd0OoHf7i4=";
+ static const char kCertComodoAddTrustQualifiedCARoot[] =
+ "sha1/vOS3IxJVmOVjQRkcUOS2R8J2Bdc=";
+ static const char kCertComodoCertificationAuthority[] =
+ "sha1/EeSR0cnkwOuazs9zVF3h8agwPsM=";
+ static const char kCertComodoSecureCertificateServices[] =
+ "sha1/PLQahC71XPIaPaVKyNG+OQh2N7w=";
+ static const char kCertComodoTrustedCertificateServices[] =
+ "sha1//nLI678ML7sOJhOTkzwsqY3cJJQ=";
+ static const char kCertComodoUTNDATACorpSGC[] =
+ "sha1/UzLRs89/+uDxoF2FTpLSnkUdtE8=";
+ static const char kCertComodoUTNUSERFirstClientAuthenticationandEmail[] =
+ "sha1/iYJnfcSdJnAAS7RQSHzePa4Ebn0=";
+ static const char kCertComodoUTNUSERFirstHardware[] =
+ "sha1/oXJfJhsomEOVXQc31YWWnUvSw0U=";
+ static const char kCertComodoUTNUSERFirstObject[] =
+ "sha1/2u1kdBScFDyr3ZmpvVsoTYs8ydg=";
+
+ static const char kCertGTECyberTrustGlobalRoot[] =
+ "sha1/WXkS3mF11m/EI7d3E3THlt5viHI=";
+
+ static const char* const kTwitterComAcceptableCerts[] = {
+ kCertVerisignClass1,
+ kCertVerisignClass3,
+ kCertVerisignClass3_G4,
+ kCertVerisignClass4_G3,
+ kCertVerisignClass3_G3,
+ kCertVerisignClass1_G3,
+ kCertVerisignClass2_G3,
+ kCertVerisignClass3_G2,
+ kCertVerisignClass2_G2,
+ kCertVerisignClass3_G5,
+ kCertVerisignUniversal,
+ kCertGeoTrustGlobal,
+ kCertGeoTrustGlobal2,
+ kCertGeoTrustUniversal,
+ kCertGeoTrustUniversal2,
+ kCertGeoTrustPrimary,
+ kCertGeoTrustPrimaryG2,
+ kCertGeoTrustPrimaryG3,
+ kCertTwitter1,
+ 0,
+ };
+
+ // kTwitterAcceptableCerts2 are the set of public keys valid for Twitter's
+ // CDNs, which includes all the keys from kTwitterAcceptableCerts1.
+ static const char* const kTwitterCDNAcceptableCerts[] = {
+ kCertVerisignClass1,
+ kCertVerisignClass3,
+ kCertVerisignClass3_G4,
+ kCertVerisignClass4_G3,
+ kCertVerisignClass3_G3,
+ kCertVerisignClass1_G3,
+ kCertVerisignClass2_G3,
+ kCertVerisignClass3_G2,
+ kCertVerisignClass2_G2,
+ kCertVerisignClass3_G5,
+ kCertVerisignUniversal,
+ kCertGeoTrustGlobal,
+ kCertGeoTrustGlobal2,
+ kCertGeoTrustUniversal,
+ kCertGeoTrustUniversal2,
+ kCertGeoTrustPrimary,
+ kCertGeoTrustPrimaryG2,
+ kCertGeoTrustPrimaryG3,
+ kCertTwitter1,
+
+ kCertEntrust2048,
+ kCertEntrustEV,
+ kCertEntrustG2,
+ kCertEntrustSSL,
+ kCertComodoAAACertificateServices,
+ kCertComodoAddTrustClass1CARoot,
+ kCertComodoAddTrustExternalCARoot,
+ kCertComodoAddTrustPublicCARoot,
+ kCertComodoAddTrustQualifiedCARoot,
+ kCertComodoCertificationAuthority,
+ kCertComodoSecureCertificateServices,
+ kCertComodoTrustedCertificateServices,
+ kCertComodoUTNDATACorpSGC,
+ kCertComodoUTNUSERFirstClientAuthenticationandEmail,
+ kCertComodoUTNUSERFirstHardware,
+ kCertComodoUTNUSERFirstObject,
+ kCertGTECyberTrustGlobalRoot,
+ 0,
+ };
+
// kTestAcceptableCerts doesn't actually match any public keys and is used
// with "pinningtest.appspot.com", below, to test if pinning is active.
- static const char* kTestAcceptableCerts[] = {
+ static const char* const kTestAcceptableCerts[] = {
"sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=",
};
+#if defined(OS_CHROMEOS)
+ static const bool kTwitterHSTS = true;
+#else
+ static const bool kTwitterHSTS = false;
+#endif
+
// In the medium term this list is likely to just be hardcoded here. This,
// slightly odd, form removes the need for additional relocations records.
static const struct HSTSPreload kPreloadedSTS[] = {
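Review bot: The comment `// kTwitterAcceptableCerts2 are the set of public keys valid for Twitter's CDNs, which includes all the keys from kTwitterAcceptableCerts1.` names arrays that do not exist; the tables are `kTwitterComAcceptableCerts` and `kTwitterCDNAcceptableCerts`, so it should read `// kTwitterCDNAcceptableCerts is the set of public keys valid for Twitter's CDNs; it is a superset of kTwitterComAcceptableCerts.` Beyond naming, the sets are broad: judging by the constant names they pin every VeriSign class (including Class 1 and Class 2, which are not normally used for server certificates) and, for the CDN set, the whole Comodo/UTN family including the client-authentication/email and object-signing roots, so a mis-issuance by any of those CAs would still pass the pin. If that breadth is deliberate (headroom for CA migrations), a comment recording which roots Twitter actually chains to today versus which are included as spares would make later pruning possible. Separately, as rendered here `kTestAcceptableCerts` ends without the trailing `0` that `kGoogleAcceptableCerts` and `kTorAcceptableCerts` carry and that the `while (*hash)` walk in HasPreload relies on, so the terminator is worth confirming; the `kPreloadedSTS` initializer that consumes these tables begins on the last line of this hunk and continues past it.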
@@ -1001,13 +1151,17 @@ bool TransportSecurityState::IsPreloadedSTS(
{13, false, "\007greplin\003com", true, 0 },
{17, false, "\003www\007greplin\003com", true, 0 },
{27, true, "\006luneta\016nearbuysystems\003com", true, 0 },
-#if defined(OS_CHROMEOS)
- {13, false, "\007twitter\003com", true, 0 },
- {17, false, "\003www\007twitter\003com", true, 0 },
- {17, false, "\003api\007twitter\003com", true, 0 },
- {17, false, "\003dev\007twitter\003com", true, 0 },
- {22, false, "\010business\007twitter\003com", true, 0 },
-#endif
+ {13, false, "\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+ {17, true, "\003www\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+ {17, true, "\003api\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+ {19, true, "\005oauth\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+ {20, true, "\006mobile\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+ {17, true, "\003dev\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+ {22, true, "\010business\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+
+ {22, true, "\010platform\007twitter\003com", false, kTwitterCDNAcceptableCerts },
+ {15, true, "\003si0\005twimg\003com", false, kTwitterCDNAcceptableCerts },
+ {23, true, "\010twimg0-a\010akamaihd\003net", false, kTwitterCDNAcceptableCerts },
};
static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS);
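Review bot: The `twimg0-a.akamaihd.net` row pins an Akamai-operated hostname with `include_subdomains` true, which ties a third-party CDN's certificate rotation to Chrome's release cycle: if that host is reissued under a root outside `kTwitterCDNAcceptableCerts`, every Twitter page load pulling images from it fails pin validation until a browser update ships. That is presumably what the broad CDN set is meant to absorb, but it deserves a comment recording who operates the host and how rotation is coordinated, e.g. `// twimg0-a.akamaihd.net is operated by Akamai for Twitter; its pin set must track Akamai's issuing CAs.` Note also that with `kTwitterHSTS` false outside Chrome OS the twitter.com rows become pin-only entries (HasPreload sets MODE_NONE when https_required is false), which is easy to misread from the table; a one-line comment above the rows such as `// Pins on every platform; HSTS only on Chrome OS (kTwitterHSTS).` would spell that out. The kPreloadedSTS initializer starts before this hunk.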
diff --git a/net/base/transport_security_state_unittest.cc b/net/base/transport_security_state_unittest.cc
index fd87e38..2181cea 100644
--- a/net/base/transport_security_state_unittest.cc
+++ b/net/base/transport_security_state_unittest.cc
@@ -706,13 +706,22 @@ TEST_F(TransportSecurityStateTest, Preloaded) {
EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
"foo.greplin.com",
false));
-
EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
"luneta.nearbuysystems.com",
false));
EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
"foo.luneta.nearbuysystems.com",
false));
+
+#if defined(OS_CHROMEOS)
+ EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
+ "twitter.com",
+ false));
+#else
+ EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
+ "twitter.com",
+ false));
+#endif
}
TEST_F(TransportSecurityStateTest, LongNames) {
@@ -767,7 +776,6 @@ TEST_F(TransportSecurityStateTest, BuiltinCertPins) {
// This essential checks that a built-in list does exist.
EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(hashes));
EXPECT_FALSE(state.HasPinsForHost(&domain_state, "www.paypal.com", true));
- EXPECT_FALSE(state.HasPinsForHost(&domain_state, "twitter.com", true));
EXPECT_TRUE(state.HasPinsForHost(&domain_state, "docs.google.com", true));
EXPECT_TRUE(state.HasPinsForHost(&domain_state, "1.docs.google.com", true));
@@ -810,6 +818,18 @@ TEST_F(TransportSecurityStateTest, BuiltinCertPins) {
EXPECT_TRUE(state.HasPinsForHost(&domain_state,
"ssl.google-analytics.com",
true));
+
+ EXPECT_TRUE(state.HasPinsForHost(&domain_state, "twitter.com", true));
+ EXPECT_FALSE(state.HasPinsForHost(&domain_state, "foo.twitter.com", true));
+ EXPECT_TRUE(state.HasPinsForHost(&domain_state, "www.twitter.com", true));
+ EXPECT_TRUE(state.HasPinsForHost(&domain_state, "api.twitter.com", true));
+ EXPECT_TRUE(state.HasPinsForHost(&domain_state, "oauth.twitter.com", true));
+ EXPECT_TRUE(state.HasPinsForHost(&domain_state, "mobile.twitter.com", true));
+ EXPECT_TRUE(state.HasPinsForHost(&domain_state, "dev.twitter.com", true));
+ EXPECT_TRUE(state.HasPinsForHost(&domain_state, "business.twitter.com", true));
+ EXPECT_TRUE(state.HasPinsForHost(&domain_state, "platform.twitter.com", true));
+ EXPECT_TRUE(state.HasPinsForHost(&domain_state, "si0.twimg.com", true));
+ EXPECT_TRUE(state.HasPinsForHost(&domain_state, "twimg0-a.akamaihd.net", true));
}
TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) {
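Review bot: The new assertions cover every pinned hostname but never a subdomain of an `include_subdomains` entry, so the one behaviour that differs between the `twitter.com` row (`include_subdomains` false, checked via `foo.twitter.com`) and the others is untested; if include_subdomains works as its name suggests, `EXPECT_TRUE(state.HasPinsForHost(&domain_state, "foo.api.twitter.com", true));` would pin that down, and a negative such as `EXPECT_FALSE(state.HasPinsForHost(&domain_state, "twimg.com", true));` would confirm the CDN rows do not leak onto the parent domain. The test also only checks that pins exist, never that a chain is accepted or rejected against the new tables; whether IsChainOfPublicKeysPermitted can be exercised with a fixed hash here depends on fixtures outside this hunk. The BuiltinCertPins test body begins before this hunk.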