From abc08b6c6c8d5a48b79263a85a7abc5ee47c7ea1 Mon Sep 17 00:00:00 2001
From: "agl@chromium.org"
Date: Mon, 3 Feb 2014 21:32:11 +0000
Subject: net: block three, retired, Symantec intermediates. See https://bugzilla.mozilla.org/show_bug.cgi?id=966060
BUG=none
Review URL: https://codereview.chromium.org/152973003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@248578 0039d316-1c4b-4281-b951-d872f2087c98
---
 net/cert/cert_verify_proc.cc | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'net')
diff --git a/net/cert/cert_verify_proc.cc b/net/cert/cert_verify_proc.cc
index 798d902..04f330f 100644
--- a/net/cert/cert_verify_proc.cc
+++ b/net/cert/cert_verify_proc.cc
@@ -348,7 +348,7 @@ bool CertVerifyProc::IsBlacklisted(X509Certificate* cert) {
 // NOTE: This implementation assumes and enforces that the hashes are SHA1.
 bool CertVerifyProc::IsPublicKeyBlacklisted(
 const HashValueVector& public_key_hashes) {
- static const unsigned kNumHashes = 11;
+ static const unsigned kNumHashes = 14;
 static const uint8 kHashes[kNumHashes][base::kSHA1Length] = {
 // Subject: CN=DigiNotar Root CA
 // Issuer: CN=Entrust.net x2 and self-signed
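Review bot: `kNumHashes` is a hand-maintained count that has to be bumped in step with every row added to `kHashes`, and the two edits sit about fifty lines apart in this function. Too many rows for the count is a compile error, but a count that is larger than the number of rows compiles cleanly and leaves the extra rows zero-filled, so the loop at the end of the table would be checking against an all-zero hash without anyone noticing. Letting the table size itself removes that class of mistake: `static const uint8 kHashes[][base::kSHA1Length] = {` with the loop bound written as `i < arraysize(kHashes)` (assuming the `arraysize` macro from base is available in this file). The body of IsPublicKeyBlacklisted continues outside this hunk.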
@@ -397,6 +397,15 @@ bool CertVerifyProc::IsPublicKeyBlacklisted( // Expires: Jul 18 10:05:28 2014 GMT {0x3e, 0xcf, 0x4b, 0xbb, 0xe4, 0x60, 0x96, 0xd5, 0x14, 0xbb, 0x53, 0x9b, 0xb9, 0x13, 0xd7, 0x7a, 0xa4, 0xef, 0x31, 0xbf}, + // Three retired intermediate certificates from Symantec. No compromise; + // just for robustness. All expire May 17 23:59:59 2018. + // See https://bugzilla.mozilla.org/show_bug.cgi?id=966060 + {0x68, 0x5e, 0xec, 0x0a, 0x39, 0xf6, 0x68, 0xae, 0x8f, 0xd8, + 0x96, 0x4f, 0x98, 0x74, 0x76, 0xb4, 0x50, 0x4f, 0xd2, 0xbe}, + {0x0e, 0x50, 0x2d, 0x4d, 0xd1, 0xe1, 0x60, 0x36, 0x8a, 0x31, + 0xf0, 0x6a, 0x81, 0x04, 0x31, 0xba, 0x6f, 0x72, 0xc0, 0x41}, + {0x93, 0xd1, 0x53, 0x22, 0x29, 0xcc, 0x2a, 0xbd, 0x21, 0xdf, + 0xf5, 0x97, 0xee, 0x32, 0x0f, 0xe4, 0x24, 0x6f, 0x3d, 0x0c}, }; for (unsigned i = 0; i < kNumHashes; i++) { -- cgit v1.1
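Review bot: The three new rows are not individually identified, whereas the earlier entries in the table carry their own `// Subject:`, `// Issuer:` and `// Expires:` lines above each hash. Someone auditing the blocklist later cannot tell which row belongs to which Symantec intermediate, or confirm a value, without going back to the bug and recomputing the hashes. I would put a line such as `// Subject: CN=<intermediate name from bug 966060>` above each row. It would also help to say in the shared comment that the value is the SHA-1 of the certificate's public key (presumably the SubjectPublicKeyInfo, going by the function name), because a key-based entry also rejects any other certificate issued for the same key, independent of the expiry date quoted in the comment. The hunk starts and ends inside IsPublicKeyBlacklisted.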