net/cert/cert_verify_proc_whitelist.cc - chromium/src - Git at Google

 // Copyright (c) 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include "net/cert/cert_verify_proc_whitelist.h"

 #include <cstdlib>

 #include "net/base/lookup_string_in_fixed_set.h"
 #include "net/cert/x509_certificate.h"

 namespace net {

 namespace {

 // clang-format off
 // SHA-256 hashes of the subjectPublicKeyInfos of root certificates owned
 // or operated by WoSign, including that of StartCom. For the certificates,
 // see //net/data/ssl/wosign.
 const uint8_t kWosignKeys[][crypto::kSHA256Length] = {
     { 0x15, 0x28, 0x39, 0x7d, 0xa2, 0x12, 0x89, 0x0a,
       0x83, 0x0b, 0x0b, 0x95, 0xa5, 0x99, 0x68, 0xce,
       0xf2, 0x34, 0x77, 0x37, 0x79, 0xdf, 0x51, 0x81,
       0xcf, 0x10, 0xfa, 0x64, 0x75, 0x34, 0xbb, 0x65 },
     { 0x38, 0x1a, 0x3f, 0xc7, 0xa8, 0xb0, 0x82, 0xfa,
       0x28, 0x61, 0x3a, 0x4d, 0x07, 0xf2, 0xc7, 0x55,
       0x3f, 0x4e, 0x19, 0x18, 0xee, 0x07, 0xca, 0xa9,
       0xe8, 0xb7, 0xce, 0xde, 0x5a, 0x9c, 0xa0, 0x6a },
     { 0x7a, 0xed, 0xdd, 0xf3, 0x6b, 0x18, 0xf8, 0xac,
       0xb7, 0x37, 0x9f, 0xe1, 0xce, 0x18, 0x32, 0x12,
       0xb2, 0x35, 0x0d, 0x07, 0x88, 0xab, 0xe0, 0xe8,
       0x24, 0x57, 0xbe, 0x9b, 0xad, 0xad, 0x6d, 0x54 },
     { 0x9d, 0x98, 0xa1, 0xfb, 0x60, 0x53, 0x8c, 0x4c,
       0xc4, 0x85, 0x7f, 0xf1, 0xa8, 0xc8, 0x03, 0x4f,
       0xaf, 0x6f, 0xc5, 0x92, 0x09, 0x3f, 0x61, 0x99,
       0x94, 0xb2, 0xc8, 0x13, 0xd2, 0x50, 0xb8, 0x64 },
     { 0xd6, 0xa1, 0x84, 0x43, 0xd3, 0x48, 0xdb, 0x99,
       0x4f, 0x93, 0x4c, 0xcd, 0x8e, 0x63, 0x5d, 0x83,
       0x3a, 0x27, 0xac, 0x1e, 0x56, 0xf8, 0xaf, 0xaf,
       0x7c, 0x97, 0xcb, 0x4f, 0x43, 0xea, 0xb6, 0x8b },
     { 0xdb, 0x15, 0xc0, 0x06, 0x2b, 0x52, 0x0f, 0x31,
       0x8a, 0x19, 0xda, 0xcf, 0xec, 0xd6, 0x4f, 0x9e,
       0x7a, 0x3f, 0xbe, 0x60, 0x9f, 0xd5, 0x86, 0x79,
       0x6f, 0x20, 0xae, 0x02, 0x8e, 0x8e, 0x30, 0x58 },
     { 0xe4, 0x2f, 0x24, 0xbd, 0x4d, 0x37, 0xf4, 0xaa,
       0x2e, 0x56, 0xb9, 0x79, 0xd8, 0x3d, 0x1e, 0x65,
       0x21, 0x9f, 0xe0, 0xe9, 0xe3, 0xa3, 0x82, 0xa1,
       0xb3, 0xcb, 0x66, 0xc9, 0x39, 0x55, 0xde, 0x75 },
 };
 // clang-format on

 // Comparator to compare a (SHA-256) HashValue with a uint8_t array containing
 // a raw SHA-256 hash. Return value follows memcmp semantics.
 int CompareHashValueToRawHash(const void* key, const void* element) {
   const HashValue* search_key = reinterpret_cast<const HashValue*>(key);
   return memcmp(search_key->data(), element, search_key->size());
 }

 namespace wosign {
 #include "net/data/ssl/wosign/wosign_domains-inc.cc"
 }  // namespace

 }  // namespace

 bool IsNonWhitelistedCertificate(const X509Certificate& cert,
                                  const HashValueVector& public_key_hashes,
                                  base::StringPiece hostname) {
   for (const auto& hash : public_key_hashes) {
     if (hash.tag != HASH_VALUE_SHA256)
       continue;

     // Check for WoSign/StartCom certificates.
     if (bsearch(&hash, kWosignKeys, arraysize(kWosignKeys),
                 crypto::kSHA256Length, CompareHashValueToRawHash) != nullptr) {
       // 2016-10-21 00:00:00 UTC
       const base::Time last_wosign_cert =
           base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(1477008000);

       // Don't allow new certificates.
       if (cert.valid_start().is_null() || cert.valid_start().is_max() ||
           cert.valid_start() > last_wosign_cert) {
         return true;
       }

       // Don't allow certificates from non-whitelisted hosts.
       return !IsWhitelistedHost(wosign::kDafsa, arraysize(wosign::kDafsa),
                                 hostname);
     }
   }
   return false;
 }

 bool IsWhitelistedHost(const unsigned char* graph,
                        size_t graph_length,
                        base::StringPiece host) {
   if (host.empty())
     return false;

   size_t end = host.length();

   // Skip trailing '.', if any.
   if (host[end - 1] == '.') {
     --end;
   }

   // Reverse through each of the domain components, trying to see if the
   // domain is on the whitelist. For example, the string
   // "www.domain.example.com" would be processed by first searching
   // for "com", then "example.com", then "domain.example.com". The
   // loop will terminate when there are no more distinct label separators,
   // and thus the final check for "www.domain.example.com".
   size_t start = end;
   while (start != 0 &&
          (start = host.rfind('.', start - 1)) != base::StringPiece::npos) {
     const char* domain_str = host.data() + start + 1;
     size_t domain_length = end - start - 1;
     if (domain_length == 0)
       return false;
     if (LookupStringInFixedSet(graph, graph_length, domain_str,
                                domain_length) != kDafsaNotFound) {
       return true;
     }
   }

   return LookupStringInFixedSet(graph, graph_length, host.data(), end) !=
          kDafsaNotFound;
 }

 }  // namespace net
	// Copyright (c) 2015 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include "net/cert/cert_verify_proc_whitelist.h"

	#include <cstdlib>

	#include "net/base/lookup_string_in_fixed_set.h"
	#include "net/cert/x509_certificate.h"

	namespace net {

	namespace {

	// clang-format off
	// SHA-256 hashes of the subjectPublicKeyInfos of root certificates owned
	// or operated by WoSign, including that of StartCom. For the certificates,
	// see //net/data/ssl/wosign.
	const uint8_t kWosignKeys[][crypto::kSHA256Length] = {
	{ 0x15, 0x28, 0x39, 0x7d, 0xa2, 0x12, 0x89, 0x0a,
	0x83, 0x0b, 0x0b, 0x95, 0xa5, 0x99, 0x68, 0xce,
	0xf2, 0x34, 0x77, 0x37, 0x79, 0xdf, 0x51, 0x81,
	0xcf, 0x10, 0xfa, 0x64, 0x75, 0x34, 0xbb, 0x65 },
	{ 0x38, 0x1a, 0x3f, 0xc7, 0xa8, 0xb0, 0x82, 0xfa,
	0x28, 0x61, 0x3a, 0x4d, 0x07, 0xf2, 0xc7, 0x55,
	0x3f, 0x4e, 0x19, 0x18, 0xee, 0x07, 0xca, 0xa9,
	0xe8, 0xb7, 0xce, 0xde, 0x5a, 0x9c, 0xa0, 0x6a },
	{ 0x7a, 0xed, 0xdd, 0xf3, 0x6b, 0x18, 0xf8, 0xac,
	0xb7, 0x37, 0x9f, 0xe1, 0xce, 0x18, 0x32, 0x12,
	0xb2, 0x35, 0x0d, 0x07, 0x88, 0xab, 0xe0, 0xe8,
	0x24, 0x57, 0xbe, 0x9b, 0xad, 0xad, 0x6d, 0x54 },
	{ 0x9d, 0x98, 0xa1, 0xfb, 0x60, 0x53, 0x8c, 0x4c,
	0xc4, 0x85, 0x7f, 0xf1, 0xa8, 0xc8, 0x03, 0x4f,
	0xaf, 0x6f, 0xc5, 0x92, 0x09, 0x3f, 0x61, 0x99,
	0x94, 0xb2, 0xc8, 0x13, 0xd2, 0x50, 0xb8, 0x64 },
	{ 0xd6, 0xa1, 0x84, 0x43, 0xd3, 0x48, 0xdb, 0x99,
	0x4f, 0x93, 0x4c, 0xcd, 0x8e, 0x63, 0x5d, 0x83,
	0x3a, 0x27, 0xac, 0x1e, 0x56, 0xf8, 0xaf, 0xaf,
	0x7c, 0x97, 0xcb, 0x4f, 0x43, 0xea, 0xb6, 0x8b },
	{ 0xdb, 0x15, 0xc0, 0x06, 0x2b, 0x52, 0x0f, 0x31,
	0x8a, 0x19, 0xda, 0xcf, 0xec, 0xd6, 0x4f, 0x9e,
	0x7a, 0x3f, 0xbe, 0x60, 0x9f, 0xd5, 0x86, 0x79,
	0x6f, 0x20, 0xae, 0x02, 0x8e, 0x8e, 0x30, 0x58 },
	{ 0xe4, 0x2f, 0x24, 0xbd, 0x4d, 0x37, 0xf4, 0xaa,
	0x2e, 0x56, 0xb9, 0x79, 0xd8, 0x3d, 0x1e, 0x65,
	0x21, 0x9f, 0xe0, 0xe9, 0xe3, 0xa3, 0x82, 0xa1,
	0xb3, 0xcb, 0x66, 0xc9, 0x39, 0x55, 0xde, 0x75 },
	};
	// clang-format on

	// Comparator to compare a (SHA-256) HashValue with a uint8_t array containing
	// a raw SHA-256 hash. Return value follows memcmp semantics.
	int CompareHashValueToRawHash(const void* key, const void* element) {
	const HashValue* search_key = reinterpret_cast<const HashValue*>(key);
	return memcmp(search_key->data(), element, search_key->size());
	}

	namespace wosign {
	#include "net/data/ssl/wosign/wosign_domains-inc.cc"
	} // namespace

	} // namespace

	bool IsNonWhitelistedCertificate(const X509Certificate& cert,
	const HashValueVector& public_key_hashes,
	base::StringPiece hostname) {
	for (const auto& hash : public_key_hashes) {
	if (hash.tag != HASH_VALUE_SHA256)
	continue;

	// Check for WoSign/StartCom certificates.
	if (bsearch(&hash, kWosignKeys, arraysize(kWosignKeys),
	crypto::kSHA256Length, CompareHashValueToRawHash) != nullptr) {
	// 2016-10-21 00:00:00 UTC
	const base::Time last_wosign_cert =
	base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(1477008000);

	// Don't allow new certificates.
	if (cert.valid_start().is_null() \|\| cert.valid_start().is_max() \|\|
	cert.valid_start() > last_wosign_cert) {
	return true;
	}

	// Don't allow certificates from non-whitelisted hosts.
	return !IsWhitelistedHost(wosign::kDafsa, arraysize(wosign::kDafsa),
	hostname);
	}
	}
	return false;
	}

	bool IsWhitelistedHost(const unsigned char* graph,
	size_t graph_length,
	base::StringPiece host) {
	if (host.empty())
	return false;

	size_t end = host.length();

	// Skip trailing '.', if any.
	if (host[end - 1] == '.') {
	--end;
	}

	// Reverse through each of the domain components, trying to see if the
	// domain is on the whitelist. For example, the string
	// "www.domain.example.com" would be processed by first searching
	// for "com", then "example.com", then "domain.example.com". The
	// loop will terminate when there are no more distinct label separators,
	// and thus the final check for "www.domain.example.com".
	size_t start = end;
	while (start != 0 &&
	(start = host.rfind('.', start - 1)) != base::StringPiece::npos) {
	const char* domain_str = host.data() + start + 1;
	size_t domain_length = end - start - 1;
	if (domain_length == 0)
	return false;
	if (LookupStringInFixedSet(graph, graph_length, domain_str,
	domain_length) != kDafsaNotFound) {
	return true;
	}
	}

	return LookupStringInFixedSet(graph, graph_length, host.data(), end) !=
	kDafsaNotFound;
	}

	} // namespace net