diff --git a/DEPS b/DEPS index 3622a3d9..3effac4 100644 --- a/DEPS +++ b/DEPS
@@ -643,7 +643,7 @@ Var('chromium_git') + '/external/khronosgroup/webgl.git' + '@' + 'd458ada06171a85af00367251a4ed55db7fe2018', 'src/third_party/webrtc': - Var('webrtc_git') + '/src.git' + '@' + 'e1838ee1652fc4d5d5071782c1ab0fc726e4c66c', # commit position 20628 + Var('webrtc_git') + '/src.git' + '@' + '23f35d99ae2af40e3d366d75fbbdd80aa76b851a', # commit position 20628 'src/third_party/xdg-utils': { 'url': Var('chromium_git') + '/chromium/deps/xdg-utils.git' + '@' + 'd80274d5869b17b8c9067a1022e4416ee7ed5e0d',
diff --git a/android_webview/browser/aw_browser_context.cc b/android_webview/browser/aw_browser_context.cc index 461488a0..8faa2c3e 100644 --- a/android_webview/browser/aw_browser_context.cc +++ b/android_webview/browser/aw_browser_context.cc
@@ -65,6 +65,8 @@ namespace { +const base::FilePath::CharType kChannelIDFilename[] = "Origin Bound Certs"; + const void* const kDownloadManagerDelegateKey = &kDownloadManagerDelegateKey; // Shows notifications which correspond to PersistentPrefStore's reading errors. @@ -140,9 +142,9 @@ InitUserPrefService(); - url_request_context_getter_ = - new AwURLRequestContextGetter(cache_path, CreateProxyConfigService(), - user_pref_service_.get(), net_log); + url_request_context_getter_ = new AwURLRequestContextGetter( + cache_path, context_storage_path_.Append(kChannelIDFilename), + CreateProxyConfigService(), user_pref_service_.get(), net_log); scoped_refptr<base::SequencedTaskRunner> db_task_runner = base::CreateSequencedTaskRunnerWithTraits( @@ -219,12 +221,10 @@ pref_registry->RegisterBooleanPref(autofill::prefs::kAutofillEnabled, false); policy::URLBlacklistManager::RegisterProfilePrefs(pref_registry); - pref_registry->RegisterStringPref(prefs::kAuthServerWhitelist, std::string()); - pref_registry->RegisterStringPref(prefs::kAuthAndroidNegotiateAccountType, - std::string()); pref_registry->RegisterStringPref(prefs::kWebRestrictionsAuthority, std::string()); + AwURLRequestContextGetter::RegisterPrefs(pref_registry); metrics::MetricsService::RegisterPrefs(pref_registry); safe_browsing::RegisterProfilePrefs(pref_registry);
diff --git a/android_webview/browser/net/aw_url_request_context_getter.cc b/android_webview/browser/net/aw_url_request_context_getter.cc index 99117a3..76eb6fd7 100644 --- a/android_webview/browser/net/aw_url_request_context_getter.cc +++ b/android_webview/browser/net/aw_url_request_context_getter.cc
@@ -18,7 +18,6 @@ #include "android_webview/browser/net/init_native_callback.h" #include "android_webview/browser/net/token_binding_manager.h" #include "android_webview/common/aw_content_client.h" - #include "base/base_paths_android.h" #include "base/bind.h" #include "base/command_line.h" @@ -30,6 +29,7 @@ #include "base/threading/sequenced_worker_pool.h" #include "build/build_config.h" #include "components/network_session_configurator/common/network_switches.h" +#include "components/prefs/pref_registry_simple.h" #include "components/prefs/pref_service.h" #include "components/version_info/version_info.h" #include "content/public/browser/browser_thread.h" @@ -55,6 +55,8 @@ #include "net/proxy/proxy_service.h" #include "net/socket/next_proto.h" #include "net/ssl/channel_id_service.h" +#include "net/ssl/ssl_config.h" +#include "net/ssl/ssl_config_service.h" #include "net/url_request/data_protocol_handler.h" #include "net/url_request/file_protocol_handler.h" #include "net/url_request/url_request_context.h" @@ -77,7 +79,6 @@ bool g_check_cleartext_permitted = false; -const base::FilePath::CharType kChannelIDFilename[] = "Origin Bound Certs"; const char kProxyServerSwitch[] = "proxy-server"; void ApplyCmdlineOverridesToHostResolver( @@ -174,14 +175,34 @@ return job_factory; } +// For Android WebView, do not enforce the policies outlined in +// https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html +// as those will be handled by Android itself on its own schedule. Otherwise, +// it returns the default SSLConfig. +class AwSSLConfigService : public net::SSLConfigService { + public: + AwSSLConfigService() { default_config_.symantec_enforcement_disabled = true; } + + void GetSSLConfig(net::SSLConfig* config) override { + *config = default_config_; + } + + private: + ~AwSSLConfigService() override = default; + + net::SSLConfig default_config_; +}; + } // namespace AwURLRequestContextGetter::AwURLRequestContextGetter( const base::FilePath& cache_path, + const base::FilePath& channel_id_path, std::unique_ptr<net::ProxyConfigService> config_service, PrefService* user_pref_service, net::NetLog* net_log) : cache_path_(cache_path), + channel_id_path_(channel_id_path), net_log_(net_log), proxy_config_service_(std::move(config_service)), http_user_agent_settings_(new AwHttpUserAgentSettings()) { @@ -257,9 +278,6 @@ net::URLRequestContextBuilder builder; - AwBrowserContext* browser_context = AwBrowserContext::GetDefault(); - DCHECK(browser_context); - builder.set_network_delegate(std::make_unique<AwNetworkDelegate>()); #if !BUILDFLAG(DISABLE_FTP_SUPPORT) builder.set_ftp_enabled(false); // Android WebView does not support ftp yet. @@ -267,11 +285,9 @@ DCHECK(proxy_config_service_.get()); std::unique_ptr<net::ChannelIDService> channel_id_service; if (TokenBindingManager::GetInstance()->is_enabled()) { - base::FilePath channel_id_path = - browser_context->GetPath().Append(kChannelIDFilename); scoped_refptr<net::SQLiteChannelIDStore> channel_id_db; channel_id_db = new net::SQLiteChannelIDStore( - channel_id_path, + channel_id_path_, base::CreateSequencedTaskRunnerWithTraits( {base::MayBlock(), base::TaskPriority::BACKGROUND})); @@ -316,6 +332,8 @@ CreateAuthHandlerFactory(host_resolver.get())); builder.set_host_resolver(std::move(host_resolver)); + builder.set_ssl_config_service(base::MakeRefCounted<AwSSLConfigService>()); + url_request_context_ = builder.Build(); #if DCHECK_IS_ON() g_created_url_request_context_builder = true; @@ -330,6 +348,21 @@ http_user_agent_settings_.get()); } +// static +void AwURLRequestContextGetter::RegisterPrefs(PrefRegistrySimple* registry) { + registry->RegisterStringPref(prefs::kAuthServerWhitelist, std::string()); + registry->RegisterStringPref(prefs::kAuthAndroidNegotiateAccountType, + std::string()); +} + +// static +void AwURLRequestContextGetter::set_check_cleartext_permitted(bool permitted) { +#if DCHECK_IS_ON() + DCHECK(!g_created_url_request_context_builder); +#endif + g_check_cleartext_permitted = permitted; +} + net::URLRequestContext* AwURLRequestContextGetter::GetURLRequestContext() { DCHECK_CURRENTLY_ON(BrowserThread::IO); if (!url_request_context_) @@ -350,14 +383,6 @@ request_interceptors_.swap(request_interceptors); } -// static -void AwURLRequestContextGetter::set_check_cleartext_permitted(bool permitted) { -#if DCHECK_IS_ON() - DCHECK(!g_created_url_request_context_builder); -#endif - g_check_cleartext_permitted = permitted; -} - std::unique_ptr<net::HttpAuthHandlerFactory> AwURLRequestContextGetter::CreateAuthHandlerFactory( net::HostResolver* resolver) {
diff --git a/android_webview/browser/net/aw_url_request_context_getter.h b/android_webview/browser/net/aw_url_request_context_getter.h index 10254cfcf..e7f331f9 100644 --- a/android_webview/browser/net/aw_url_request_context_getter.h +++ b/android_webview/browser/net/aw_url_request_context_getter.h
@@ -18,6 +18,7 @@ #include "net/url_request/url_request_job_factory.h" class PrefService; +class PrefRegistrySimple; namespace net { class FileNetLogObserver; @@ -37,19 +38,22 @@ public: AwURLRequestContextGetter( const base::FilePath& cache_path, + const base::FilePath& channel_id_path, std::unique_ptr<net::ProxyConfigService> config_service, PrefService* pref_service, net::NetLog* net_log); + static void set_check_cleartext_permitted(bool permitted); + static void RegisterPrefs(PrefRegistrySimple* registry); + // net::URLRequestContextGetter implementation. net::URLRequestContext* GetURLRequestContext() override; scoped_refptr<base::SingleThreadTaskRunner> GetNetworkTaskRunner() const override; - static void set_check_cleartext_permitted(bool permitted); - private: friend class AwBrowserContext; + friend class AwURLRequestContextGetterTest; ~AwURLRequestContextGetter() override; // Prior to GetURLRequestContext() being called, this is called to hand over @@ -74,6 +78,7 @@ void UpdateAndroidAuthNegotiateAccountType(); const base::FilePath cache_path_; + const base::FilePath channel_id_path_; net::NetLog* net_log_; std::unique_ptr<net::ProxyConfigService> proxy_config_service_;
diff --git a/android_webview/browser/net/aw_url_request_context_getter_unittest.cc b/android_webview/browser/net/aw_url_request_context_getter_unittest.cc new file mode 100644 index 0000000..f99284c --- /dev/null +++ b/android_webview/browser/net/aw_url_request_context_getter_unittest.cc
@@ -0,0 +1,102 @@ +// Copyright 2017 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "android_webview/browser/net/aw_url_request_context_getter.h" + +#include <memory> + +#include "base/android/jni_android.h" +#include "base/files/scoped_temp_dir.h" +#include "base/memory/ref_counted.h" +#include "components/prefs/testing_pref_service.h" +#include "content/public/browser/browser_thread.h" +#include "content/public/common/url_constants.h" +#include "content/public/test/test_browser_thread_bundle.h" +#include "net/base/net_errors.h" +#include "net/log/net_log.h" +#include "net/proxy/proxy_config_service.h" +#include "net/proxy/proxy_service.h" +#include "net/ssl/ssl_config.h" +#include "net/ssl/ssl_config_service.h" +#include "net/test/url_request/url_request_failed_job.h" +#include "net/url_request/url_request_context.h" +#include "net/url_request/url_request_job_factory.h" +#include "testing/gtest/include/gtest/gtest.h" + +namespace android_webview { + +namespace { + +// A ProtocolHandler that will immediately fail all jobs. +class FailingProtocolHandler + : public net::URLRequestJobFactory::ProtocolHandler { + public: + net::URLRequestJob* MaybeCreateJob( + net::URLRequest* request, + net::NetworkDelegate* network_delegate) const override { + return new net::URLRequestFailedJob(request, network_delegate, + net::URLRequestFailedJob::START, + net::ERR_FAILED); + } +}; + +} // namespace + +class AwURLRequestContextGetterTest : public ::testing::Test { + public: + AwURLRequestContextGetterTest() = default; + + protected: + void SetUp() override { + ASSERT_TRUE(temp_dir_.CreateUniqueTempDir()); + env_ = base::android::AttachCurrentThread(); + ASSERT_TRUE(env_); + + pref_service_ = std::make_unique<TestingPrefServiceSimple>(); + android_webview::AwURLRequestContextGetter::RegisterPrefs( + pref_service_->registry()); + + getter_ = base::MakeRefCounted<android_webview::AwURLRequestContextGetter>( + temp_dir_.GetPath(), temp_dir_.GetPath().AppendASCII("ChannelID"), + net::ProxyService::CreateSystemProxyConfigService( + content::BrowserThread::GetTaskRunnerForThread( + content::BrowserThread::IO)), + pref_service_.get(), &net_log_); + + // AwURLRequestContextGetter implicitly depends on having protocol handlers + // provided for url::kBlobScheme, url::kFileSystemScheme, and + // content::kChromeUIScheme, so provide testing values here. + content::ProtocolHandlerMap fake_handlers; + fake_handlers[url::kBlobScheme].reset(new FailingProtocolHandler()); + fake_handlers[url::kFileSystemScheme].reset(new FailingProtocolHandler()); + fake_handlers[content::kChromeUIScheme].reset(new FailingProtocolHandler()); + content::URLRequestInterceptorScopedVector interceptors; + getter_->SetHandlersAndInterceptors(&fake_handlers, + std::move(interceptors)); + } + + content::TestBrowserThreadBundle thread_bundle_; + base::ScopedTempDir temp_dir_; + JNIEnv* env_; + net::NetLog net_log_; + std::unique_ptr<TestingPrefServiceSimple> pref_service_; + scoped_refptr<android_webview::AwURLRequestContextGetter> getter_; +}; + +// Tests that constraints on trust for Symantec-issued certificates are not +// enforced for the AwURLRequestContext(Getter), as it should behave like +// the Android system. +TEST_F(AwURLRequestContextGetterTest, SymantecPoliciesExempted) { + net::URLRequestContext* context = getter_->GetURLRequestContext(); + ASSERT_TRUE(context); + net::SSLConfigService* config_service = context->ssl_config_service(); + ASSERT_TRUE(config_service); + + net::SSLConfig config; + EXPECT_FALSE(config.symantec_enforcement_disabled); + config_service->GetSSLConfig(&config); + EXPECT_TRUE(config.symantec_enforcement_disabled); +} + +} // namespace android_webview
diff --git a/android_webview/test/BUILD.gn b/android_webview/test/BUILD.gn index c7edbf9..b0ccc2b 100644 --- a/android_webview/test/BUILD.gn +++ b/android_webview/test/BUILD.gn
@@ -262,7 +262,11 @@ ":android_webview_unittests_jni", "//android_webview:common", "//base/test:test_support", + "//components/prefs:prefs", + "//components/prefs:test_support", + "//content:content", "//content/test:test_support", + "//net:net", "//net:test_support", "//ui/base:ui_base_jni_headers", "//ui/gl", @@ -281,6 +285,7 @@ "../browser/input_stream_unittest.cc", "../browser/net/android_stream_reader_url_request_job_unittest.cc", "../browser/net/aw_cookie_store_wrapper_unittest.cc", + "../browser/net/aw_url_request_context_getter_unittest.cc", "../browser/net/input_stream_reader_unittest.cc", "../browser/permission/media_access_permission_request_unittest.cc", "../browser/permission/permission_request_handler_unittest.cc",
diff --git a/chrome/browser/ssl/ssl_browsertest.cc b/chrome/browser/ssl/ssl_browsertest.cc index 54de558..962c81e 100644 --- a/chrome/browser/ssl/ssl_browsertest.cc +++ b/chrome/browser/ssl/ssl_browsertest.cc
@@ -1853,6 +1853,12 @@ AuthState::NONE); } +IN_PROC_BROWSER_TEST_P(SSLUITest, SymantecEnforcementIsNotDisabled) { + bool net::SSLConfig::*member = &net::SSLConfig::symantec_enforcement_disabled; + ASSERT_NO_FATAL_FAILURE( + CheckSSLConfig(browser()->profile()->GetRequestContext(), member, false)); +} + // Visit a HTTP page which request WSS connection to a server providing invalid // certificate. Close the page while WSS connection waits for SSLManager's // response from UI thread.
diff --git a/net/BUILD.gn b/net/BUILD.gn index 2b9378e6..2168ac5 100644 --- a/net/BUILD.gn +++ b/net/BUILD.gn
@@ -2406,6 +2406,7 @@ "data/ssl/certificates/ct-test-embedded-with-intermediate-chain.pem", "data/ssl/certificates/ct-test-embedded-with-intermediate-preca-chain.pem", "data/ssl/certificates/ct-test-embedded-with-preca-chain.pem", + "data/ssl/certificates/dec_2017.pem", "data/ssl/certificates/diginotar_cyber_ca.pem", "data/ssl/certificates/diginotar_pkioverheid.pem", "data/ssl/certificates/diginotar_pkioverheid_g2.pem",
diff --git a/net/cert/cert_verifier.h b/net/cert/cert_verifier.h index 50cc833..2745942 100644 --- a/net/cert/cert_verifier.h +++ b/net/cert/cert_verifier.h
@@ -84,6 +84,10 @@ // match against the commonName of the certificate, but only if they are // issued by non-public trust anchors. VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS = 1 << 6, + + // If set, disables the policy enforcement described at + // https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html + VERIFY_DISABLE_SYMANTEC_ENFORCEMENT = 1 << 7, }; // Parameters to verify |certificate| against the supplied
diff --git a/net/cert/cert_verify_proc.cc b/net/cert/cert_verify_proc.cc index c2027f89..732bbd61 100644 --- a/net/cert/cert_verify_proc.cc +++ b/net/cert/cert_verify_proc.cc
@@ -30,6 +30,7 @@ #include "net/cert/internal/signature_algorithm.h" #include "net/cert/known_roots.h" #include "net/cert/ocsp_revocation_status.h" +#include "net/cert/symantec_certs.h" #include "net/cert/x509_certificate.h" #include "net/cert/x509_util.h" #include "net/der/encode_values.h" @@ -193,6 +194,23 @@ return start >= kSHA1DeprecationDate; } +// See +// https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html +// for more details. +bool IsUntrustedSymantecCert(const X509Certificate& cert) { + const base::Time& start = cert.valid_start(); + if (start.is_max() || start.is_null()) + return true; + // Certificates issued on/after 2017-12-01 00:00:00 UTC are no longer + // trusted. + const base::Time kSymantecDeprecationDate = + base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(1512086400); + if (start >= kSymantecDeprecationDate) + return true; + + return false; +} + void BestEffortCheckOCSP(const std::string& raw_response, const X509Certificate& certificate, OCSPVerifyResult* verify_result) { @@ -582,6 +600,17 @@ rv = MapCertStatusToNetError(verify_result->cert_status); } + // Distrust Symantec-issued certificates, as described at + // https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html + if (!(flags & CertVerifier::VERIFY_DISABLE_SYMANTEC_ENFORCEMENT) && + IsLegacySymantecCert(verify_result->public_key_hashes)) { + if (IsUntrustedSymantecCert(*verify_result->verified_cert)) { + verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID; + if (rv == OK || IsCertificateError(rv)) + rv = MapCertStatusToNetError(verify_result->cert_status); + } + } + // Flag certificates from publicly-trusted CAs that are issued to intranet // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit // these to be issued until 1 November 2015, they represent a real risk for
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc index 050f951..826c7420 100644 --- a/net/cert/cert_verify_proc_unittest.cc +++ b/net/cert/cert_verify_proc_unittest.cc
@@ -1461,6 +1461,63 @@ EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); } +// Tests that certificates issued by Symantec's legacy infrastructure +// are rejected according to the policies outlined in +// https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html +// unless the caller has explicitly disabled that enforcement. +TEST(CertVerifyProcTest, SymantecCertsRejected) { + constexpr SHA256HashValue kSymantecHashValue = { + {0xb2, 0xde, 0xf5, 0x36, 0x2a, 0xd3, 0xfa, 0xcd, 0x04, 0xbd, 0x29, + 0x04, 0x7a, 0x43, 0x84, 0x4f, 0x76, 0x70, 0x34, 0xea, 0x48, 0x92, + 0xf8, 0x0e, 0x56, 0xbe, 0xe6, 0x90, 0x24, 0x3e, 0x25, 0x02}}; + constexpr SHA256HashValue kGoogleHashValue = { + {0xec, 0x72, 0x29, 0x69, 0xcb, 0x64, 0x20, 0x0a, 0xb6, 0x63, 0x8f, + 0x68, 0xac, 0x53, 0x8e, 0x40, 0xab, 0xab, 0x5b, 0x19, 0xa6, 0x48, + 0x56, 0x61, 0x04, 0x2a, 0x10, 0x61, 0xc4, 0x61, 0x27, 0x76}}; + + scoped_refptr<X509Certificate> cert = CreateCertificateChainFromFile( + GetTestCertsDirectory(), "dec_2017.pem", X509Certificate::FORMAT_AUTO); + ASSERT_TRUE(cert); + + scoped_refptr<CertVerifyProc> verify_proc; + int error = 0; + + // Test that a Symantec certificate is rejected if issued after 2017-12-01. + CertVerifyResult symantec_result; + symantec_result.verified_cert = cert; + symantec_result.public_key_hashes.push_back(HashValue(kSymantecHashValue)); + symantec_result.is_issued_by_known_root = true; + verify_proc = base::MakeRefCounted<MockCertVerifyProc>(symantec_result); + + CertVerifyResult test_result_1; + error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), 0, + nullptr, CertificateList(), &test_result_1); + EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID)); + EXPECT_TRUE(test_result_1.cert_status & CERT_STATUS_AUTHORITY_INVALID); + + // ... Unless the Symantec cert chains through a whitelisted intermediate. + CertVerifyResult whitelisted_result; + whitelisted_result.verified_cert = cert; + whitelisted_result.public_key_hashes.push_back(HashValue(kSymantecHashValue)); + whitelisted_result.public_key_hashes.push_back(HashValue(kGoogleHashValue)); + whitelisted_result.is_issued_by_known_root = true; + verify_proc = base::MakeRefCounted<MockCertVerifyProc>(whitelisted_result); + + CertVerifyResult test_result_2; + error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), 0, + nullptr, CertificateList(), &test_result_2); + EXPECT_THAT(error, IsOk()); + EXPECT_FALSE(test_result_2.cert_status & CERT_STATUS_AUTHORITY_INVALID); + + // ... Or the caller disabled enforcement of Symantec policies. + CertVerifyResult test_result_3; + error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), + CertVerifier::VERIFY_DISABLE_SYMANTEC_ENFORCEMENT, + nullptr, CertificateList(), &test_result_3); + EXPECT_THAT(error, IsOk()); + EXPECT_FALSE(test_result_3.cert_status & CERT_STATUS_AUTHORITY_INVALID); +} + // While all SHA-1 certificates should be rejected, in the event that there // emerges some unexpected bug, test that the 'legacy' behaviour works // correctly - rejecting all SHA-1 certificates from publicly trusted CAs
diff --git a/net/cert/symantec_certs.cc b/net/cert/symantec_certs.cc index 3a1d388..fdaafdf 100644 --- a/net/cert/symantec_certs.cc +++ b/net/cert/symantec_certs.cc
@@ -193,9 +193,15 @@ {{0x72, 0x89, 0xc0, 0x6d, 0xed, 0xd1, 0x6b, 0x71, 0xa7, 0xdc, 0xca, 0x66, 0x57, 0x85, 0x72, 0xe2, 0xe1, 0x09, 0xb1, 0x1d, 0x70, 0xad, 0x04, 0xc2, 0x60, 0x1b, 0x67, 0x43, 0xbc, 0x66, 0xd0, 0x7b}}, + {{0x8b, 0xb5, 0x93, 0xa9, 0x3b, 0xe1, 0xd0, 0xe8, 0xa8, 0x22, 0xbb, + 0x88, 0x7c, 0x54, 0x78, 0x90, 0xc3, 0xe7, 0x06, 0xaa, 0xd2, 0xda, + 0xb7, 0x62, 0x54, 0xf9, 0x7f, 0xb3, 0x6b, 0x82, 0xfc, 0x26}}, {{0xb5, 0xcf, 0x82, 0xd4, 0x7e, 0xf9, 0x82, 0x3f, 0x9a, 0xa7, 0x8f, 0x12, 0x31, 0x86, 0xc5, 0x2e, 0x88, 0x79, 0xea, 0x84, 0xb0, 0xf8, 0x22, 0xc9, 0x1d, 0x83, 0xe0, 0x42, 0x79, 0xb7, 0x8f, 0xd5}}, + {{0xb9, 0x4c, 0x19, 0x83, 0x00, 0xce, 0xc5, 0xc0, 0x57, 0xad, 0x07, + 0x27, 0xb7, 0x0b, 0xbe, 0x91, 0x81, 0x69, 0x92, 0x25, 0x64, 0x39, + 0xa7, 0xb3, 0x2f, 0x45, 0x98, 0x11, 0x9d, 0xda, 0x9c, 0x97}}, {{0xc0, 0x55, 0x4b, 0xde, 0x87, 0xa0, 0x75, 0xec, 0x13, 0xa6, 0x1f, 0x27, 0x59, 0x83, 0xae, 0x02, 0x39, 0x57, 0x29, 0x4b, 0x45, 0x4c, 0xaf, 0x0a, 0x97, 0x24, 0xe3, 0xb2, 0x1b, 0x79, 0x35, 0xbc}}, @@ -212,11 +218,24 @@ const size_t kSymantecExceptionsLength = arraysize(kSymantecExceptions); +const SHA256HashValue kSymantecManagedCAs[] = { + {{0x7c, 0xac, 0x9a, 0x0f, 0xf3, 0x15, 0x38, 0x77, 0x50, 0xba, 0x8b, + 0xaf, 0xdb, 0x1c, 0x2b, 0xc2, 0x9b, 0x3f, 0x0b, 0xba, 0x16, 0x36, + 0x2c, 0xa9, 0x3a, 0x90, 0xf8, 0x4d, 0xa2, 0xdf, 0x5f, 0x3e}}, + {{0xac, 0x50, 0xb5, 0xfb, 0x73, 0x8a, 0xed, 0x6c, 0xb7, 0x81, 0xcc, + 0x35, 0xfb, 0xff, 0xf7, 0x78, 0x6f, 0x77, 0x10, 0x9a, 0xda, 0x7c, + 0x08, 0x86, 0x7c, 0x04, 0xa5, 0x73, 0xfd, 0x5c, 0xf9, 0xee}}, +}; + +const size_t kSymantecManagedCAsLength = arraysize(kSymantecManagedCAs); + bool IsLegacySymantecCert(const HashValueVector& public_key_hashes) { return IsAnySHA256HashInSortedArray(public_key_hashes, kSymantecRoots, kSymantecRootsLength) && - !IsAnySHA256HashInSortedArray(public_key_hashes, kSymantecExceptions, - kSymantecExceptionsLength); + !(IsAnySHA256HashInSortedArray(public_key_hashes, kSymantecExceptions, + kSymantecExceptionsLength) || + IsAnySHA256HashInSortedArray(public_key_hashes, kSymantecManagedCAs, + kSymantecManagedCAsLength)); } } // namespace net
diff --git a/net/cert/symantec_certs.h b/net/cert/symantec_certs.h index 88e4532..cf4ad4a 100644 --- a/net/cert/symantec_certs.h +++ b/net/cert/symantec_certs.h
@@ -17,12 +17,17 @@ // https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html // for details about why. // -// Independently operated sub-CAs are exempt from these policies, and are -// listed in |kSymantecExceptions|. -extern const SHA256HashValue kSymantecRoots[]; -extern const size_t kSymantecRootsLength; -extern const SHA256HashValue kSymantecExceptions[]; -extern const size_t kSymantecExceptionsLength; +// Pre-existing, independently operated sub-CAs are exempt from these +// policies, and are listed in |kSymantecExceptions|. +// +// The Managed Partner CAs are required to disclose via Certificate +// Transparency, and are listed in |kSymantecManagedCAs|. +NET_EXPORT_PRIVATE extern const SHA256HashValue kSymantecRoots[]; +NET_EXPORT_PRIVATE extern const size_t kSymantecRootsLength; +NET_EXPORT_PRIVATE extern const SHA256HashValue kSymantecExceptions[]; +NET_EXPORT_PRIVATE extern const size_t kSymantecExceptionsLength; +NET_EXPORT_PRIVATE extern const SHA256HashValue kSymantecManagedCAs[]; +NET_EXPORT_PRIVATE extern const size_t kSymantecManagedCAsLength; // Returns true if |public_key_hashes| contains a certificate issued from // Symantec's "legacy" PKI. This constraint excludes certificates that were
diff --git a/net/cert/symantec_certs_unittest.cc b/net/cert/symantec_certs_unittest.cc index dcb94ab4..b0c3df2 100644 --- a/net/cert/symantec_certs_unittest.cc +++ b/net/cert/symantec_certs_unittest.cc
@@ -4,6 +4,9 @@ #include "net/cert/symantec_certs.h" +#include <algorithm> + +#include "net/base/hash_value.h" #include "testing/gtest/include/gtest/gtest.h" namespace net { @@ -38,4 +41,16 @@ EXPECT_FALSE(IsLegacySymantecCert(hashes)); } +TEST(SymantecCertsTest, AreSortedArrays) { + ASSERT_TRUE(std::is_sorted(kSymantecRoots, + kSymantecRoots + kSymantecRootsLength, + SHA256HashValueLessThan())); + ASSERT_TRUE(std::is_sorted(kSymantecExceptions, + kSymantecExceptions + kSymantecExceptionsLength, + SHA256HashValueLessThan())); + ASSERT_TRUE(std::is_sorted(kSymantecManagedCAs, + kSymantecManagedCAs + kSymantecManagedCAsLength, + SHA256HashValueLessThan())); +} + } // namespace net
diff --git a/net/data/ssl/certificates/README b/net/data/ssl/certificates/README index 0940ae9..3c0f4ac 100644 --- a/net/data/ssl/certificates/README +++ b/net/data/ssl/certificates/README
@@ -185,11 +185,11 @@ - pre_june_2016.pem - post_june_2016.pem +- dec_2017.pem Certs to test that policies related to enforcing CT on Symantec are - properly gated on the issuance date. These files also contain legacy - Symantec roots to simulate a chain for testing the upcoming Symantec - distrust events; see https://g.co/chrome/symantecpkicerts. (Note, - however, that the leaf and root do not actually form a chain.) + properly gated on the issuance date. See + https://g.co/chrome/symantecpkicerts. (Note, however, that the leaf and + root do not actually form a chain.) - tls_feature_extension.pem A certificate that contains the TLS Feature Extension.
diff --git a/net/data/ssl/certificates/dec_2017.pem b/net/data/ssl/certificates/dec_2017.pem new file mode 100644 index 0000000..e0dff79 --- /dev/null +++ b/net/data/ssl/certificates/dec_2017.pem
@@ -0,0 +1,84 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 25 (0x19) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA + Validity + Not Before: Dec 20 00:00:00 2017 GMT + Not After : Dec 20 00:00:00 2020 GMT + Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:d0:c1:27:76:2d:56:e6:b9:e3:23:b9:b6:c3:0e: + f4:8c:cb:73:85:0e:45:ed:b8:ea:e6:21:b6:60:56: + 1d:b7:24:72:b9:51:72:68:07:22:9f:8f:fd:47:c7: + da:9b:7b:5c:ad:e8:f5:6a:72:4d:8b:e4:55:fc:c6: + 41:d8:53:5e:0a:ba:35:4e:bc:98:21:d0:c2:ae:f7: + ff:ec:8f:26:eb:a1:71:74:11:b7:21:fd:38:04:5a: + e5:42:3d:02:28:05:3a:8d:2d:9b:5e:7b:39:35:e4: + fe:59:a8:98:39:c7:6c:d1:9e:1a:d7:c3:11:78:cb: + 44:72:e4:a0:89:83:e2:f8:de:c9:46:3a:c5:71:7f: + af:ee:e5:ba:1f:fa:97:19:f0:d0:5c:32:81:d3:7d: + 80:99:70:49:2a:ba:c8:40:b0:32:51:ec:16:3b:4d: + 61:05:e2:dc:b9:24:f0:a6:6b:ad:cd:53:1d:cd:9a: + ba:bb:df:96:f1:ac:e6:5e:03:cb:98:07:da:21:6e: + 8c:ac:56:37:39:15:d4:ab:b0:43:d1:64:7a:05:59: + f8:f8:bd:4e:31:c7:8c:d6:23:e8:3d:99:ea:75:78: + 25:8d:1a:83:32:39:ec:ec:69:ef:76:cc:b6:cf:06: + 0e:1d:ca:ac:8c:b7:10:a7:d2:ec:18:86:7c:6f:20: + 9c:bf + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Key Identifier: + 4F:62:A1:56:D4:81:D5:18:65:C6:E0:DC:91:72:07:32:58:0C:79:EE + X509v3 Authority Key Identifier: + keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB + + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 Subject Alternative Name: + IP Address:127.0.0.1 + Signature Algorithm: sha256WithRSAEncryption + a5:16:f1:6f:8d:ab:b2:d7:c1:f6:98:98:d4:2d:8d:0f:85:09: + 65:73:f4:72:40:66:8b:28:f3:e4:d8:b8:8e:21:2b:9f:27:f2: + ab:0f:b6:e7:94:9a:1c:b1:58:9a:71:5e:79:d4:1b:9b:11:f3: + 52:ee:a2:00:85:75:d5:a0:6e:af:11:39:cd:72:f8:a8:57:09: + 09:4f:df:e7:42:26:63:08:a2:fb:19:ff:ab:97:e4:f1:01:7c: + df:e5:87:58:e7:90:e6:61:c0:f8:35:89:5f:4b:f2:f0:ae:cb: + 1a:69:3b:1f:0b:ac:38:18:28:5a:ca:92:75:fa:ee:56:69:dd: + dc:e8:c4:db:8f:84:20:d2:50:ee:34:32:e6:2f:90:aa:12:3d: + db:56:a3:38:0f:80:b7:f5:32:b6:12:b8:30:1c:14:84:83:4e: + 7b:42:49:16:ef:1e:b0:3a:f5:03:30:72:86:1f:0d:77:1a:7b: + 44:8b:60:e4:34:49:d8:b0:af:8d:a6:f1:08:70:b3:69:54:5f: + e0:2f:6d:42:2f:ff:68:07:fd:cf:c1:f7:fa:e7:5f:fe:1f:93: + ba:02:01:29:69:37:97:6a:16:03:7f:2d:0c:b2:2a:d8:43:13: + ed:cf:1b:2d:1f:b0:f3:b6:e1:98:cb:92:d3:26:5e:f4:a7:a3: + 90:de:6a:ab +-----BEGIN CERTIFICATE----- +MIIDvzCCAqegAwIBAgIBGTANBgkqhkiG9w0BAQsFADBjMQswCQYDVQQGEwJVUzET +MBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEQMA4G +A1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290IENBMB4XDTE3MTIyMDAw +MDAwMFoXDTIwMTIyMDAwMDAwMFowYDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNh +bGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3Qg +Q0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBANDBJ3YtVua54yO5tsMO9IzLc4UORe246uYhtmBWHbckcrlRcmgHIp+P +/UfH2pt7XK3o9WpyTYvkVfzGQdhTXgq6NU68mCHQwq73/+yPJuuhcXQRtyH9OARa +5UI9AigFOo0tm157OTXk/lmomDnHbNGeGtfDEXjLRHLkoImD4vjeyUY6xXF/r+7l +uh/6lxnw0FwygdN9gJlwSSq6yECwMlHsFjtNYQXi3Lkk8KZrrc1THc2aurvflvGs +5l4Dy5gH2iFujKxWNzkV1KuwQ9FkegVZ+Pi9TjHHjNYj6D2Z6nV4JY0agzI57Oxp +73bMts8GDh3KrIy3EKfS7BiGfG8gnL8CAwEAAaOBgDB+MAwGA1UdEwEB/wQCMAAw +HQYDVR0OBBYEFE9ioVbUgdUYZcbg3JFyBzJYDHnuMB8GA1UdIwQYMBaAFJsmC4qY +qbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAP +BgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQClFvFvjauy18H2mJjU +LY0PhQllc/RyQGaLKPPk2LiOISufJ/KrD7bnlJocsViacV551BubEfNS7qIAhXXV +oG6vETnNcvioVwkJT9/nQiZjCKL7Gf+rl+TxAXzf5YdY55DmYcD4NYlfS/Lwrssa +aTsfC6w4GChaypJ1+u5Wad3c6MTbj4Qg0lDuNDLmL5CqEj3bVqM4D4C39TK2Ergw +HBSEg057QkkW7x6wOvUDMHKGHw13GntEi2DkNEnYsK+NpvEIcLNpVF/gL21CL/9o +B/3Pwff651/+H5O6AgEpaTeXahYDfy0MsirYQxPtzxstH7DztuGYy5LTJl70p6OQ +3mqr +-----END CERTIFICATE-----
diff --git a/net/data/ssl/scripts/generate-test-certs.sh b/net/data/ssl/scripts/generate-test-certs.sh index 33ff78c..7f798c7 100755 --- a/net/data/ssl/scripts/generate-test-certs.sh +++ b/net/data/ssl/scripts/generate-test-certs.sh
@@ -463,6 +463,22 @@ /bin/sh -c "cat out/common_name_only.key out/common_name_only.pem \ > ../certificates/common_name_only.pem" +# Issued after 1 Dec 2017 (Symantec Legacy Distrust Date) +openssl req \ + -config ../scripts/ee.cnf \ + -newkey rsa:2048 \ + -text \ + -out out/dec_2017.req +CA_NAME="req_ca_dn" \ + openssl ca \ + -batch \ + -extensions user_cert \ + -startdate 171220000000Z \ + -enddate 201220000000Z \ + -in out/dec_2017.req \ + -out ../certificates/dec_2017.pem \ + -config ca.cnf + # Regenerate CRLSets ## Block a leaf cert directly by SPKI python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \
diff --git a/net/data/ssl/symantec/README.md b/net/data/ssl/symantec/README.md index f4926bb..4d8219d1 100644 --- a/net/data/ssl/symantec/README.md +++ b/net/data/ssl/symantec/README.md
@@ -1,15 +1,17 @@ # Symantec Certificates This directory contains the set of known active and legacy root certificates -operated by Symantec Corporation. In order for certificates issued from -roots to be trusted, it is required that the certificates be logged using -Certificate Transparency. +that were operated by Symantec Corporation. In order for certificates issued +from these roots to be trusted, it is required that they comply with the +policies outlined at <https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html>. -For details about why, see <https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html> +The exceptions to this are: + * Pre-existing independently operated sub-CAs, whose keys were and are not + controled by Symantec and which maintain current and appropriate audits. + * The set of Managed CAs in accordance with the above policies. -The exception to this is sub-CAs which have been disclosed as independently -operated, whose keys are not in control of Symantec, and which are -maintaining a current and appropriate audit. +In addition to the above, no changes exist from the Certificate Transparency +requirement outlined at <https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html> ## Roots @@ -34,6 +36,14 @@ * [ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b.pem](excluded/ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b.pem) * [a4fe7c7f15155f3f0aef7aaa83cf6e06deb97ca3f909df920ac1490882d488ed.pem](excluded/a4fe7c7f15155f3f0aef7aaa83cf6e06deb97ca3f909df920ac1490882d488ed.pem) +### DigiCert + +[WebTrust Audit](https://cert.webtrust.org/ViewSeal?id=2228) +[Certification Practices Statement](https://www.digicert.com/CPS) + + * [8bb593a93be1d0e8a822bb887c547890c3e706aad2dab76254f97fb36b82fc26.pem](excluded/8bb593a93be1d0e8a822bb887c547890c3e706aad2dab76254f97fb36b82fc26.pem) + * [b94c198300cec5c057ad0727b70bbe91816992256439a7b32f4598119dda9c97.pem](excluded/b94c198300cec5c057ad0727b70bbe91816992256439a7b32f4598119dda9c97.pem) + ### Google [WebTrust Audit](https://cert.webtrust.org/ViewSeal?id=1941) @@ -41,3 +51,9 @@ * [c3f697a92a293d86f9a3ee7ccb970e20e0050b8728cc83ed1b996ce9005d4c36.pem](excluded/c3f697a92a293d86f9a3ee7ccb970e20e0050b8728cc83ed1b996ce9005d4c36.pem) +## Excluded Managed CAs + +### DigiCert + + * [7cac9a0ff315387750ba8bafdb1c2bc29b3f0bba16362ca93a90f84da2df5f3e.pem](managed/7cac9a0ff315387750ba8bafdb1c2bc29b3f0bba16362ca93a90f84da2df5f3e.pem) + * [ac50b5fb738aed6cb781cc35fbfff7786f77109ada7c08867c04a573fd5cf9ee.pem](managed/ac50b5fb738aed6cb781cc35fbfff7786f77109ada7c08867c04a573fd5cf9ee.pem)
diff --git a/net/data/ssl/symantec/excluded/8bb593a93be1d0e8a822bb887c547890c3e706aad2dab76254f97fb36b82fc26.pem b/net/data/ssl/symantec/excluded/8bb593a93be1d0e8a822bb887c547890c3e706aad2dab76254f97fb36b82fc26.pem new file mode 100644 index 0000000..f6d561e --- /dev/null +++ b/net/data/ssl/symantec/excluded/8bb593a93be1d0e8a822bb887c547890c3e706aad2dab76254f97fb36b82fc26.pem
@@ -0,0 +1,103 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 63:18:0d:38:fb:80:97:78:a9:d0:35:a3:16:18:f8:40 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5 + Validity + Not Before: Nov 6 00:00:00 2017 GMT + Not After : Nov 5 23:59:59 2022 GMT + Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:bb:37:cd:34:dc:7b:6b:c9:b2:68:90:ad:4a:75: + ff:46:ba:21:0a:08:8d:f5:19:54:c9:fb:88:db:f3: + ae:f2:3a:89:91:3c:7a:e6:ab:06:1a:6b:cf:ac:2d: + e8:5e:09:24:44:ba:62:9a:7e:d6:a3:a8:7e:e0:54: + 75:20:05:ac:50:b7:9c:63:1a:6c:30:dc:da:1f:19: + b1:d7:1e:de:fd:d7:e0:cb:94:83:37:ae:ec:1f:43: + 4e:dd:7b:2c:d2:bd:2e:a5:2f:e4:a9:b8:ad:3a:d4: + 99:a4:b6:25:e9:9b:6b:00:60:92:60:ff:4f:21:49: + 18:f7:67:90:ab:61:06:9c:8f:f2:ba:e9:b4:e9:92: + 32:6b:b5:f3:57:e8:5d:1b:cd:8c:1d:ab:95:04:95: + 49:f3:35:2d:96:e3:49:6d:dd:77:e3:fb:49:4b:b4: + ac:55:07:a9:8f:95:b3:b4:23:bb:4c:6d:45:f0:f6: + a9:b2:95:30:b4:fd:4c:55:8c:27:4a:57:14:7c:82: + 9d:cd:73:92:d3:16:4a:06:0c:8c:50:d1:8f:1e:09: + be:17:a1:e6:21:ca:fd:83:e5:10:bc:83:a5:0a:c4: + 67:28:f6:73:14:14:3d:46:76:c3:87:14:89:21:34: + 4d:af:0f:45:0c:a6:49:a1:ba:bb:9c:c5:b1:33:83: + 29:85 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 4E:22:54:20:18:95:E6:E3:6E:E6:0F:FA:FA:B9:12:ED:06:17:8F:39 + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Certificate Policies: + Policy: X509v3 Any Policy + CPS: https://d.symcb.com/cps + User Notice: + Explicit Text: https://d.symcb.com/rpa + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://s.symcb.com/pca3-g5.crl + + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://s.symcd.com + + X509v3 Authority Key Identifier: + keyid:7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33 + + Signature Algorithm: sha256WithRSAEncryption + 50:dd:d3:56:29:25:01:8a:9e:a7:e5:7d:4d:b9:af:1b:8c:a2: + d2:27:35:e5:9d:eb:1c:6a:f3:c4:08:ca:45:06:52:08:28:7d: + a6:73:a9:8b:d9:7a:ff:c2:44:88:04:3a:ec:a8:03:b7:b0:17: + 26:a0:93:7e:9f:c5:77:d0:ee:49:7a:5a:ed:10:01:58:4b:24: + 43:5d:fb:bb:f1:99:47:9f:a9:2f:57:9f:e3:3d:41:44:08:43: + 3f:85:d3:74:c7:c5:9d:2e:91:a3:24:ca:9f:b3:41:06:e6:a1: + e3:f9:46:b1:a6:e7:16:0f:8e:39:c1:e6:b8:ce:52:bb:85:44: + 7e:30:0f:1f:ab:46:1d:d4:71:0a:8f:87:3c:4d:c8:1a:40:81: + cc:6b:82:87:af:8e:3c:71:0e:bd:7b:70:8f:10:24:61:44:d8: + 3e:44:02:93:d8:8e:d2:95:a5:73:2e:f6:81:ff:cc:b2:9b:6a: + 0c:08:4b:28:aa:24:53:f1:d6:d7:83:7e:5a:28:46:26:9b:39: + f7:3b:f9:a7:07:b6:c6:51:df:c4:52:b9:08:7f:b1:55:6a:68: + 18:65:dd:5f:4b:34:1e:83:57:07:a9:fd:23:6b:a7:87:a6:fa: + b6:6d:39:7e:71:61:47:6a:af:fc:e0:a9:47:7b:94:61:d0:2b: + 26:a5:9c:e7 +-----BEGIN CERTIFICATE----- +MIIE3zCCA8egAwIBAgIQYxgNOPuAl3ip0DWjFhj4QDANBgkqhkiG9w0BAQsFADCB +yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL +ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp +U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW +ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0 +aG9yaXR5IC0gRzUwHhcNMTcxMTA2MDAwMDAwWhcNMjIxMTA1MjM1OTU5WjBhMQsw +CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cu +ZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBHMjCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALs3zTTce2vJsmiQrUp1/0a6 +IQoIjfUZVMn7iNvzrvI6iZE8euarBhprz6wt6F4JJES6Ypp+1qOofuBUdSAFrFC3 +nGMabDDc2h8Zsdce3v3X4MuUgzeu7B9DTt17LNK9LqUv5Km4rTrUmaS2JembawBg +kmD/TyFJGPdnkKthBpyP8rrptOmSMmu181foXRvNjB2rlQSVSfM1LZbjSW3dd+P7 +SUu0rFUHqY+Vs7Qju0xtRfD2qbKVMLT9TFWMJ0pXFHyCnc1zktMWSgYMjFDRjx4J +vheh5iHK/YPlELyDpQrEZyj2cxQUPUZ2w4cUiSE0Ta8PRQymSaG6u5zFsTODKYUC +AwEAAaOCAScwggEjMB0GA1UdDgQWBBROIlQgGJXm427mD/r6uRLtBhePOTAPBgNV +HRMBAf8EBTADAQH/MF8GA1UdIARYMFYwVAYEVR0gADBMMCMGCCsGAQUFBwIBFhdo +dHRwczovL2Quc3ltY2IuY29tL2NwczAlBggrBgEFBQcCAjAZDBdodHRwczovL2Qu +c3ltY2IuY29tL3JwYTAvBgNVHR8EKDAmMCSgIqAghh5odHRwOi8vcy5zeW1jYi5j +b20vcGNhMy1nNS5jcmwwDgYDVR0PAQH/BAQDAgGGMC4GCCsGAQUFBwEBBCIwIDAe +BggrBgEFBQcwAYYSaHR0cDovL3Muc3ltY2QuY29tMB8GA1UdIwQYMBaAFH/TZafC +3ey78DAJ80M5+gKvMzEzMA0GCSqGSIb3DQEBCwUAA4IBAQBQ3dNWKSUBip6n5X1N +ua8bjKLSJzXlnescavPECMpFBlIIKH2mc6mL2Xr/wkSIBDrsqAO3sBcmoJN+n8V3 +0O5JelrtEAFYSyRDXfu78ZlHn6kvV5/jPUFECEM/hdN0x8WdLpGjJMqfs0EG5qHj ++UaxpucWD445wea4zlK7hUR+MA8fq0Yd1HEKj4c8TcgaQIHMa4KHr448cQ69e3CP +ECRhRNg+RAKT2I7SlaVzLvaB/8yym2oMCEsoqiRT8dbXg35aKEYmmzn3O/mnB7bG +Ud/EUrkIf7FVamgYZd1fSzQeg1cHqf0ja6eHpvq2bTl+cWFHaq/84KlHe5Rh0Csm +pZzn +-----END CERTIFICATE-----
diff --git a/net/data/ssl/symantec/excluded/b94c198300cec5c057ad0727b70bbe91816992256439a7b32f4598119dda9c97.pem b/net/data/ssl/symantec/excluded/b94c198300cec5c057ad0727b70bbe91816992256439a7b32f4598119dda9c97.pem new file mode 100644 index 0000000..73543a3 --- /dev/null +++ b/net/data/ssl/symantec/excluded/b94c198300cec5c057ad0727b70bbe91816992256439a7b32f4598119dda9c97.pem
@@ -0,0 +1,76 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 3d:cd:5f:22:5e:a4:c9:6d:4b:90:94:a0:2d:2b:56:c6 + Signature Algorithm: ecdsa-with-SHA384 + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2007 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G4 + Validity + Not Before: Nov 6 00:00:00 2017 GMT + Not After : Nov 5 23:59:59 2022 GMT + Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G3 + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:dd:a7:d9:bb:8a:b8:0b:fb:0b:7f:21:d2:f0:be: + be:73:f3:33:5d:1a:bc:34:ea:de:c6:9b:bc:d0:95: + f6:f0:cc:d0:0b:ba:61:5b:51:46:7e:9e:2d:9f:ee: + 8e:63:0c:17:ec:07:70:f5:cf:84:2e:40:83:9c:e8: + 3f:41:6d:3b:ad:d3:a4:14:59:36:78:9d:03:43:ee: + 10:13:6c:72:de:ae:88:a7:a1:6b:b5:43:ce:67:dc: + 23:ff:03:1c:a3:e2:3e + ASN1 OID: secp384r1 + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + B3:DB:48:A4:F9:A1:C5:D8:AE:36:41:CC:11:63:69:62:29:BC:4B:C6 + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Certificate Policies: + Policy: X509v3 Any Policy + CPS: https://d.symcb.com/cps + User Notice: + Explicit Text: https://d.symcb.com/rpa + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://s.symcb.com/pca3-g4.crl + + Authority Information Access: + OCSP - URI:http://s.symcd.com + + X509v3 Authority Key Identifier: + keyid:B3:16:91:FD:EE:A6:6E:E4:B5:2E:49:8F:87:78:81:80:EC:E5:B1:B5 + + Signature Algorithm: ecdsa-with-SHA384 + 30:65:02:31:00:f7:91:70:39:bc:f0:9b:8f:73:b1:c1:bf:cb: + 62:a2:06:ef:04:f3:eb:bf:ee:4a:cf:a9:fb:02:21:17:c1:af: + 77:bc:cc:34:ff:2d:79:54:b3:8e:57:46:fb:9e:9d:f8:05:02: + 30:26:bf:8d:dd:63:bd:65:80:46:cd:4f:12:82:21:79:e4:cf: + 71:09:3b:fd:ac:90:3f:34:3d:ba:0c:0c:d9:5f:80:88:88:c9: + 92:af:93:24:4e:44:c9:1c:ed:40:24:15:23 +-----BEGIN CERTIFICATE----- +MIIDkDCCAxagAwIBAgIQPc1fIl6kyW1LkJSgLStWxjAKBggqhkjOPQQDAzCByjEL +MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW +ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNyBWZXJpU2ln +biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp +U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y +aXR5IC0gRzQwHhcNMTcxMTA2MDAwMDAwWhcNMjIxMTA1MjM1OTU5WjBhMQswCQYD +VQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGln +aWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBHMzB2MBAG +ByqGSM49AgEGBSuBBAAiA2IABN2n2buKuAv7C38h0vC+vnPzM10avDTq3sabvNCV +9vDM0Au6YVtRRn6eLZ/ujmMMF+wHcPXPhC5Ag5zoP0FtO63TpBRZNnidA0PuEBNs +ct6uiKeha7VDzmfcI/8DHKPiPqOCAScwggEjMA4GA1UdDwEB/wQEAwIBhjAdBgNV +HQ4EFgQUs9tIpPmhxdiuNkHMEWNpYim8S8YwDwYDVR0TAQH/BAUwAwEB/zBfBgNV +HSAEWDBWMFQGBFUdIAAwTDAjBggrBgEFBQcCARYXaHR0cHM6Ly9kLnN5bWNiLmNv +bS9jcHMwJQYIKwYBBQUHAgIwGQwXaHR0cHM6Ly9kLnN5bWNiLmNvbS9ycGEwLwYD +VR0fBCgwJjAkoCKgIIYeaHR0cDovL3Muc3ltY2IuY29tL3BjYTMtZzQuY3JsMC4G +CCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL3Muc3ltY2QuY29tMB8G +A1UdIwQYMBaAFLMWkf3upm7ktS5Jj4d4gYDs5bG1MAoGCCqGSM49BAMDA2gAMGUC +MQD3kXA5vPCbj3Oxwb/LYqIG7wTz67/uSs+p+wIhF8Gvd7zMNP8teVSzjldG+56d ++AUCMCa/jd1jvWWARs1PEoIheeTPcQk7/ayQPzQ9ugwM2V+AiIjJkq+TJE5EyRzt +QCQVIw== +-----END CERTIFICATE-----
diff --git a/net/data/ssl/symantec/managed/7cac9a0ff315387750ba8bafdb1c2bc29b3f0bba16362ca93a90f84da2df5f3e.pem b/net/data/ssl/symantec/managed/7cac9a0ff315387750ba8bafdb1c2bc29b3f0bba16362ca93a90f84da2df5f3e.pem new file mode 100644 index 0000000..b1efd79 --- /dev/null +++ b/net/data/ssl/symantec/managed/7cac9a0ff315387750ba8bafdb1c2bc29b3f0bba16362ca93a90f84da2df5f3e.pem
@@ -0,0 +1,73 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 79:c6:70:41:b4:62:32:04:39:4d:d0:42:fb:6e:96:80 + Signature Algorithm: ecdsa-with-SHA384 + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2007 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G4 + Validity + Not Before: Nov 6 00:00:00 2017 GMT + Not After : Nov 5 23:59:59 2022 GMT + Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Transition ECC Root + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:5a:ff:46:dc:c9:ae:bd:2c:e7:1c:56:97:e4:fa: + eb:d5:c6:ff:75:53:23:5e:c6:b0:7d:ac:ac:57:3a: + 9f:94:50:07:0d:f1:f3:4d:51:0d:7d:fd:88:41:82: + 3f:1c:7f:fb:c3:1e:fa:f6:eb:d4:37:ff:fe:18:9d: + 01:83:2a:80:3a + ASN1 OID: prime256v1 + X509v3 extensions: + X509v3 Subject Key Identifier: + CF:37:24:66:74:19:7E:7F:A3:64:E4:BD:99:36:34:8B:7D:FB:42:BE + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Certificate Policies: + Policy: X509v3 Any Policy + CPS: https://d.symcb.com/cps + User Notice: + Explicit Text: https://d.symcb.com/rpa + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://s.symcb.com/pca3-g4.crl + + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://s.symcd.com + + X509v3 Authority Key Identifier: + keyid:B3:16:91:FD:EE:A6:6E:E4:B5:2E:49:8F:87:78:81:80:EC:E5:B1:B5 + + Signature Algorithm: ecdsa-with-SHA384 + 30:64:02:30:58:17:b0:44:e7:e3:c4:09:ba:de:bd:db:84:d9: + ca:b1:71:fb:68:5d:56:7a:68:d8:3a:ce:e3:a0:af:02:5e:80: + 7b:60:f0:97:de:0d:13:26:35:50:fe:ba:84:bd:d9:1b:02:30: + 08:2c:18:cf:8f:72:e1:b5:dc:2a:91:76:09:00:bf:80:3a:f0: + 79:4b:29:7f:89:c2:db:b6:4d:26:c6:6d:94:14:a6:40:78:9a: + ac:ab:af:96:52:63:f9:51:31:52:f6:f8 +-----BEGIN CERTIFICATE----- +MIIDdzCCAv6gAwIBAgIQecZwQbRiMgQ5TdBC+26WgDAKBggqhkjOPQQDAzCByjEL +MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW +ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNyBWZXJpU2ln +biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp +U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y +aXR5IC0gRzQwHhcNMTcxMTA2MDAwMDAwWhcNMjIxMTA1MjM1OTU5WjBmMQswCQYD +VQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGln +aWNlcnQuY29tMSUwIwYDVQQDExxEaWdpQ2VydCBUcmFuc2l0aW9uIEVDQyBSb290 +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWv9G3MmuvSznHFaX5Prr1cb/dVMj +XsawfaysVzqflFAHDfHzTVENff2IQYI/HH/7wx769uvUN//+GJ0BgyqAOqOCAScw +ggEjMB0GA1UdDgQWBBTPNyRmdBl+f6Nk5L2ZNjSLfftCvjAPBgNVHRMBAf8EBTAD +AQH/MF8GA1UdIARYMFYwVAYEVR0gADBMMCMGCCsGAQUFBwIBFhdodHRwczovL2Qu +c3ltY2IuY29tL2NwczAlBggrBgEFBQcCAjAZDBdodHRwczovL2Quc3ltY2IuY29t +L3JwYTAvBgNVHR8EKDAmMCSgIqAghh5odHRwOi8vcy5zeW1jYi5jb20vcGNhMy1n +NC5jcmwwDgYDVR0PAQH/BAQDAgGGMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcw +AYYSaHR0cDovL3Muc3ltY2QuY29tMB8GA1UdIwQYMBaAFLMWkf3upm7ktS5Jj4d4 +gYDs5bG1MAoGCCqGSM49BAMDA2cAMGQCMFgXsETn48QJut6924TZyrFx+2hdVnpo +2DrO46CvAl6Ae2Dwl94NEyY1UP66hL3ZGwIwCCwYz49y4bXcKpF2CQC/gDrweUsp +f4nC27ZNJsZtlBSmQHiarKuvllJj+VExUvb4 +-----END CERTIFICATE-----
diff --git a/net/data/ssl/symantec/managed/ac50b5fb738aed6cb781cc35fbfff7786f77109ada7c08867c04a573fd5cf9ee.pem b/net/data/ssl/symantec/managed/ac50b5fb738aed6cb781cc35fbfff7786f77109ada7c08867c04a573fd5cf9ee.pem new file mode 100644 index 0000000..8f9d5c7 --- /dev/null +++ b/net/data/ssl/symantec/managed/ac50b5fb738aed6cb781cc35fbfff7786f77109ada7c08867c04a573fd5cf9ee.pem
@@ -0,0 +1,103 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 78:ae:a4:31:c1:5c:eb:75:7b:0d:8a:61:0a:74:8e:67 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5 + Validity + Not Before: Nov 6 00:00:00 2017 GMT + Not After : Nov 5 23:59:59 2022 GMT + Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Transition RSA Root + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:b0:3e:d8:46:63:32:df:49:1f:61:6d:ae:df:c9: + 7f:2b:b1:63:a1:a7:e6:46:35:34:0e:d4:a5:3d:12: + af:04:6a:d5:f8:ba:a7:65:93:ec:66:c5:ca:eb:68: + 01:24:69:1f:af:b0:a3:59:af:3c:5b:39:44:29:60: + 6e:8b:41:98:49:21:d8:18:13:d3:41:55:fe:aa:22: + 7e:a7:51:4a:a6:d0:23:5f:73:84:a2:9c:b4:cb:17: + d0:65:24:87:e9:80:cb:b7:3c:a1:10:f5:97:b5:0d: + 9d:ec:f7:ba:5b:a3:0b:65:eb:12:75:a9:46:74:0d: + 80:d7:08:13:93:21:57:c6:38:3d:a8:4b:3b:0b:6f: + 18:e5:b3:4c:f7:c2:cd:18:f9:58:2d:03:33:1b:fc: + 16:dd:90:4e:c2:1f:37:9c:d6:7b:61:96:f1:c5:26: + 87:52:e3:e2:a4:f8:15:e5:4c:22:e9:09:2b:95:d1: + 93:f9:3a:39:76:74:2a:0b:80:be:be:0e:d3:10:0b: + e2:e1:48:a6:24:05:69:3d:17:fd:c7:37:21:b2:b0: + e3:77:47:39:87:01:e0:4e:db:23:e8:f9:39:9f:36: + 46:66:23:1e:c7:22:51:44:3f:33:c5:f5:76:a9:f8: + 06:b0:79:cc:ee:41:dc:71:8e:0d:50:8e:b0:3c:48: + ab:f5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 90:47:8A:1B:84:D3:A0:DF:A4:24:D6:19:B4:17:F5:21:A3:B2:9B:A8 + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Certificate Policies: + Policy: X509v3 Any Policy + CPS: https://d.symcb.com/cps + User Notice: + Explicit Text: https://d.symcb.com/rpa + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://s.symcb.com/pca3-g5.crl + + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://s.symcd.com + + X509v3 Authority Key Identifier: + keyid:7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33 + + Signature Algorithm: sha256WithRSAEncryption + 89:c4:a9:58:d9:16:5d:80:c5:9d:b0:ec:c5:56:48:5a:51:29: + 5a:01:89:94:56:cd:cd:2a:b9:b0:16:b7:4b:ea:17:69:f0:7c: + 4c:28:fe:73:85:4f:3c:f9:85:83:99:11:43:f7:5a:e0:a2:f8: + 43:8c:9a:2c:e3:83:f8:05:50:99:dc:f0:e7:ef:36:3b:36:48: + ff:5d:a3:18:d0:cb:c1:41:68:18:f1:f6:8f:0c:97:1c:4c:2a: + 69:17:dc:3f:24:20:5a:e4:26:61:c8:fe:e5:92:10:bf:4d:9e: + ec:f2:6e:ca:67:1e:46:b8:e3:f8:b0:69:e7:51:cf:26:cf:05: + 91:cf:1d:b7:c6:3a:89:41:78:2b:6e:eb:13:7a:4b:9d:da:88: + 0e:bd:53:08:8d:38:4d:17:5c:65:c9:42:d3:9b:35:36:e2:7e: + 60:df:e6:c3:24:e3:d0:fc:8b:36:1e:5a:38:bc:d4:c7:8c:3b: + 07:35:64:22:46:de:66:8a:34:5b:50:c5:42:95:68:dd:0c:84: + be:2c:e4:e4:2e:42:00:60:f9:1e:d7:0d:3d:40:a6:f0:3b:5d: + 9b:17:07:b7:f2:30:47:e4:8b:06:d7:a2:06:37:2b:3c:a2:a9: + 82:e8:0d:a3:e3:1b:4c:e5:91:43:fe:3d:78:b9:03:8a:e0:d6: + c1:05:a8:2c +-----BEGIN CERTIFICATE----- +MIIE5DCCA8ygAwIBAgIQeK6kMcFc63V7DYphCnSOZzANBgkqhkiG9w0BAQsFADCB +yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL +ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp +U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW +ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0 +aG9yaXR5IC0gRzUwHhcNMTcxMTA2MDAwMDAwWhcNMjIxMTA1MjM1OTU5WjBmMQsw +CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cu +ZGlnaWNlcnQuY29tMSUwIwYDVQQDExxEaWdpQ2VydCBUcmFuc2l0aW9uIFJTQSBS +b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsD7YRmMy30kfYW2u +38l/K7FjoafmRjU0DtSlPRKvBGrV+LqnZZPsZsXK62gBJGkfr7CjWa88WzlEKWBu +i0GYSSHYGBPTQVX+qiJ+p1FKptAjX3OEopy0yxfQZSSH6YDLtzyhEPWXtQ2d7Pe6 +W6MLZesSdalGdA2A1wgTkyFXxjg9qEs7C28Y5bNM98LNGPlYLQMzG/wW3ZBOwh83 +nNZ7YZbxxSaHUuPipPgV5Uwi6QkrldGT+To5dnQqC4C+vg7TEAvi4UimJAVpPRf9 +xzchsrDjd0c5hwHgTtsj6Pk5nzZGZiMexyJRRD8zxfV2qfgGsHnM7kHccY4NUI6w +PEir9QIDAQABo4IBJzCCASMwHQYDVR0OBBYEFJBHihuE06DfpCTWGbQX9SGjspuo +MA8GA1UdEwEB/wQFMAMBAf8wXwYDVR0gBFgwVjBUBgRVHSAAMEwwIwYIKwYBBQUH +AgEWF2h0dHBzOi8vZC5zeW1jYi5jb20vY3BzMCUGCCsGAQUFBwICMBkMF2h0dHBz +Oi8vZC5zeW1jYi5jb20vcnBhMC8GA1UdHwQoMCYwJKAioCCGHmh0dHA6Ly9zLnN5 +bWNiLmNvbS9wY2EzLWc1LmNybDAOBgNVHQ8BAf8EBAMCAYYwLgYIKwYBBQUHAQEE +IjAgMB4GCCsGAQUFBzABhhJodHRwOi8vcy5zeW1jZC5jb20wHwYDVR0jBBgwFoAU +f9Nlp8Ld7LvwMAnzQzn6Aq8zMTMwDQYJKoZIhvcNAQELBQADggEBAInEqVjZFl2A +xZ2w7MVWSFpRKVoBiZRWzc0qubAWt0vqF2nwfEwo/nOFTzz5hYOZEUP3WuCi+EOM +mizjg/gFUJnc8OfvNjs2SP9doxjQy8FBaBjx9o8MlxxMKmkX3D8kIFrkJmHI/uWS +EL9NnuzybspnHka44/iwaedRzybPBZHPHbfGOolBeCtu6xN6S53aiA69UwiNOE0X +XGXJQtObNTbifmDf5sMk49D8izYeWji81MeMOwc1ZCJG3maKNFtQxUKVaN0MhL4s +5OQuQgBg+R7XDT1ApvA7XZsXB7fyMEfkiwbXogY3KzyiqYLoDaPjG0zlkUP+PXi5 +A4rg1sEFqCw= +-----END CERTIFICATE-----
diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc index 20bf386..a4df218 100644 --- a/net/http/transport_security_state.cc +++ b/net/http/transport_security_state.cc
@@ -946,9 +946,12 @@ const base::Time epoch = base::Time::UnixEpoch(); const CTRequiredPolicies& ct_required_policies = GetCTRequiredPolicies(); + + bool found = false; for (const auto& restricted_ca : ct_required_policies) { - if (epoch + restricted_ca.effective_date > - validated_certificate_chain->valid_start()) { + if (!restricted_ca.effective_date.is_zero() && + (epoch + restricted_ca.effective_date > + validated_certificate_chain->valid_start())) { // The candidate cert is not subject to the CT policy, because it // was issued before the effective CT date. continue; @@ -963,15 +966,21 @@ // Found a match, indicating this certificate is potentially // restricted. Determine if any of the hashes are on the exclusion // list as exempt from the CT requirement. - if (IsAnySHA256HashInSortedArray(public_key_hashes, + if (restricted_ca.exceptions && + IsAnySHA256HashInSortedArray(public_key_hashes, restricted_ca.exceptions, restricted_ca.exceptions_length)) { // Found an excluded sub-CA; CT is not required. - return default_response; + continue; } - // No exception found. This certificate must conform to the CT policy. - return complies ? CT_REQUIREMENTS_MET : CT_REQUIREMENTS_NOT_MET; + + // No exception found. This certificate must conform to the CT policy. The + // compliance state is treated as additive - it must comply with all + // stated policies. + found = true; } + if (found) + return complies ? CT_REQUIREMENTS_MET : CT_REQUIREMENTS_NOT_MET; return default_response; }
diff --git a/net/http/transport_security_state_ct_policies.inc b/net/http/transport_security_state_ct_policies.inc index d01cbd2..f7ea8e5 100644 --- a/net/http/transport_security_state_ct_policies.inc +++ b/net/http/transport_security_state_ct_policies.inc
@@ -20,7 +20,8 @@ size_t roots_length; // The date at which enforcement should begin, relative to the Unix - // Epoch. + // Epoch. If equivalent to zero (base::TimeDelta()), then it is enforced + // for all certificates. base::TimeDelta effective_date; // However, if a certificate ALSO chains to or through one of @@ -33,7 +34,7 @@ size_t exceptions_length; }; -typedef CTRequiredPolicy CTRequiredPolicies[1]; +typedef CTRequiredPolicy CTRequiredPolicies[2]; const CTRequiredPolicies& GetCTRequiredPolicies() { static const CTRequiredPolicy kCTRequiredPolicies[] = { @@ -41,8 +42,12 @@ { kSymantecRoots, kSymantecRootsLength, // 1 June 2016, 00:00:00 GMT. - base::TimeDelta::FromSeconds(1464739200), kSymantecExceptions, - kSymantecExceptionsLength, + base::TimeDelta::FromSeconds(1464739200), + kSymantecExceptions, kSymantecExceptionsLength, + }, + { + kSymantecManagedCAs, kSymantecManagedCAsLength, + base::TimeDelta(), nullptr, 0 }, };
diff --git a/net/http/transport_security_state_unittest.cc b/net/http/transport_security_state_unittest.cc index c82eed3..130566e 100644 --- a/net/http/transport_security_state_unittest.cc +++ b/net/http/transport_security_state_unittest.cc
@@ -2357,11 +2357,11 @@ ImportCertFromFile(GetTestCertsDirectory(), "post_june_2016.pem"); ASSERT_TRUE(after_cert); - SHA256HashValue symantec_hash_value = { + const SHA256HashValue symantec_hash_value = { {0xb2, 0xde, 0xf5, 0x36, 0x2a, 0xd3, 0xfa, 0xcd, 0x04, 0xbd, 0x29, 0x04, 0x7a, 0x43, 0x84, 0x4f, 0x76, 0x70, 0x34, 0xea, 0x48, 0x92, 0xf8, 0x0e, 0x56, 0xbe, 0xe6, 0x90, 0x24, 0x3e, 0x25, 0x02}}; - SHA256HashValue google_hash_value = { + const SHA256HashValue google_hash_value = { {0xec, 0x72, 0x29, 0x69, 0xcb, 0x64, 0x20, 0x0a, 0xb6, 0x63, 0x8f, 0x68, 0xac, 0x53, 0x8e, 0x40, 0xab, 0xab, 0x5b, 0x19, 0xa6, 0x48, 0x56, 0x61, 0x04, 0x2a, 0x10, 0x61, 0xc4, 0x61, 0x27, 0x76}}; @@ -2473,6 +2473,93 @@ ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS)); } +// Tests that Certificate Transparency is required for all of the Symantec +// Managed CAs, regardless of when the certificate was issued. +TEST_F(TransportSecurityStateTest, RequireCTForSymantecManagedCAs) { + const SHA256HashValue symantec_hash_value = { + {0xb2, 0xde, 0xf5, 0x36, 0x2a, 0xd3, 0xfa, 0xcd, 0x04, 0xbd, 0x29, + 0x04, 0x7a, 0x43, 0x84, 0x4f, 0x76, 0x70, 0x34, 0xea, 0x48, 0x92, + 0xf8, 0x0e, 0x56, 0xbe, 0xe6, 0x90, 0x24, 0x3e, 0x25, 0x02}}; + const SHA256HashValue managed_hash_value = { + {0x7c, 0xac, 0x9a, 0x0f, 0xf3, 0x15, 0x38, 0x77, 0x50, 0xba, 0x8b, + 0xaf, 0xdb, 0x1c, 0x2b, 0xc2, 0x9b, 0x3f, 0x0b, 0xba, 0x16, 0x36, + 0x2c, 0xa9, 0x3a, 0x90, 0xf8, 0x4d, 0xa2, 0xdf, 0x5f, 0x3e}}; + + TransportSecurityState state; + + HashValueVector hashes; + hashes.push_back(HashValue(symantec_hash_value)); + hashes.push_back(HashValue(managed_hash_value)); + + // All certificates, both before and after the pre-existing 1 June 2016 + // date, are expected to be compliant. + scoped_refptr<X509Certificate> before_cert = + ImportCertFromFile(GetTestCertsDirectory(), "pre_june_2016.pem"); + ASSERT_TRUE(before_cert); + + EXPECT_EQ( + TransportSecurityState::CT_REQUIREMENTS_NOT_MET, + state.CheckCTRequirements( + HostPortPair("www.example.com", 443), true, hashes, before_cert.get(), + before_cert.get(), SignedCertificateTimestampAndStatusList(), + TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, + ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS)); + EXPECT_EQ( + TransportSecurityState::CT_REQUIREMENTS_NOT_MET, + state.CheckCTRequirements( + HostPortPair("www.example.com", 443), true, hashes, before_cert.get(), + before_cert.get(), SignedCertificateTimestampAndStatusList(), + TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, + ct::CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS)); + EXPECT_EQ( + TransportSecurityState::CT_REQUIREMENTS_MET, + state.CheckCTRequirements( + HostPortPair("www.example.com", 443), true, hashes, before_cert.get(), + before_cert.get(), SignedCertificateTimestampAndStatusList(), + TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, + ct::CTPolicyCompliance::CT_POLICY_BUILD_NOT_TIMELY)); + EXPECT_EQ( + TransportSecurityState::CT_REQUIREMENTS_MET, + state.CheckCTRequirements( + HostPortPair("www.example.com", 443), true, hashes, before_cert.get(), + before_cert.get(), SignedCertificateTimestampAndStatusList(), + TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, + ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS)); + + scoped_refptr<X509Certificate> after_cert = + ImportCertFromFile(GetTestCertsDirectory(), "post_june_2016.pem"); + ASSERT_TRUE(after_cert); + + EXPECT_EQ( + TransportSecurityState::CT_REQUIREMENTS_NOT_MET, + state.CheckCTRequirements( + HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), + after_cert.get(), SignedCertificateTimestampAndStatusList(), + TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, + ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS)); + EXPECT_EQ( + TransportSecurityState::CT_REQUIREMENTS_NOT_MET, + state.CheckCTRequirements( + HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), + after_cert.get(), SignedCertificateTimestampAndStatusList(), + TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, + ct::CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS)); + EXPECT_EQ( + TransportSecurityState::CT_REQUIREMENTS_MET, + state.CheckCTRequirements( + HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), + after_cert.get(), SignedCertificateTimestampAndStatusList(), + TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, + ct::CTPolicyCompliance::CT_POLICY_BUILD_NOT_TIMELY)); + EXPECT_EQ( + TransportSecurityState::CT_REQUIREMENTS_MET, + state.CheckCTRequirements( + HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), + after_cert.get(), SignedCertificateTimestampAndStatusList(), + TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, + ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS)); +} + // Tests that dynamic Expect-CT state is cleared from ClearDynamicData(). TEST_F(TransportSecurityStateTest, DynamicExpectCTStateCleared) { base::test::ScopedFeatureList feature_list;
diff --git a/net/ssl/ssl_config.cc b/net/ssl/ssl_config.cc index 23b140c5..72d63d83 100644 --- a/net/ssl/ssl_config.cc +++ b/net/ssl/ssl_config.cc
@@ -26,6 +26,7 @@ rev_checking_required_local_anchors(false), sha1_local_anchors_enabled(true), common_name_fallback_local_anchors_enabled(true), + symantec_enforcement_disabled(false), version_min(kDefaultSSLVersionMin), version_max(kDefaultSSLVersionMax), tls13_variant(kDefaultTLS13Variant), @@ -69,6 +70,9 @@ flags |= CertVerifier::VERIFY_ENABLE_SHA1_LOCAL_ANCHORS; if (common_name_fallback_local_anchors_enabled) flags |= CertVerifier::VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS; + if (symantec_enforcement_disabled) + flags |= CertVerifier::VERIFY_DISABLE_SYMANTEC_ENFORCEMENT; + return flags; }
diff --git a/net/ssl/ssl_config.h b/net/ssl/ssl_config.h index 1cef729..32f6902 100644 --- a/net/ssl/ssl_config.h +++ b/net/ssl/ssl_config.h
@@ -92,6 +92,11 @@ // (non-public) trust anchor will be allowed to match. bool common_name_fallback_local_anchors_enabled; + // symantec_enforcement_disabled is true if the policies outlined in + // https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html + // should not be enforced. + bool symantec_enforcement_disabled; + // The minimum and maximum protocol versions that are enabled. // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined above.) // SSL 2.0 and SSL 3.0 are not supported. If version_max < version_min, it
diff --git a/net/ssl/ssl_config_unittest.cc b/net/ssl/ssl_config_unittest.cc index 437edd5..e3fca97 100644 --- a/net/ssl/ssl_config_unittest.cc +++ b/net/ssl/ssl_config_unittest.cc
@@ -15,32 +15,25 @@ bool rev_checking_enabled, bool verify_ev_cert, bool cert_io_enabled, - bool rev_checking_required_local_anchors) { + bool rev_checking_required_local_anchors, + bool symantec_enforcement_disabled) { ssl_config->rev_checking_enabled = rev_checking_enabled; ssl_config->verify_ev_cert = verify_ev_cert; ssl_config->cert_io_enabled = cert_io_enabled; ssl_config->rev_checking_required_local_anchors = rev_checking_required_local_anchors; + ssl_config->symantec_enforcement_disabled = symantec_enforcement_disabled; + int flags = ssl_config->GetCertVerifyFlags(); - if (rev_checking_enabled) - EXPECT_TRUE(flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED); - else - EXPECT_FALSE(flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED); - if (verify_ev_cert) - EXPECT_TRUE(flags & CertVerifier::VERIFY_EV_CERT); - else - EXPECT_FALSE(flags & CertVerifier::VERIFY_EV_CERT); - if (cert_io_enabled) - EXPECT_TRUE(flags & CertVerifier::VERIFY_CERT_IO_ENABLED); - else - EXPECT_FALSE(flags & CertVerifier::VERIFY_CERT_IO_ENABLED); - if (rev_checking_required_local_anchors) { - EXPECT_TRUE(flags & - CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS); - } else { - EXPECT_FALSE(flags & - CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS); - } + EXPECT_EQ(rev_checking_enabled, + !!(flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED)); + EXPECT_EQ(verify_ev_cert, !!(flags & CertVerifier::VERIFY_EV_CERT)); + EXPECT_EQ(cert_io_enabled, !!(flags & CertVerifier::VERIFY_CERT_IO_ENABLED)); + EXPECT_EQ( + rev_checking_required_local_anchors, + !!(flags & CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS)); + EXPECT_EQ(symantec_enforcement_disabled, + !!(flags & CertVerifier::VERIFY_DISABLE_SYMANTEC_ENFORCEMENT)); } } // namespace @@ -51,37 +44,50 @@ /*rev_checking_enabled=*/true, /*verify_ev_cert=*/true, /*cert_io_enabled=*/true, - /*rev_checking_required_local_anchors=*/true); + /*rev_checking_required_local_anchors=*/true, + /*symantec_enforcement_disabled=*/true); CheckCertVerifyFlags(&ssl_config, /*rev_checking_enabled=*/false, /*verify_ev_cert=*/false, /*cert_io_enabled=*/false, - /*rev_checking_required_local_anchors=*/false); + /*rev_checking_required_local_anchors=*/false, + /*symantec_enforcement_disabled=*/false); CheckCertVerifyFlags(&ssl_config, /*rev_checking_enabled=*/true, /*verify_ev_cert=*/false, /*cert_io_enabled=*/false, - /*rev_checking_required_local_anchors=*/false); + /*rev_checking_required_local_anchors=*/false, + /*symantec_enforcement_disabled=*/false); CheckCertVerifyFlags(&ssl_config, /*rev_checking_enabled=*/false, /*verify_ev_cert=*/true, /*cert_io_enabled=*/false, - /*rev_checking_required_local_anchors=*/false); + /*rev_checking_required_local_anchors=*/false, + /*symantec_enforcement_disabled=*/false); CheckCertVerifyFlags(&ssl_config, /*rev_checking_enabled=*/false, /*verify_ev_cert=*/false, /*cert_io_enabled=*/true, - /*rev_checking_required_local_anchors=*/false); + /*rev_checking_required_local_anchors=*/false, + /*symantec_enforcement_disabled=*/false); CheckCertVerifyFlags(&ssl_config, /*rev_checking_enabled=*/false, /*verify_ev_cert=*/false, /*cert_io_enabled=*/false, - /*rev_checking_required_local_anchors=*/true); + /*rev_checking_required_local_anchors=*/true, + /*symantec_enforcement_disabled=*/false); + + CheckCertVerifyFlags(&ssl_config, + /*rev_checking_enabled=*/false, + /*verify_ev_cert=*/false, + /*cert_io_enabled=*/true, + /*rev_checking_required_local_anchors=*/false, + /*symantec_enforcement_disabled=*/true); } } // namespace net