Blacklist the Superfish root certificate

The Superfish software causes certificate errors on every HTTPS page load
starting in M57, because it uses SHA-1 signatures. We've decided to blacklist
the root to prevent these errors from being bypassable and guide users into
cleaning up their machines. Blacklisting the root will also protect users who
may have uninstalled the software but not the root, or for whom SHA-1 is allowed
by policy.

BUG=734590

Change-Id: I99d38b0d8940d52dfc3355b9ca3aa619ddfec3ee
Reviewed-on: https://chromium-review.googlesource.com/565747
Commit-Queue: Emily Stark <estark@chromium.org>
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#485422}

net/cert/cert_verify_proc_blacklist.inc

@@ -51,6 +51,10 @@ static constexpr uint8_t
         {0x45, 0x5b, 0x87, 0xe9, 0x6f, 0x1c, 0xea, 0x2f, 0x8b, 0x6d, 0xae,
          0x08, 0x08, 0xec, 0x24, 0x73, 0x8f, 0xd9, 0x2b, 0x7f, 0xd3, 0x06,
          0x75, 0x71, 0x98, 0xbf, 0x38, 0x9d, 0x75, 0x5c, 0x0b, 0x6c},
+        // b6fe9151402bad1c06d7e66db67a26aa7356f2e6c644dbcf9f98968ff632e1b7.pem
+        {0x4b, 0xb8, 0xf3, 0x5b, 0xa1, 0xe1, 0x26, 0xf8, 0xdd, 0xe1, 0xb0,
+         0xc4, 0x20, 0x62, 0x5e, 0xd8, 0x6d, 0xce, 0x61, 0xa7, 0xbd, 0xda,
+         0xdb, 0xde, 0xa9, 0xab, 0xa5, 0x78, 0xff, 0x13, 0x14, 0x5e},
         // 7abd72a323c9d179c722564f4e27a51dd4afd24006b38a40ce918b94960bcf18.pem
         {0x57, 0x80, 0x94, 0x46, 0xea, 0xf1, 0x14, 0x84, 0x38, 0x54, 0xfe,
          0x63, 0x6e, 0xd9, 0xbc, 0xb5, 0x52, 0xe3, 0xc6, 0x16, 0x66, 0x3b,

net/data/ssl/blacklist/README.md

@@ -143,6 +143,17 @@ Baseline Requirements, and then subsequently published the private key.
 
   * [83618f932d6947744d5ecca299d4b2820c01483947bd16be814e683f7436be24.pem](83618f932d6947744d5ecca299d4b2820c01483947bd16be814e683f7436be24.pem)
 
+### Superfish
+
+For details, see <https://www.eff.org/deeplinks/2015/02/how-remove-superfish-adware-your-lenovo-computer>
+
+Superfish software with an associated root certificate came preinstalled on
+Lenovo computers. The software used a single root certificate across all
+computers, and the private key was trivially extracted; thus the associated
+public key was blacklisted.
+
+  * [b6fe9151402bad1c06d7e66db67a26aa7356f2e6c644dbcf9f98968ff632e1b7.pem](b6fe9151402bad1c06d7e66db67a26aa7356f2e6c644dbcf9f98968ff632e1b7.pem)
+
 ## Miscellaneous
 
 ### DigiCert

net/data/ssl/blacklist/b6fe9151402bad1c06d7e66db67a26aa7356f2e6c644dbcf9f98968ff632e1b7.pem

+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 15203047915477327079 (0xd2fc1387a944dce7)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: O=Superfish, Inc., L=SF, ST=CA, C=US, CN=Superfish, Inc.
+        Validity
+            Not Before: May 12 16:25:26 2014 GMT
+            Not After : May  7 16:25:26 2034 GMT
+        Subject: O=Superfish, Inc., L=SF, ST=CA, C=US, CN=Superfish, Inc.
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:e8:f3:4a:18:76:5f:19:3f:b1:cf:58:e9:7f:43:
+                    07:09:95:80:35:c5:0f:fe:71:31:27:81:99:12:26:
+                    20:a5:df:8f:6a:fc:42:55:39:ee:09:38:89:d9:e0:
+                    36:c4:ac:01:82:5b:d5:39:e6:f9:8f:07:88:df:fe:
+                    ee:f6:a1:14:ce:a9:74:45:d8:fd:f0:17:57:2a:82:
+                    e1:7a:2e:12:93:5a:ac:8a:d7:15:63:d1:b7:9b:55:
+                    80:0f:58:bc:1c:49:ed:20:62:dd:b6:4c:a5:3a:eb:
+                    1c:3d:a0:ff:7a:71:a6:d3:10:78:33:ae:4b:c2:1c:
+                    fd:92:4a:a1:c3:e7:41:a4:2d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                FB:98:B3:53:7F:14:44:2E:E8:EE:D5:09:9A:5E:0E:56:86:A8:35:88
+            X509v3 Authority Key Identifier: 
+                keyid:FB:98:B3:53:7F:14:44:2E:E8:EE:D5:09:9A:5E:0E:56:86:A8:35:88
+                DirName:/O=Superfish, Inc./L=SF/ST=CA/C=US/CN=Superfish, Inc.
+                serial:D2:FC:13:87:A9:44:DC:E7
+
+    Signature Algorithm: sha1WithRSAEncryption
+         a4:7c:a0:ec:0a:4a:c7:70:c4:71:68:f3:3b:22:e2:dc:9c:8d:
+         d0:92:fe:73:7e:72:2b:55:44:9b:1b:b4:42:eb:1f:af:be:ba:
+         e3:93:a3:d4:8b:18:c2:94:f0:b3:a6:bd:65:34:4c:cd:24:f8:
+         19:0b:c5:15:0a:da:f3:57:8b:a9:86:cf:6c:c3:ee:84:2f:85:
+         0b:19:14:17:98:b4:0c:d4:96:8b:e9:1c:cc:95:c9:4e:d0:aa:
+         4b:01:a5:f6:df:49:12:81:6a:be:d5:be:ce:76:7d:4e:ac:8b:
+         88:e3:30:ed:31:84:50:8f:bc:f1:50:2a:5b:4a:a6:5e:7c:0f:
+         71:fa
+-----BEGIN CERTIFICATE-----
+MIIC9TCCAl6gAwIBAgIJANL8E4epRNznMA0GCSqGSIb3DQEBBQUAMFsxGDAWBgNV
+BAoTD1N1cGVyZmlzaCwgSW5jLjELMAkGA1UEBxMCU0YxCzAJBgNVBAgTAkNBMQsw
+CQYDVQQGEwJVUzEYMBYGA1UEAxMPU3VwZXJmaXNoLCBJbmMuMB4XDTE0MDUxMjE2
+MjUyNloXDTM0MDUwNzE2MjUyNlowWzEYMBYGA1UEChMPU3VwZXJmaXNoLCBJbmMu
+MQswCQYDVQQHEwJTRjELMAkGA1UECBMCQ0ExCzAJBgNVBAYTAlVTMRgwFgYDVQQD
+Ew9TdXBlcmZpc2gsIEluYy4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOjz
+Shh2Xxk/sc9Y6X9DBwmVgDXFD/5xMSeBmRImIKXfj2r8QlU57gk4idngNsSsAYJb
+1Tnm+Y8HiN/+7vahFM6pdEXY/fAXVyqC4XouEpNarIrXFWPRt5tVgA9YvBxJ7SBi
+3bZMpTrrHD2g/3pxptMQeDOuS8Ic/ZJKocPnQaQtAgMBAAGjgcAwgb0wDAYDVR0T
+BAUwAwEB/zAdBgNVHQ4EFgQU+5izU38URC7o7tUJml4OVoaoNYgwgY0GA1UdIwSB
+hTCBgoAU+5izU38URC7o7tUJml4OVoaoNYihX6RdMFsxGDAWBgNVBAoTD1N1cGVy
+ZmlzaCwgSW5jLjELMAkGA1UEBxMCU0YxCzAJBgNVBAgTAkNBMQswCQYDVQQGEwJV
+UzEYMBYGA1UEAxMPU3VwZXJmaXNoLCBJbmMuggkA0vwTh6lE3OcwDQYJKoZIhvcN
+AQEFBQADgYEApHyg7ApKx3DEcWjzOyLi3JyN0JL+c35yK1VEmxu0Qusfr76645Oj
+1IsYwpTws6a9ZTRMzST4GQvFFQra81eLqYbPbMPuhC+FCxkUF5i0DNSWi+kczJXJ
+TtCqSwGl9t9JEoFqvtW+znZ9TqyLiOMw7TGEUI+88VAqW0qmXnwPcfo=
+-----END CERTIFICATE-----
\ No newline at end of file