Exclude some GlobalSign R2 subCAs from Google pins.

GlobalSign R2 signed some subCAs before Google owned it. No Google property should ever have a certificate chain that uses those subCAs so exclude them in pinning. Change-Id: I69df3fbef40e952ec194840731b6257aced813ce Reviewed-on: https://chromium-review.googlesource.com/1186092 Commit-Queue: Adam Langley <agl@chromium.org> Commit-Queue: Ryan Sleevi <rsleevi@chromium.org> Reviewed-by: Ryan Sleevi <rsleevi@chromium.org> Cr-Commit-Position: refs/heads/master@{#585375}

Exclude some GlobalSign R2 subCAs from Google pins.
GlobalSign R2 signed some subCAs before Google owned it. No Google property should ever have a certificate chain that uses those subCAs so exclude them in pinning. Change-Id: I69df3fbef40e952ec194840731b6257aced813ce Reviewed-on: https://chromium-review.googlesource.com/1186092 Commit-Queue: Adam Langley <agl@chromium.org> Commit-Queue: Ryan Sleevi <rsleevi@chromium.org> Reviewed-by: Ryan Sleevi <rsleevi@chromium.org> Cr-Commit-Position: refs/heads/master@{#585375}
8a2cea6f · Adam Langley · Commit Bot · 15633635 · 8a2cea6f · 8a2cea6f
Commit 8a2cea6f authored Aug 23, 2018 by Adam Langley Committed by Commit Bot Aug 23, 2018
Showing with 92 additions and 0 deletions

net/http/transport_security_state_static.json net/http/transport_security_state_static.json +6 -0

net/http/transport_security_state_static.pins net/http/transport_security_state_static.pins +86 -0

No files found.
--- a/net/http/transport_security_state_static.json
+++ b/net/http/transport_security_state_static.json
@@ -69,6 +69,12 @@
        "GTSCA1O1",
        "GlobalSignRootCA_R2"
      ],
+      "bad_static_spki_hashes": [
+        "GlobalSignRootCA",
+        "GlobalSignExtendedValidationCA",
+        "GlobalSignExtendedValidationCA_G2",
+        "GlobalSignExtendedValidationCA_SHA256_G2"
+      ],
      "report_uri": "http://clients3.google.com/cert_upload_json"
    },
    {
--- a/net/http/transport_security_state_static.pins
+++ b/net/http/transport_security_state_static.pins
@@ -1260,6 +1260,92 @@ AfvDbbnvRG15RjF+Cv6pgsH/76tuIMRQyV+dTZsXjAzlAcmgQWpzU/qlULRuJQ/7
 TBj0/VLZjmmx6BEP3ojY+x1J96relc8geMJgEtslQIxq/H5COEBkEveegeGTLg==
 -----END CERTIFICATE-----
+GlobalSignExtendedValidationCA
+-----BEGIN CERTIFICATE-----
+MIIEmDCCA4CgAwIBAgILBAAAAAABIg08FMUwDQYJKoZIhvcNAQEFBQAwTDEgMB4G
+A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp
+Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwNjIzMTIwMDAwWhcNMjExMjE1
+MDcwMDAwWjBiMR8wHQYDVQQLExZFeHRlbmRlZCBWYWxpZGF0aW9uIENBMRMwEQYD
+VQQKEwpHbG9iYWxTaWduMSowKAYDVQQDEyFHbG9iYWxTaWduIEV4dGVuZGVkIFZh
+bGlkYXRpb24gQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1Emt6
+QwnnRLFD0fgyHn2XJOtkPy/ieGsyjWyyRakXgmd/EWGtkLNGhEAjYVDxE70u/758
+XoXH2Q0c9e5Ecde4j4W2DkbMSSM1ITsl+lAtS33NK1Q/j+opI+qTDvyqhzbEZtcO
+c/Xc8P0H+cGPeqBI397N2xkYMMrYg/F5rDaKn6jA0onrYKTtKlXFFQxjK8cLfjHO
+wZsr+oalY032uubczjUhZs9YHMjzqi+My80kugG9J73V72nVdaHiorih7oivdX9f
+8tIyEHc1H2n5AmKEf4onD3/6tr6Zcq59rJtyD1jDy8gStbiA4cCxwNHRhjX8cXwg
+Lva4p7D8hCA2NoaZAgMBAAGjggFjMIIBXzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0T
+AQH/BAgwBgEB/wIBADBGBgNVHSAEPzA9MDsGBFUdIAAwMzAxBggrBgEFBQcCARYl
+aHR0cDovL3d3dy5nbG9iYWxzaWduLm5ldC9yZXBvc2l0b3J5LzAdBgNVHQ4EFgQU
+NLH5yYxrNUTMCGkK7uOjuVy/FuAwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2Ny
+bC5nbG9iYWxzaWduLm5ldC9yb290LXIyLmNybDBEBggrBgEFBQcBAQQ4MDYwNAYI
+KwYBBQUHMAGGKGh0dHA6Ly9vY3NwLmdsb2JhbHNpZ24uY29tL0V4dGVuZGVkU1NM
+Q0EwEQYJYIZIAYb4QgEBBAQDAgIEMCAGA1UdJQQZMBcGCisGAQQBgjcKAwMGCWCG
+SAGG+EIEATAfBgNVHSMEGDAWgBSb4gdXZxwewGoG3lm0mi3f3BmGLjANBgkqhkiG
+9w0BAQUFAAOCAQEAjptrWhnUYSEbidPudkEgnfANTeTyobGM8M5TaPLpLOJpzRcX
+DLD+ad0jK8fZIn2OL45stDHsNOPH4vXNWAr1/FMi84Lm3E61MSI9ucfqTPybZokJ
+XkrXdUttuVMS/2eqvhhaoqfFGO7TMZAgnUoWpqF8ro9C2AM47BslE+8MVdZ/Duvj
+koUnTO2IngpODIlcvrUcr5HhGZzE3CMjtKjfEjkNW5gg0byMyBnAUHb1sfwX3cB3
+8KkEYSNuf2VuS9UN811ZObhHzTyPr5TCkUJ+BK2ZPQm/6x+ujNsCr7Zeh7n09LWg
+cfeRNrdGKOurYGly9fYFM9G083hngPWK0N477g==
+-----END CERTIFICATE-----
+GlobalSignExtendedValidationCA_G2
+-----BEGIN CERTIFICATE-----
+MIIEhjCCA26gAwIBAgILBAAAAAABL07hXdQwDQYJKoZIhvcNAQEFBQAwTDEgMB4G
+A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp
+Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMTEwNDEzMTAwMDAwWhcNMjIwNDEz
+MTAwMDAwWjBZMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1z
+YTEvMC0GA1UEAxMmR2xvYmFsU2lnbiBFeHRlbmRlZCBWYWxpZGF0aW9uIENBIC0g
+RzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNoUbMUpq4pbR/WNnN
+2EugcgyXW6aIIMO5PUbc0FxSMPb6WU+FX7DbiLSpXysjSKyr9ZJ4FLYyD/tcaoVb
+AJDgu2X1WvlPZ37HbCnsk8ArysRe2LDb1r4/mwvAj6ldrvcAAqT8umYROHf+IyAl
+VRDFvYK5TLFoxuJwe4NcE2fBofN8C6iZmtDimyUxyCuNQPZSY7GgrVou9Xk2bTUs
+Dt0F5NDiB0i3KF4r1VjVbNAMoQFGAVqPxq9kx1UBXeHRxmxQJaAFrQCrDI1la93r
+wnJUyQ88ABeHIu/buYZ4FlGud9mmKE3zWI2DZ7k0JZscUYBR84OSaqOuR5rW5Isb
+wO2xAgMBAAGjggFaMIIBVjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
+/wIBADAdBgNVHQ4EFgQUsLBK/Rx1KPgcYaoT9vrBkD1rFqMwRwYDVR0gBEAwPjA8
+BgRVHSAAMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29t
+L3JlcG9zaXRvcnkvMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwuZ2xvYmFs
+c2lnbi5uZXQvcm9vdC1yMi5jcmwwRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzAB
+hihodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9FeHRlbmRlZFNTTENBMCkGA1Ud
+JQQiMCAGCCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAzAfBgNVHSMEGDAW
+gBSb4gdXZxwewGoG3lm0mi3f3BmGLjANBgkqhkiG9w0BAQUFAAOCAQEAL0m28rZa
+pJWrnlrpK4KbzJBrfHRFIOde2Mcj7ig1sTVlKqVR4FU/9oNntOQ2KbDa7JeVqYoF
+o0X+Iy5SiLQfEICt0oufo1+oxetz3nmIQZgz7qdgGLFGyUAQB5yPClLJExoGbqCb
+LTr2rk/no1E1KlsYBRLlUdy2NmLz4aQP++TPw5S/EauhWTEB8MxT7I9j12yW00gq
+iiPtRVaoZkHqAblH7qFHDBTxI+Egc8p9UHxkOFejj0qcm+ltRc9Ea01gIEBxJbVG
+qmwIft/I+shWKpLLg7h5CZctXqEBzgbttJfJBNxB7+BPNk3kQHNG7BESfIhbNCYl
+TercGL7FG81kwA==
+-----END CERTIFICATE-----
+GlobalSignExtendedValidationCA_SHA256_G2
+-----BEGIN CERTIFICATE-----
+MIIEXTCCA0WgAwIBAgILBAAAAAABRE7wSlUwDQYJKoZIhvcNAQELBQAwTDEgMB4G
+A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp
+Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMTQwMjIwMTAwMDAwWhcNMjExMjE1
+MDgwMDAwWjBiMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1z
+YTE4MDYGA1UEAxMvR2xvYmFsU2lnbiBFeHRlbmRlZCBWYWxpZGF0aW9uIENBIC0g
+U0hBMjU2IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCj6qHS
+w0nl9xxdr8OSQq+KPNzvTOYvXwwrn4pQMGbvTshPIUr25/JOG4xTV7CeyFv3uEZV
+sxrtwmr+9BvsSEYOj+D74JEZ35kYby5Rr9r2mspkb5lUEHTqPMiqgE1DN/vIpH8F
+nTeSvZgANVqvu1t0FQ68vMbpt4bn7q5NSwRMK6C0ZUi4wzrNdbs3yUrAARHZvz8V
+hmAZazQgRvWGZg8k9Mxin5+eHf0QpJle8EHrsJT/LLM21usdpxdf385qd8eaxDJj
+pwat8xIbnTByWQvrcusq0nd7kXfbAPzYb/Uv2HrFDDqge16Q852EWcgB2ZE3VuU6
+U5OtYEknJdnh2oLXAgMBAAGjggEoMIIBJDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0T
+AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU2kB3Q2Uc+P6n4/Rkgj5NQxMiMQIwRwYD
+VR0gBEAwPjA8BgRVHSAAMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2Jh
+bHNpZ24uY29tL3JlcG9zaXRvcnkvMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9j
+cmwuZ2xvYmFsc2lnbi5uZXQvcm9vdC1yMi5jcmwwPQYIKwYBBQUHAQEEMTAvMC0G
+CCsGAQUFBzABhiFodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9yb290cjIwHwYD
+VR0jBBgwFoAUm+IHV2ccHsBqBt5ZtJot39wZhi4wDQYJKoZIhvcNAQELBQADggEB
+AEDvEpCDdJaK+Tq6m1lKM9PvTBMrtZHLyZbtbvVsZPHGhLJGWVpYglLxNKBUQWQg
+q9hXO9QUdHEYNswTwcdwwPVFZg5xroevkpTrcUAJ9Mx39xuThYpKrjOF5nSu9RCm
+PslZg8P5XJb5KPc0e+k4xpE8T3FYdf7hVnV2zUDEFUA5qUH9ZBAPl4UH6Hlk0FtN
+TJsnl9NzXpJ+H0jiyrkFl07vLBxrTYpfeFOVzQI5wi/maU/2cdGZtX9tIN5Dj9sA
+G6M7N97RP23ztpB2Haydb4RPJJQJduCdqE33TTePpC9fS0HkSRaXzHtsrxHKllQJ
+iyRRrl3tovG7UxBNl/oadwM=
+-----END CERTIFICATE-----
 GlobalSignRootCA_R3
 -----BEGIN CERTIFICATE-----
 MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G