Remove the StartCom/WoSign whitelist

This fully removes trust in WoSign and StartCom, as announced at https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html BUG=731838 Review-Url: https://codereview.chromium.org/2927383002 Cr-Commit-Position: refs/heads/master@{#478768}

Remove the StartCom/WoSign whitelist
This fully removes trust in WoSign and StartCom, as announced at https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html BUG=731838 Review-Url: https://codereview.chromium.org/2927383002 Cr-Commit-Position: refs/heads/master@{#478768}
8c640b21 · rsleevi · Commit Bot · 74520997 · 8c640b21 · 8c640b21
Commit 8c640b21 authored Jun 12, 2017 by rsleevi Committed by Commit Bot Jun 12, 2017
23 changed files
--- a/net/BUILD.gn
+++ b/net/BUILD.gn
@@ -359,7 +359,6 @@ component("net") {
    "//base",
    "//net/base/registry_controlled_domains",
    "//net/data/ssl/certificate_transparency:ct_log_list",
-    "//net/data/ssl/wosign:wosign_domains",
    "//net/http:generate_transport_security_state",
    "//third_party/protobuf:protobuf_lite",
    "//url:url_features",
@@ -532,8 +531,6 @@ component("net") {
      "cert/cert_verify_proc_mac.h",
      "cert/cert_verify_proc_nss.cc",
      "cert/cert_verify_proc_nss.h",
-      "cert/cert_verify_proc_whitelist.cc",
-      "cert/cert_verify_proc_whitelist.h",
      "cert/cert_verify_proc_win.cc",
      "cert/cert_verify_proc_win.h",
      "cert/crl_set_storage.cc",
@@ -2414,8 +2411,6 @@ bundle_data("test_support_bundle_data") {
    "data/ssl/certificates/websocket_cacert.pem",
    "data/ssl/certificates/websocket_client_cert.p12",
    "data/ssl/certificates/wildcard.pem",
-    "data/ssl/certificates/wosign_after_oct_21.pem",
-    "data/ssl/certificates/wosign_before_oct_21.pem",
    "data/ssl/certificates/www_us_army_mil_cert.der",
    "data/ssl/certificates/x509_verify_results.chain.pem",
  ]
@@ -4532,7 +4527,6 @@ test("net_unittests") {
    "cert/cert_verify_proc_ios_unittest.cc",
    "cert/cert_verify_proc_mac_unittest.cc",
    "cert/cert_verify_proc_unittest.cc",
-    "cert/cert_verify_proc_whitelist_unittest.cc",
    "cert/crl_set_unittest.cc",
    "cert/ct_known_logs_unittest.cc",
    "cert/ct_log_response_parser_unittest.cc",
@@ -5097,7 +5091,6 @@ test("net_unittests") {
  defines = []

  deps = [
-    ":cert_verify_proc_whitelist_unittest_data",
    ":net",
    ":quic_test_tools",
    ":simple_quic_tools",
@@ -5519,21 +5512,6 @@ if (!is_ios && !is_proto_quic) {
  }
 }

-action_foreach("cert_verify_proc_whitelist_unittest_data") {
-  script = "//net/tools/dafsa/make_dafsa.py"
-  sources = [
-    "//net/cert/cert_verify_proc_whitelist_unittest1.gperf",
-  ]
-  outputs = [
-    "${target_gen_dir}/cert/{{source_name_part}}-inc.cc",
-  ]
-  args = [
-    "{{source}}",
-    rebase_path("${target_gen_dir}/cert/{{source_name_part}}-inc.cc",
-                root_build_dir),
-  ]
-}
-
 # Fuzzers

 # This has a global (InitGlobals) that must always be linked in, so

--- a/net/cert/cert_verify_proc.cc
+++ b/net/cert/cert_verify_proc.cc
@@ -15,13 +15,13 @@
 #include "base/strings/stringprintf.h"
 #include "base/time/time.h"
 #include "build/build_config.h"
+#include "crypto/sha2.h"
 #include "net/base/net_errors.h"
 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "net/base/url_util.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
-#include "net/cert/cert_verify_proc_whitelist.h"
 #include "net/cert/cert_verify_result.h"
 #include "net/cert/crl_set.h"
 #include "net/cert/internal/parse_ocsp.h"
@@ -582,12 +582,6 @@ int CertVerifyProc::Verify(X509Certificate* cert,
    rv = MapCertStatusToNetError(verify_result->cert_status);
  }

-  if (IsNonWhitelistedCertificate(*verify_result->verified_cert,
-                                  verify_result->public_key_hashes, hostname)) {
-    verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
-    rv = MapCertStatusToNetError(verify_result->cert_status);
-  }
-
  // Check for weak keys in the entire verified chain.
  bool weak_key = ExaminePublicKeys(verify_result->verified_cert,
                                    verify_result->is_issued_by_known_root);

--- a/net/cert/cert_verify_proc_blacklist.inc
+++ b/net/cert/cert_verify_proc_blacklist.inc
@@ -5,9 +5,8 @@
 // The certificate(s) that were misissued, and which represent these SPKIs,
 // are stored within net/data/ssl/blacklist. Further details about the
 // rationale is documented in net/data/ssl/blacklist/README.md
-static const size_t kNumBlacklistedSPKIs = 36u;
-static const uint8_t
-    kBlacklistedSPKIs[kNumBlacklistedSPKIs][crypto::kSHA256Length] = {
+static constexpr uint8_t
+    kBlacklistedSPKIs[][crypto::kSHA256Length] = {
        // ead610e6e90b439f2ecb51628b0932620f6ef340bd843fca38d3181b8f4ba197.pem
        {0x12, 0x13, 0x23, 0x60, 0xa3, 0x3b, 0xfd, 0xc6, 0xc3, 0xbf, 0x7b,
         0x7f, 0xab, 0x26, 0xa1, 0x68, 0x48, 0x74, 0xe7, 0x2c, 0x12, 0x63,
@@ -20,6 +19,10 @@ static const uint8_t
        {0x13, 0x0a, 0xd4, 0xe0, 0x63, 0x35, 0x21, 0x29, 0x05, 0x31, 0xb6,
         0x65, 0x1f, 0x57, 0x59, 0xb0, 0xbc, 0x7b, 0xc6, 0x56, 0x70, 0x9f,
         0xf8, 0xf3, 0x65, 0xc2, 0x14, 0x3b, 0x03, 0x89, 0xb6, 0xf6},
+        // c7ba6567de93a798ae1faa791e712d378fae1f93c4397fea441bb7cbe6fd5995.pem
+        {0x15, 0x28, 0x39, 0x7d, 0xa2, 0x12, 0x89, 0x0a, 0x83, 0x0b, 0x0b,
+         0x95, 0xa5, 0x99, 0x68, 0xce, 0xf2, 0x34, 0x77, 0x37, 0x79, 0xdf,
+         0x51, 0x81, 0xcf, 0x10, 0xfa, 0x64, 0x75, 0x34, 0xbb, 0x65},
        // 1af56c98ff043ef92bebff54cebb4dd67a25ba956c817f3e6dd3c1e52eb584c1.key
        {0x1a, 0xf5, 0x6c, 0x98, 0xff, 0x04, 0x3e, 0xf9, 0x2b, 0xeb, 0xff,
         0x54, 0xce, 0xbb, 0x4d, 0xd6, 0x7a, 0x25, 0xba, 0x95, 0x6c, 0x81,
@@ -36,6 +39,10 @@ static const uint8_t
        {0x32, 0xec, 0xc9, 0x6f, 0x91, 0x2f, 0x96, 0xd8, 0x89, 0xe7, 0x30,
         0x88, 0xcd, 0x03, 0x1c, 0x7d, 0xed, 0x2c, 0x65, 0x1c, 0x80, 0x50,
         0x16, 0x15, 0x7a, 0x23, 0xb6, 0xf3, 0x2f, 0x79, 0x8a, 0x3b},
+        // d487a56f83b07482e85e963394c1ecc2c9e51d0903ee946b02c301581ed99e16.pem
+        {0x38, 0x1a, 0x3f, 0xc7, 0xa8, 0xb0, 0x82, 0xfa, 0x28, 0x61, 0x3a,
+         0x4d, 0x07, 0xf2, 0xc7, 0x55, 0x3f, 0x4e, 0x19, 0x18, 0xee, 0x07,
+         0xca, 0xa9, 0xe8, 0xb7, 0xce, 0xde, 0x5a, 0x9c, 0xa0, 0x6a},
        // 42187727be39faf667aeb92bf0cc4e268f6e2ead2cefbec575bdc90430024f69.pem
        {0x3e, 0xdb, 0xd9, 0xac, 0xe6, 0x39, 0xba, 0x1a, 0x2d, 0x4a, 0xd0,
         0x47, 0x18, 0x71, 0x1f, 0xda, 0x23, 0xe8, 0x59, 0xb2, 0xfb, 0xf5,
@@ -62,6 +69,10 @@ static const uint8_t
        {0x71, 0x65, 0xe9, 0x91, 0xad, 0xe7, 0x91, 0x6d, 0x86, 0xb4, 0x66,
         0xab, 0xeb, 0xb6, 0xe4, 0x57, 0xca, 0x93, 0x1c, 0x80, 0x4e, 0x58,
         0xce, 0x1f, 0xba, 0xba, 0xe5, 0x09, 0x15, 0x6f, 0xfb, 0x43},
+        // 8b45da1c06f791eb0cabf26be588f5fb23165c2e614bf885562d0dce50b29b02.pem
+        {0x7a, 0xed, 0xdd, 0xf3, 0x6b, 0x18, 0xf8, 0xac, 0xb7, 0x37, 0x9f,
+         0xe1, 0xce, 0x18, 0x32, 0x12, 0xb2, 0x35, 0x0d, 0x07, 0x88, 0xab,
+         0xe0, 0xe8, 0x24, 0x57, 0xbe, 0x9b, 0xad, 0xad, 0x6d, 0x54},
        // f3bae5e9c0adbfbfb6dbf7e04e74be6ead3ca98a5604ffe591cea86c241848ec.pem
        {0x7d, 0x5e, 0x3f, 0x50, 0x50, 0x81, 0x97, 0xb9, 0xa4, 0x78, 0xb1,
         0x13, 0x40, 0xb7, 0xdc, 0xe2, 0x0a, 0x3c, 0x4d, 0xe4, 0x9c, 0x48,
@@ -82,6 +93,10 @@ static const uint8_t
        {0x9b, 0x8a, 0x93, 0xde, 0xcc, 0xcf, 0xba, 0xfc, 0xf4, 0xd0, 0x4d,
         0x34, 0x42, 0x12, 0x8f, 0xb3, 0x52, 0x18, 0xcf, 0xe4, 0x37, 0xa3,
         0xd8, 0xd0, 0x32, 0x8c, 0x99, 0xf8, 0x90, 0x89, 0xe4, 0x50},
+        // 7d8ce822222b90c0b14342c7a8145d1f24351f4d1a1fe0edfd312ee73fb00149.pem
+        {0x9d, 0x98, 0xa1, 0xfb, 0x60, 0x53, 0x8c, 0x4c, 0xc4, 0x85, 0x7f,
+         0xf1, 0xa8, 0xc8, 0x03, 0x4f, 0xaf, 0x6f, 0xc5, 0x92, 0x09, 0x3f,
+         0x61, 0x99, 0x94, 0xb2, 0xc8, 0x13, 0xd2, 0x50, 0xb8, 0x64},
        // 1c01c6f4dbb2fefc22558b2bca32563f49844acfc32b7be4b0ff599f9e8c7af7.pem
        {0x9d, 0xd5, 0x5f, 0xc5, 0x73, 0xf5, 0x46, 0xcb, 0x6a, 0x38, 0x31,
         0xd1, 0x11, 0x2d, 0x87, 0x10, 0xa6, 0xf4, 0xf8, 0x2d, 0xc8, 0x7f,
@@ -123,6 +138,14 @@ static const uint8_t
        {0xd3, 0x4b, 0x25, 0x5b, 0x2f, 0xe7, 0xd1, 0xa0, 0x96, 0x56, 0xcb,
         0xab, 0x64, 0x09, 0xf7, 0x3c, 0x79, 0x6e, 0xc7, 0xd6, 0x6a, 0xf7,
         0x36, 0x53, 0xec, 0xc3, 0x9a, 0xf9, 0x78, 0x29, 0x73, 0x10},
+        // 4b22d5a6aec99f3cdb79aa5ec06838479cd5ecba7164f7f22dc1d65f63d85708.pem
+        {0xd6, 0xa1, 0x84, 0x43, 0xd3, 0x48, 0xdb, 0x99, 0x4f, 0x93, 0x4c,
+         0xcd, 0x8e, 0x63, 0x5d, 0x83, 0x3a, 0x27, 0xac, 0x1e, 0x56, 0xf8,
+         0xaf, 0xaf, 0x7c, 0x97, 0xcb, 0x4f, 0x43, 0xea, 0xb6, 0x8b},
+        // d6f034bd94aa233f0297eca4245b283973e447aa590f310c77f48fdf83112254.pem
+        {0xdb, 0x15, 0xc0, 0x06, 0x2b, 0x52, 0x0f, 0x31, 0x8a, 0x19, 0xda,
+         0xcf, 0xec, 0xd6, 0x4f, 0x9e, 0x7a, 0x3f, 0xbe, 0x60, 0x9f, 0xd5,
+         0x86, 0x79, 0x6f, 0x20, 0xae, 0x02, 0x8e, 0x8e, 0x30, 0x58},
        // 3946901f46b0071e90d78279e82fababca177231a704be72c5b0e8918566ea66.pem
        {0xdd, 0x3e, 0xeb, 0x77, 0x9b, 0xee, 0x07, 0xf9, 0xef, 0xda, 0xc3,
         0x82, 0x40, 0x8b, 0x28, 0xd1, 0x42, 0xfa, 0x84, 0x2c, 0x78, 0xe8,
@@ -131,6 +154,11 @@ static const uint8_t
        {0xde, 0x8f, 0x05, 0x07, 0x4e, 0xc0, 0x31, 0x8e, 0x7e, 0x7e, 0x8d,
         0x31, 0x90, 0xda, 0xe8, 0xb0, 0x08, 0x94, 0xf0, 0xe8, 0xdd, 0xdf,
         0xd3, 0x91, 0x3d, 0x01, 0x75, 0x9b, 0x4f, 0x79, 0xb0, 0x5d},
+        // c766a9bef2d4071c863a31aa4920e813b2d198608cb7b7cfe21143b836df09ea.pem
+        // e17890ee09a3fbf4f48b9c414a17d637b7a50647e9bc752322727fcc1742a911.pem
+        {0xe4, 0x2f, 0x24, 0xbd, 0x4d, 0x37, 0xf4, 0xaa, 0x2e, 0x56, 0xb9,
+         0x79, 0xd8, 0x3d, 0x1e, 0x65, 0x21, 0x9f, 0xe0, 0xe9, 0xe3, 0xa3,
+         0x82, 0xa1, 0xb3, 0xcb, 0x66, 0xc9, 0x39, 0x55, 0xde, 0x75},
        // e4f9a3235df7330255f36412bc849fb630f8519961ec3538301deb896c953da5.pem
        {0xe6, 0xe1, 0x36, 0xc8, 0x61, 0x54, 0xf3, 0x2c, 0x3e, 0x49, 0xf4,
         0x7c, 0xfc, 0x6b, 0x33, 0x8f, 0xf2, 0xdc, 0x61, 0xce, 0x14, 0xfc,

--- a/net/cert/cert_verify_proc_whitelist.cc
+++ b/net/cert/cert_verify_proc_whitelist.cc
-// Copyright (c) 2015 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/cert/cert_verify_proc_whitelist.h"
-
-#include <cstdlib>
-
-#include "net/base/lookup_string_in_fixed_set.h"
-#include "net/cert/x509_certificate.h"
-
-namespace net {
-
-namespace {
-
-// clang-format off
-// SHA-256 hashes of the subjectPublicKeyInfos of root certificates owned
-// or operated by WoSign, including that of StartCom. For the certificates,
-// see //net/data/ssl/wosign.
-const uint8_t kWosignKeys[][crypto::kSHA256Length] = {
-    { 0x15, 0x28, 0x39, 0x7d, 0xa2, 0x12, 0x89, 0x0a,
-      0x83, 0x0b, 0x0b, 0x95, 0xa5, 0x99, 0x68, 0xce,
-      0xf2, 0x34, 0x77, 0x37, 0x79, 0xdf, 0x51, 0x81,
-      0xcf, 0x10, 0xfa, 0x64, 0x75, 0x34, 0xbb, 0x65 },
-    { 0x38, 0x1a, 0x3f, 0xc7, 0xa8, 0xb0, 0x82, 0xfa,
-      0x28, 0x61, 0x3a, 0x4d, 0x07, 0xf2, 0xc7, 0x55,
-      0x3f, 0x4e, 0x19, 0x18, 0xee, 0x07, 0xca, 0xa9,
-      0xe8, 0xb7, 0xce, 0xde, 0x5a, 0x9c, 0xa0, 0x6a },
-    { 0x7a, 0xed, 0xdd, 0xf3, 0x6b, 0x18, 0xf8, 0xac,
-      0xb7, 0x37, 0x9f, 0xe1, 0xce, 0x18, 0x32, 0x12,
-      0xb2, 0x35, 0x0d, 0x07, 0x88, 0xab, 0xe0, 0xe8,
-      0x24, 0x57, 0xbe, 0x9b, 0xad, 0xad, 0x6d, 0x54 },
-    { 0x9d, 0x98, 0xa1, 0xfb, 0x60, 0x53, 0x8c, 0x4c,
-      0xc4, 0x85, 0x7f, 0xf1, 0xa8, 0xc8, 0x03, 0x4f,
-      0xaf, 0x6f, 0xc5, 0x92, 0x09, 0x3f, 0x61, 0x99,
-      0x94, 0xb2, 0xc8, 0x13, 0xd2, 0x50, 0xb8, 0x64 },
-    { 0xd6, 0xa1, 0x84, 0x43, 0xd3, 0x48, 0xdb, 0x99,
-      0x4f, 0x93, 0x4c, 0xcd, 0x8e, 0x63, 0x5d, 0x83,
-      0x3a, 0x27, 0xac, 0x1e, 0x56, 0xf8, 0xaf, 0xaf,
-      0x7c, 0x97, 0xcb, 0x4f, 0x43, 0xea, 0xb6, 0x8b },
-    { 0xdb, 0x15, 0xc0, 0x06, 0x2b, 0x52, 0x0f, 0x31,
-      0x8a, 0x19, 0xda, 0xcf, 0xec, 0xd6, 0x4f, 0x9e,
-      0x7a, 0x3f, 0xbe, 0x60, 0x9f, 0xd5, 0x86, 0x79,
-      0x6f, 0x20, 0xae, 0x02, 0x8e, 0x8e, 0x30, 0x58 },
-    { 0xe4, 0x2f, 0x24, 0xbd, 0x4d, 0x37, 0xf4, 0xaa,
-      0x2e, 0x56, 0xb9, 0x79, 0xd8, 0x3d, 0x1e, 0x65,
-      0x21, 0x9f, 0xe0, 0xe9, 0xe3, 0xa3, 0x82, 0xa1,
-      0xb3, 0xcb, 0x66, 0xc9, 0x39, 0x55, 0xde, 0x75 },
-};
-// clang-format on
-
-// Comparator to compare a (SHA-256) HashValue with a uint8_t array containing
-// a raw SHA-256 hash. Return value follows memcmp semantics.
-int CompareHashValueToRawHash(const void* key, const void* element) {
-  const HashValue* search_key = reinterpret_cast<const HashValue*>(key);
-  return memcmp(search_key->data(), element, search_key->size());
-}
-
-namespace wosign {
-#include "net/data/ssl/wosign/wosign_domains-inc.cc"
-}  // namespace wosign
-
-}  // namespace
-
-bool IsNonWhitelistedCertificate(const X509Certificate& cert,
-                                 const HashValueVector& public_key_hashes,
-                                 base::StringPiece hostname) {
-  for (const auto& hash : public_key_hashes) {
-    if (hash.tag != HASH_VALUE_SHA256)
-      continue;
-
-    // Check for WoSign/StartCom certificates.
-    if (bsearch(&hash, kWosignKeys, arraysize(kWosignKeys),
-                crypto::kSHA256Length, CompareHashValueToRawHash) != nullptr) {
-      // 2016-10-21 00:00:00 UTC
-      const base::Time last_wosign_cert =
-          base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(1477008000);
-
-      // Don't allow new certificates.
-      if (cert.valid_start().is_null() || cert.valid_start().is_max() ||
-          cert.valid_start() > last_wosign_cert) {
-        return true;
-      }
-
-      // Don't allow certificates from non-whitelisted hosts.
-      return !IsWhitelistedHost(wosign::kDafsa, arraysize(wosign::kDafsa),
-                                hostname);
-    }
-  }
-  return false;
-}
-
-bool IsWhitelistedHost(const unsigned char* graph,
-                       size_t graph_length,
-                       base::StringPiece host) {
-  if (host.empty())
-    return false;
-
-  size_t end = host.length();
-
-  // Skip trailing '.', if any.
-  if (host[end - 1] == '.') {
-    --end;
-  }
-
-  // Reverse through each of the domain components, trying to see if the
-  // domain is on the whitelist. For example, the string
-  // "www.domain.example.com" would be processed by first searching
-  // for "com", then "example.com", then "domain.example.com". The
-  // loop will terminate when there are no more distinct label separators,
-  // and thus the final check for "www.domain.example.com".
-  size_t start = end;
-  while (start != 0 &&
-         (start = host.rfind('.', start - 1)) != base::StringPiece::npos) {
-    const char* domain_str = host.data() + start + 1;
-    size_t domain_length = end - start - 1;
-    if (domain_length == 0)
-      return false;
-    if (LookupStringInFixedSet(graph, graph_length, domain_str,
-                               domain_length) != kDafsaNotFound) {
-      return true;
-    }
-  }
-
-  return LookupStringInFixedSet(graph, graph_length, host.data(), end) !=
-         kDafsaNotFound;
-}
-
-}  // namespace net
--- a/net/cert/cert_verify_proc_whitelist.h
+++ b/net/cert/cert_verify_proc_whitelist.h
-// Copyright (c) 2015 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_CERT_CERT_VERIFY_PROC_WHITELIST_H_
-#define NET_CERT_CERT_VERIFY_PROC_WHITELIST_H_
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include "base/strings/string_piece.h"
-#include "crypto/sha2.h"
-#include "net/base/hash_value.h"
-#include "net/base/net_export.h"
-
-namespace net {
-
-class X509Certificate;
-
-// Returns true if |cert| has been issued by a CA that is constrained from
-// issuing new certificates and |cert| is not within the whitelist of
-// existing certificates. Returns false if |cert| was issued by an
-// unconstrained CA or if it was in the whitelist for that
-// CA.
-// |cert| should be the verified certificate chain, with |public_key_hashes|
-// being the set of hashes of the SPKIs within the verified chain, and
-// |hostname| as the GURL-normalized hostname.
-bool NET_EXPORT_PRIVATE
-IsNonWhitelistedCertificate(const X509Certificate& cert,
-                            const HashValueVector& public_key_hashes,
-                            base::StringPiece hostname);
-
-// Returns true if |host| is in (or a subdomain of) a whitelisted host
-// in |graph|, which is a DAFSA constructed by
-// //net/tools/dafsa/make_dafsa.py that is |graph_length| bytes long.
-bool NET_EXPORT_PRIVATE IsWhitelistedHost(const unsigned char* graph,
-                                          size_t graph_length,
-                                          base::StringPiece host);
-
-}  // namespace net
-
-#endif  // NET_CERT_CERT_VERIFY_PROC_WHITELIST_H_
--- a/net/cert/cert_verify_proc_whitelist_unittest.cc
+++ b/net/cert/cert_verify_proc_whitelist_unittest.cc
-// Copyright (c) 2015 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/cert/cert_verify_proc_whitelist.h"
-
-#include "base/memory/ref_counted.h"
-#include "net/cert/x509_certificate.h"
-#include "net/test/cert_test_util.h"
-#include "net/test/test_data_directory.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-namespace net {
-
-namespace {
-
-namespace test1 {
-#include "net/cert/cert_verify_proc_whitelist_unittest1-inc.cc"
-}  // namespace test1
-
-TEST(CertVerifyProcWhitelistTest, HandlesWosignCerts) {
-  // The domain must be in the whitelist from
-  // //net/data/ssl/wosign/wosign_domains.gperf
-  const char kWhitelistedDomain[] = "005.tv";
-  const char kNonWhitelistedDomain[] = "006.tv";
-
-  scoped_refptr<X509Certificate> cert =
-      ImportCertFromFile(GetTestCertsDirectory(), "wosign_before_oct_21.pem");
-  ASSERT_TRUE(cert);
-
-  HashValueVector public_key_hashes;
-  public_key_hashes.emplace_back(SHA256HashValue{
-      {0x15, 0x28, 0x39, 0x7d, 0xa2, 0x12, 0x89, 0x0a, 0x83, 0x0b, 0x0b,
-       0x95, 0xa5, 0x99, 0x68, 0xce, 0xf2, 0x34, 0x77, 0x37, 0x79, 0xdf,
-       0x51, 0x81, 0xcf, 0x10, 0xfa, 0x64, 0x75, 0x34, 0xbb, 0x65}});
-
-  // Domains on the whitelist are allowed, as long as their certificates were
-  // pre-existing before Oct 21, 2016.
-  EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes,
-                                           kWhitelistedDomain));
-  // Domains not on the whitelist are not allowed, regardless of the validity
-  // period of the certificate.
-  EXPECT_TRUE(IsNonWhitelistedCertificate(*cert, public_key_hashes,
-                                          kNonWhitelistedDomain));
-
-  cert = ImportCertFromFile(GetTestCertsDirectory(), "wosign_after_oct_21.pem");
-  ASSERT_TRUE(cert);
-
-  // No new certificates (after Oct 21, 2016) are all allowed, regardless
-  // of the domain.
-  EXPECT_TRUE(IsNonWhitelistedCertificate(*cert, public_key_hashes,
-                                          kWhitelistedDomain));
-  EXPECT_TRUE(IsNonWhitelistedCertificate(*cert, public_key_hashes,
-                                          kNonWhitelistedDomain));
-
-  // Certificates that aren't issued by WoSign are allowed, regardless of
-  // domain.
-  public_key_hashes[0].data()[0] = 0x14;
-  EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes,
-                                           kWhitelistedDomain));
-  EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes,
-                                           kNonWhitelistedDomain));
-}
-
-TEST(CertVerifyProcWhitelistTest, IsWhitelistedHost) {
-  const unsigned char* graph = test1::kDafsa;
-  size_t graph_size = arraysize(test1::kDafsa);
-
-  // Test malformed inputs.
-  EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, ""));
-  EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "."));
-  EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, ".."));
-
-  // Make sure that TLDs aren't accepted just because a subdomain is.
-  EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "com"));
-
-  // Test various forms of domain names that GURL will accept for entries in
-  // the graph.
-  EXPECT_TRUE(IsWhitelistedHost(graph, graph_size, "example.com"));
-  EXPECT_TRUE(IsWhitelistedHost(graph, graph_size, "subdomain.example.com"));
-  EXPECT_TRUE(IsWhitelistedHost(graph, graph_size, ".subdomain.example.com"));
-  EXPECT_TRUE(IsWhitelistedHost(graph, graph_size, "example.com."));
-  EXPECT_TRUE(IsWhitelistedHost(graph, graph_size, ".example.com."));
-  EXPECT_TRUE(IsWhitelistedHost(graph, graph_size, "www.example.bar.jp"));
-
-  // Test various prefix/suffices of entries in the graph, but that aren't
-  // themselves domain matches.
-  EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "anotherexample.com"));
-  EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "bar.jp"));
-  EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "example.bar.jp.junk"));
-  EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "foo.example.bar.jp.junk"));
-
-  // Test various forms of domain names that GURL will accept for entries not
-  // in the graph.
-  EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "domain.com"));
-  EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "example..com"));
-  EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "www.co.uk"));
-  EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "www..co.uk"));
-}
-
-}  // namespace
-
-}  // namespace net
--- a/net/cert/cert_verify_proc_whitelist_unittest1.gperf
+++ b/net/cert/cert_verify_proc_whitelist_unittest1.gperf
-%{
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-%}
-%%
-example.com, 0
-example.bar.jp, 0
-%%
--- a/net/cert/ev_root_ca_metadata.cc
+++ b/net/cert/ev_root_ca_metadata.cc
@@ -168,20 +168,6 @@ static const EVMetadata ev_root_ca_metadata[] = {
          0x50, 0xBD, 0xC7, 0xC2, 0x81, 0xA5, 0xBC, 0xA9, 0x64, 0x57}},
        {"2.16.578.1.26.1.3.3", ""},
    },
-    // CA 沃通根证书
-    // https://root2evtest.wosign.com/
-    {
-        {{0x16, 0x32, 0x47, 0x8d, 0x89, 0xf9, 0x21, 0x3a, 0x92, 0x00,
-          0x85, 0x63, 0xf5, 0xa4, 0xa7, 0xd3, 0x12, 0x40, 0x8a, 0xd6}},
-        {"1.3.6.1.4.1.36305.2", ""},
-    },
-    // Certification Authority of WoSign
-    // https://root1evtest.wosign.com/
-    {
-        {{0xb9, 0x42, 0x94, 0xbf, 0x91, 0xea, 0x8f, 0xb6, 0x4b, 0xe6,
-          0x10, 0x97, 0xc7, 0xfb, 0x00, 0x13, 0x59, 0xb6, 0x76, 0xcb}},
-        {"1.3.6.1.4.1.36305.2", ""},
-    },
    // CertPlus Class 2 Primary CA (KEYNECTIS)
    // https://www.keynectis.com/
    {

--- a/net/data/ssl/wosign/4b22d5a6aec99f3cdb79aa5ec06838479cd5ecba7164f7f22dc1d65f63d85708.pem
+++ b/net/data/ssl/wosign/4b22d5a6aec99f3cdb79aa5ec06838479cd5ecba7164f7f22dc1d65f63d85708.pem
--- a/net/data/ssl/wosign/7d8ce822222b90c0b14342c7a8145d1f24351f4d1a1fe0edfd312ee73fb00149.pem
+++ b/net/data/ssl/wosign/7d8ce822222b90c0b14342c7a8145d1f24351f4d1a1fe0edfd312ee73fb00149.pem
--- a/net/data/ssl/wosign/8b45da1c06f791eb0cabf26be588f5fb23165c2e614bf885562d0dce50b29b02.pem
+++ b/net/data/ssl/wosign/8b45da1c06f791eb0cabf26be588f5fb23165c2e614bf885562d0dce50b29b02.pem
--- a/net/data/ssl/blacklist/README.md
+++ b/net/data/ssl/blacklist/README.md
@@ -204,3 +204,16 @@ This intermediate certificate was retired by T-Systems, and blacklisted
 for robustness at their request.

  * [f4a5984324de98bd979ef181a100cf940f2166173319a86a0d9d7c8fac3b0a8f.pem](f4a5984324de98bd979ef181a100cf940f2166173319a86a0d9d7c8fac3b0a8f.pem)
+
+### WoSign/StartCom
+
+For details, see <https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html>
+
+  * [4b22d5a6aec99f3cdb79aa5ec06838479cd5ecba7164f7f22dc1d65f63d85708.pem](4b22d5a6aec99f3cdb79aa5ec06838479cd5ecba7164f7f22dc1d65f63d85708.pem)
+  * [7d8ce822222b90c0b14342c7a8145d1f24351f4d1a1fe0edfd312ee73fb00149.pem](7d8ce822222b90c0b14342c7a8145d1f24351f4d1a1fe0edfd312ee73fb00149.pem)
+  * [8b45da1c06f791eb0cabf26be588f5fb23165c2e614bf885562d0dce50b29b02.pem](8b45da1c06f791eb0cabf26be588f5fb23165c2e614bf885562d0dce50b29b02.pem)
+  * [c766a9bef2d4071c863a31aa4920e813b2d198608cb7b7cfe21143b836df09ea.pem](c766a9bef2d4071c863a31aa4920e813b2d198608cb7b7cfe21143b836df09ea.pem)
+  * [c7ba6567de93a798ae1faa791e712d378fae1f93c4397fea441bb7cbe6fd5995.pem](c7ba6567de93a798ae1faa791e712d378fae1f93c4397fea441bb7cbe6fd5995.pem)
+  * [d487a56f83b07482e85e963394c1ecc2c9e51d0903ee946b02c301581ed99e16.pem](d487a56f83b07482e85e963394c1ecc2c9e51d0903ee946b02c301581ed99e16.pem)
+  * [d6f034bd94aa233f0297eca4245b283973e447aa590f310c77f48fdf83112254.pem](d6f034bd94aa233f0297eca4245b283973e447aa590f310c77f48fdf83112254.pem)
+  * [e17890ee09a3fbf4f48b9c414a17d637b7a50647e9bc752322727fcc1742a911.pem](e17890ee09a3fbf4f48b9c414a17d637b7a50647e9bc752322727fcc1742a911.pem)
--- a/net/data/ssl/wosign/c766a9bef2d4071c863a31aa4920e813b2d198608cb7b7cfe21143b836df09ea.pem
+++ b/net/data/ssl/wosign/c766a9bef2d4071c863a31aa4920e813b2d198608cb7b7cfe21143b836df09ea.pem
--- a/net/data/ssl/wosign/c7ba6567de93a798ae1faa791e712d378fae1f93c4397fea441bb7cbe6fd5995.pem
+++ b/net/data/ssl/wosign/c7ba6567de93a798ae1faa791e712d378fae1f93c4397fea441bb7cbe6fd5995.pem
--- a/net/data/ssl/wosign/d487a56f83b07482e85e963394c1ecc2c9e51d0903ee946b02c301581ed99e16.pem
+++ b/net/data/ssl/wosign/d487a56f83b07482e85e963394c1ecc2c9e51d0903ee946b02c301581ed99e16.pem
--- a/net/data/ssl/wosign/d6f034bd94aa233f0297eca4245b283973e447aa590f310c77f48fdf83112254.pem
+++ b/net/data/ssl/wosign/d6f034bd94aa233f0297eca4245b283973e447aa590f310c77f48fdf83112254.pem
--- a/net/data/ssl/wosign/e17890ee09a3fbf4f48b9c414a17d637b7a50647e9bc752322727fcc1742a911.pem
+++ b/net/data/ssl/wosign/e17890ee09a3fbf4f48b9c414a17d637b7a50647e9bc752322727fcc1742a911.pem
--- a/net/data/ssl/certificates/README
+++ b/net/data/ssl/certificates/README
@@ -69,11 +69,6 @@ unit tests.
  Trust the certificate in verisign_class3_g5_crosssigned.pem (Generated by
  scripts/generate-verisign_class3_g5_crosssigned-trusted-keychain.sh)

- wosign_before_oct_21.pem
- wosign_after_oct_21.pem
-    Two certificates issued by WoSign CA Ltd, before and after the
-    2016-10-21 00:00:00 UTC sunset for trust in this CA.
-
 ===== Manually generated certificates
 - client.p12 : A PKCS #12 file containing a client certificate and a private
     key created for testing.  The password is "12345".

--- a/net/data/ssl/certificates/wosign_after_oct_21.pem
+++ b/net/data/ssl/certificates/wosign_after_oct_21.pem
-----BEGIN CERTIFICATE-----
-MIIG4zCCBcugAwIBAgIQLiULSX95morl9Ud1Z42ELzANBgkqhkiG9w0BAQsFADB4
-MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjEpMCcGA1UECxMg
-U3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxJjAkBgNVBAMTHVN0YXJ0
-Q29tIENsYXNzIDIgSVYgU2VydmVyIENBMB4XDTE2MTAyMjAxMjQzNloXDTE4MTAy
-MjAxMjQzNlowgYgxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApMYW5jYXNoaXJlMRIw
-EAYDVQQHDAlCbGFja3Bvb2wxDzANBgNVBAQMBlBpbmRlcjEPMA0GA1UEKgwGU2Ft
-dWVsMS4wLAYDVQQDDCVub3RiZWZvcmUtYWZ0ZXItMjFzdC10ZXN0LnNhbXNwaW4u
-bmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3uorG2l4UvPvIaSL
-W6trBNTaFoZaWgxsSmgZCocYad+1PSk/S4LLOEelrQ0bjYpfP6uTg2XM7ZaPPyNz
-pjVvXuTscFFYzk5DpOrCwGiPgTl0UpWGxRWTLgNrhHhYPkI3SIQFOxxG28H1ej57
-Konwgkd6jB3QH5QmQjiYiC4GuqQQb2vRo88crcdE35GudFdjOfz3oLganxBcwlYF
-T/m6+W7zciWydSw6ZZ1mZ7O9ZIukJxCQFOva8KjnbYHMVNM7Dk5f5uOV0oq42hhA
-7s5YWuzfx0vgOQd8ck/b9yLmNjXb7tNnNIwDB4WI8mUha0Aormm1+hw7/GGtqv5m
-hsEJrQIDAQABo4IDVjCCA1IwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsG
-AQUFBwMCBggrBgEFBQcDATAJBgNVHRMEAjAAMB0GA1UdDgQWBBQ1rGzhNCycYR7e
-MPiTDYL2VWZoIjAfBgNVHSMEGDAWgBSU3oVBKqXZRfZgLC5MkwmmLCN+PjBvBggr
-BgEFBQcBAQRjMGEwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnN0YXJ0c3NsLmNv
-bTA5BggrBgEFBQcwAoYtaHR0cDovL2FpYS5zdGFydHNzbC5jb20vY2VydHMvc2Nh
-LnNlcnZlcjIuY3J0MDgGA1UdHwQxMC8wLaAroCmGJ2h0dHA6Ly9jcmwuc3RhcnRz
-c2wuY29tL3NjYS1zZXJ2ZXIyLmNybDAwBgNVHREEKTAngiVub3RiZWZvcmUtYWZ0
-ZXItMjFzdC10ZXN0LnNhbXNwaW4ubmV0MCMGA1UdEgQcMBqGGGh0dHA6Ly93d3cu
-c3RhcnRzc2wuY29tLzBRBgNVHSAESjBIMAgGBmeBDAECAzA8BgsrBgEEAYG1NwEC
-BTAtMCsGCCsGAQUFBwIBFh9odHRwczovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5
-MIIBfwYKKwYBBAHWeQIEAgSCAW8EggFrAWkAdgA0u2rWw9+cA+6opJn/eJFIbJ1e
-XKyS0B97/RvOGdtI7wAAAVfqIcrqAAAEAwBHMEUCIQDzahsao+JBVB5a6S53C/d2
-9In0No34SD2qhcXlBre2OQIgU9wUUjeDzHfJnmuedQEHtQUF/ZVCIJBad+fMY21F
-lPoAdgCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAVfqIdAFAAAE
-AwBHMEUCIQDC8Y/efCY+T79yaPh2bWoz+Alvl4LMTPUvytWuyEFvSAIgdvrURBpl
-MOacD7Q4XqLwbqvnwq1pcjM8t38EV4DKBl8AdwBo9pj4H2SCvjqM7rkoHUz8cVFd
-Z5PURNEKZ6y7T0/7xAAAAVfqIc8+AAAEAwBIMEYCIQDmoQArwzWqM/vW1knll6Sx
-KKqbaTdhsPHHdDFwxMEV7wIhAMSYd4xl3YYoBszW5IcB9uoYxq45JR5uJjZQvBLR
-U7EuMA0GCSqGSIb3DQEBCwUAA4IBAQBrVuxrjvtT59pETCpYYkI4yAvUv4nZGV9G
-iF7oopMvoNA01J4y0TI690dhtVGdLDo4DZsrIs1OytChVDUSvQ+GNlC97ImWhSwX
-Vka5ZQhYwMrtBwfZyb0qBHpegL+HVZoYcxL0NnCeJ2xRTQCWsZC4gyBPg+uZ1Wwa
-sF/8xzeYs4Yub42W/3RuP+sTxBoatTGZ4zQqFijXzOVjiIhyuNCUvcDpsR0r+qse
-V+CjUgjIZH/Y2q642buXwHnd0H7iYn9sQTuXS3dWqLPIih100sgxhflpvSeuU4+u
-9R9DBpX7IOhW7EqJFcXdk2PnVSgwlMscVyNCNcQQw1LJc5zOJT9O
-----END CERTIFICATE-----
--- a/net/data/ssl/certificates/wosign_before_oct_21.pem
+++ b/net/data/ssl/certificates/wosign_before_oct_21.pem
-----BEGIN CERTIFICATE-----
-MIIIeTCCB2GgAwIBAgIQKKbTLCuXG4ls0N6Ud/0qBjANBgkqhkiG9w0BAQsFADBS
-MQswCQYDVQQGEwJDTjEaMBgGA1UEChMRV29TaWduIENBIExpbWl0ZWQxJzAlBgNV
-BAMTHldvU2lnbiBDbGFzcyA0IEVWIFNlcnZlciBDQSBHMjAeFw0xNjAyMjQwNzI0
-NDVaFw0xODA0MjQwNzI0NDVaMIIBZDETMBEGCysGAQQBgjc8AgEDEwJDTjEaMBgG
-CysGAQQBgjc8AgECDAlHdWFuZ2RvbmcxGTAXBgsrBgEEAYI3PAIBAQwIU2hlbnpo
-ZW4xHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRgwFgYDVQQFEw80NDAz
-MDExMDMzMDg2MTkxCzAJBgNVBAYTAkNOMRIwEAYDVQQIDAnlub/kuJznnIExEjAQ
-BgNVBAcMCea3seWcs+W4gjEPMA0GA1UEEQwGNTE4MDY3MUgwRgYDVQQJDD/mt7Hl
-nLPluILljZflsbHljLrljZfmtbflpKfpgZMxMDU35Y+356eR5oqA5aSn5Y6m5LqM
-5pyfQeagizUwMiMxNDAyBgNVBAoMK1dvU2lnbiDmsoPpgJrnlLXlrZDorqTor4Hm
-nI3liqHmnInpmZDlhazlj7gxFzAVBgNVBAMMDnd3dy53b3NpZ24uY29tMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApffKEl+GUGjfRGsYr4MO6M6Y6L14
-nH/4bhcK7bF1M42gqFO0jzm9ayiC8rCmO0v1j7TFa+MFR0pEbsFFuqdw85z0L5xH
-Ps+OZvpt+Ywqf6MhUsvuWPAdf2r6gVOT/MmQ55UO270qbijL4OBE/m9kQm9fW2Mg
-uoONbLsGA2SZvFE9+sdwnLSMs7AE7ZUnR5ENI8VgLghgX+Tc5vjypisNUg/EP3Au
-fltXO+mrObhWyPCrWBan6Vo+TJ1Rykr1X0NZVCj+tCpFzOCpl3UxJ+sqVHCGMZvA
-uxSVL2u0hQhmVxJJxjgbVV/90cV0IX7hF6PbNBHzG3HReHYmcEG4UCfKDwIDAQAB
-o4IENTCCBDEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggr
-BgEFBQcDATAJBgNVHRMEAjAAMB0GA1UdDgQWBBTHuLW/Sz/GGh6bVeF600xgXM2R
-VDAfBgNVHSMEGDAWgBS7c4souCWoYAbYkOxLfWao+32AxTBzBggrBgEFBQcBAQRn
-MGUwLwYIKwYBBQUHMAGGI2h0dHA6Ly9vY3NwMS53b3NpZ24uY29tL2NhNi9zZXJ2
-ZXI0MDIGCCsGAQUFBzAChiZodHRwOi8vYWlhMS53b3NpZ24uY29tL2NhNi5zZXJ2
-ZXI0LmNlcjA4BgNVHR8EMTAvMC2gK6AphidodHRwOi8vY3JsczEud29zaWduLmNv
-bS9jYTYtc2VydmVyNC5jcmwwggEmBgNVHREEggEdMIIBGYIOd3d3Lndvc2lnbi5j
-b22CCndvc2lnbi5jb22CFnhuLS1idXc0MjdlLnhuLS1maXF6OXOCFnhuLS1idXc0
-MjdlLnhuLS1maXFzOHOCDnhuLS1idXc0MjdlLmNugg94bi0tYnV3NDI3ZS5jb22C
-CXdvc2lnbi50d4INd3d3Lndvc2lnbi50d4IJd29zaWduLnVzgg13d3cud29zaWdu
-LnVzggl3b3NpZ24uaGuCDXd3dy53b3NpZ24uaGuCDXdvc2lnbi5jb20uaGuCEXd3
-dy53b3NpZ24uY29tLmhrgg13b3NpZ24uY29tLmNughF3d3cud29zaWduLmNvbS5j
-boIJd29zaWduLmNugg13d3cud29zaWduLmNuMFsGA1UdIARUMFIwCwYJKwYBBAGC
-m1ECMAcGBWeBDAEBMDoGCysGAQQBgptRAQECMCswKQYIKwYBBQUHAgEWHWh0dHA6
-Ly93d3cud29zaWduLmNvbS9wb2xpY3kvMIIBfQYKKwYBBAHWeQIEAgSCAW0EggFp
-AWcAdQB0YbSgnPs9QddRWVdbLnZJpEWo0ncJsMxWSmSCt+tBowAAAVMSUIu/AAAE
-AwBGMEQCIGtsalnFg8ccCBLr/dcwJFFHBidFQLS3pZ8ZitYsZYnmAiBH5SAi5XRN
-IGGaAdZ0HQl222QFR8hUBo5zah5i4nPJOQB2AGj2mPgfZIK+OozuuSgdTPxxUV1n
-k9RE0QpnrLtPT/vEAAABUxJQjmEAAAQDAEcwRQIhANZD8ma2vBvZVmcpen8YIrK0
-bpGmejqUuwJWgJgSmgO8AiAUEj7yZuAqH9iZ4aIzAOtfcTRoyX3Dpok5rbR938ed
-LwB2AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABUxJQjogAAAQD
-AEcwRQIgcvVhTBJ76zzHqFtLj016bLMm7aT2tNw8I24dF0DfPUcCIQDYcvmRXBUA
-KUQsQwgv2NAOY2Bh4TxYol7RPJFubyh+tjANBgkqhkiG9w0BAQsFAAOCAQEACT93
-Qf02cQmZrpEctEwKVRUgb8vN9EcyuR35ax1Uzam6OJuMxai7wvXs72tZP1qI0Alu
-gIB13ljw7lSYU7bXWL2S47Evn07SRjkBRd47WiVVLGgDECHpRQJn0A1s8UHtipk/
-4PLO+WLYs/oguqeURZGgaqcJKFSyJC3MZLXaxFvvn2/YCxmd0tTAtvO5VlE8ll3i
-REExIusOle7yjc0D9vrt8094PZ3yKTx1OAgOz12HVuu8ZqPsPiKKatNZ09J+QzTd
-fTqxkOTMLOJOwnxl59MsALcT05JJcPTFiHToCtoMCDdMRrV2NPK4XbLMxG/ZX8T/
-N3BvtSXJkvdKFmlj8A==
-----END CERTIFICATE-----
--- a/net/data/ssl/wosign/BUILD.gn
+++ b/net/data/ssl/wosign/BUILD.gn
-# Copyright (c) 2017 The Chromium Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-
-action_foreach("wosign_domains") {
-  script = "//net/tools/dafsa/make_dafsa.py"
-  sources = [
-    "wosign_domains.gperf",
-  ]
-  outputs = [
-    "${target_gen_dir}/{{source_name_part}}-inc.cc",
-  ]
-  args = [
-    "{{source}}",
-    rebase_path("${target_gen_dir}/{{source_name_part}}-inc.cc",
-                root_build_dir),
-  ]
-}
--- a/net/data/ssl/wosign/README.md
+++ b/net/data/ssl/wosign/README.md
-# WoSign Certificates
-
-This directory contains the set of known active and legacy root certificates
-operated by WoSign CA Limited, including those of its wholly owned subisiary
-StartCom.
-
-Trust in these root certificates is being phased out, as described at
-<https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html>
-
-## Roots
-
-The files in this directory are organized by the SHA-256 hash of the
-certificate file, while the policies are based on the SHA-256 hash of
-the subjectPublicKeyInfo contained within the certificate.
-
-The following command can be used to extract the key hashes:
-
-`` for f in *.pem; do openssl x509 -noout -pubkey -in "${f}" | openssl asn1parse -inform pem -out /tmp/pubkey.out -noout; digest=`cat /tmp/pubkey.out | openssl dgst -sha256 -c | sed s/:/,0x/g `; echo "0x${digest} ${f##*/}"; done | sort ``
-
--- a/net/data/ssl/wosign/wosign_domains.gperf
+++ b/net/data/ssl/wosign/wosign_domains.gperf