net: trim allowed Google pins now that we have switched to GIAG2.

BUG=none R=palmer@chromium.org Review URL: https://codereview.chromium.org/55893003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@233033 0039d316-1c4b-4281-b951-d872f2087c98

net: trim allowed Google pins now that we have switched to GIAG2.
BUG=none R=palmer@chromium.org Review URL: https://codereview.chromium.org/55893003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@233033 0039d316-1c4b-4281-b951-d872f2087c98
9d1ecd6e · agl@chromium.org · b815f59e · 9d1ecd6e · 9d1ecd6e · 9d1ecd6e
Commit 9d1ecd6e authored Nov 05, 2013 by agl@chromium.org
4 changed files
--- a/net/http/transport_security_state_static.certs
+++ b/net/http/transport_security_state_static.certs
--- a/net/http/transport_security_state_static.h
+++ b/net/http/transport_security_state_static.h
@@ -22,18 +22,6 @@ static const char kSPKIHash_VeriSignClass3_G3[] =
    "\x22\xf1\x9e\x2e\xc6\xea\xcc\xfc\x5d\x23"
    "\x46\xf4\xc2\xe8\xf6\xc5\x54\xdd\x5e\x07";

-static const char kSPKIHash_Google1024[] =
-    "\x40\xc5\x40\x1d\x6f\x8c\xba\xf0\x8b\x00"
-    "\xed\xef\xb1\xee\x87\xd0\x05\xb3\xb9\xcd";
-
-static const char kSPKIHash_Google2048[] =
-    "\x01\xb9\x21\xc5\x8d\x0b\xdf\x8d\xe0\x29"
-    "\xff\x9c\x92\x2e\xcd\x55\x6a\x7e\xa3\x39";
-
-static const char kSPKIHash_GoogleBackup1024[] =
-    "\x7d\x5b\xa3\xca\x8e\x37\x65\x1d\x7c\x71"
-    "\xc3\xe3\xb7\x74\xcd\xe9\x7b\x1b\x59\x43";
-
 static const char kSPKIHash_GoogleBackup2048[] =
    "\xbe\xae\xce\xca\x34\xa7\xa8\xe7\x28\xf6"
    "\x7c\x8c\x08\x31\x9d\xcb\xbe\xde\x8a\x33";
@@ -42,22 +30,6 @@ static const char kSPKIHash_GoogleG2[] =
    "\x43\xda\xd6\x30\xee\x53\xf8\xa9\x80\xca"
    "\x6e\xfd\x85\xf4\x6a\xa3\x79\x90\xe0\xea";

-static const char kSPKIHash_ThawteSGCCA[] =
-    "\x87\x31\xea\x0e\x3d\xf5\xe8\x70\x3e\x83"
-    "\x72\x57\x77\xa9\x65\x3b\x3b\xfa\x5e\x14";
-
-static const char kSPKIHash_VeriSignClass3SSPIntermediateCA[] =
-    "\x99\x6a\x20\x6a\x85\x57\x62\xcb\x9a\xf2"
-    "\x02\x37\xb3\xc0\x69\x5d\xa9\x1e\xc2\x22";
-
-static const char kSPKIHash_EquifaxSecureCA[] =
-    "\x48\xe6\x68\xf9\x2b\xd2\xb2\x95\xd7\x47"
-    "\xd8\x23\x20\x10\x4f\x33\x98\x90\x9f\xd4";
-
-static const char kSPKIHash_Aetna[] =
-    "\x92\x52\xaa\x14\xde\xbf\x80\xae\x30\xaa"
-    "\xd9\x4e\x60\x38\x70\x24\xa5\x43\x2f\x1a";
-
 static const char kSPKIHash_GeoTrustGlobal[] =
    "\xc0\x7a\x98\x68\x8d\x89\xfb\xab\x05\x64"
    "\x0c\x11\x7d\xaa\x7d\x65\xb8\xca\xcc\x4e";
@@ -66,18 +38,6 @@ static const char kSPKIHash_GeoTrustPrimary[] =
    "\xb0\x19\x89\xe7\xef\xfb\x4a\xaf\xcb\x14"
    "\x8f\x58\x46\x39\x76\x22\x41\x50\xe1\xba";

-static const char kSPKIHash_Intel[] =
-    "\x0e\xc6\x2a\xf7\x59\xb2\x08\x10\x90\x25"
-    "\x6f\xc3\xdd\xfd\x8a\x66\x31\x30\x2b\xc5";
-
-static const char kSPKIHash_TCTrustCenter[] =
-    "\x83\x3b\x84\x10\x00\x7f\x6e\x4a\x9d\x41"
-    "\x2d\xc4\x22\x39\x36\x6f\x2e\xe5\x5b\xe9";
-
-static const char kSPKIHash_Vodafone[] =
-    "\x0d\x7f\xe1\x5c\x55\x14\x36\x68\x99\xfc"
-    "\x40\xd6\x22\x08\xef\x22\xeb\xd1\x15\x1c";
-
 static const char kSPKIHash_RapidSSL[] =
    "\xa3\x93\x99\xc4\x04\xc3\xb2\x09\xb0\x81"
    "\xc2\x1f\x21\x62\x27\x78\xc2\x74\x8e\x4c";
@@ -268,29 +228,13 @@ static const char* const kTestAcceptableCerts[] = {
 }

 static const char* const kGoogleAcceptableCerts[] = {
-  kSPKIHash_VeriSignClass3,
-  kSPKIHash_VeriSignClass3_G3,
-  kSPKIHash_Google1024,
-  kSPKIHash_Google2048,
-  kSPKIHash_GoogleBackup1024,
  kSPKIHash_GoogleBackup2048,
  kSPKIHash_GoogleG2,
-  kSPKIHash_EquifaxSecureCA,
-  kSPKIHash_GeoTrustGlobal,
-  NULL,
-};
-static const char* const kGoogleRejectedCerts[] = {
-  kSPKIHash_Aetna,
-  kSPKIHash_Intel,
-  kSPKIHash_TCTrustCenter,
-  kSPKIHash_Vodafone,
-  kSPKIHash_ThawteSGCCA,
-  kSPKIHash_VeriSignClass3SSPIntermediateCA,
  NULL,
 };
 #define kGooglePins { \
  kGoogleAcceptableCerts, \
-  kGoogleRejectedCerts, \
+  kNoRejectedPublicKeys, \
 }

 static const char* const kTorAcceptableCerts[] = {

--- a/net/http/transport_security_state_static.json
+++ b/net/http/transport_security_state_static.json
@@ -42,23 +42,8 @@
    {
      "name": "google",
      "static_spki_hashes": [
-        "VeriSignClass3",
-        "VeriSignClass3_G3",
-        "Google1024",
-        "Google2048",
-        "GoogleBackup1024",
        "GoogleBackup2048",
-        "GoogleG2",
-        "EquifaxSecureCA",
-        "GeoTrustGlobal"
-      ],
-      "bad_static_spki_hashes": [
-        "Aetna",
-        "Intel",
-        "TCTrustCenter",
-        "Vodafone",
-        "ThawteSGCCA",
-        "VeriSignClass3SSPIntermediateCA"
+        "GoogleG2"
      ]
    },
    {

--- a/net/http/transport_security_state_unittest.cc
+++ b/net/http/transport_security_state_unittest.cc
@@ -547,43 +547,6 @@ static bool AddHash(const std::string& type_and_base64,
  return true;
 }

-TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCerts) {
-  // kGoodPath is plus.google.com via Google Internet Authority.
-  static const char* kGoodPath[] = {
-    "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=",
-    "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0=",
-    "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=",
-    NULL,
-  };
-
-  // kBadPath is plus.google.com via Trustcenter, which contains a required
-  // certificate (Equifax root), but also an excluded certificate
-  // (Trustcenter).
-  static const char* kBadPath[] = {
-    "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=",
-    "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=",
-    "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=",
-    NULL,
-  };
-
-  HashValueVector good_hashes, bad_hashes;
-
-  for (size_t i = 0; kGoodPath[i]; i++) {
-    EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));
-  }
-  for (size_t i = 0; kBadPath[i]; i++) {
-    EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
-  }
-
-  TransportSecurityState state;
-  TransportSecurityState::DomainState domain_state;
-  EXPECT_TRUE(state.GetDomainState("plus.google.com", true, &domain_state));
-  EXPECT_TRUE(domain_state.HasPublicKeyPins());
-
-  EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes));
-  EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes));
-}
-
 TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) {
  // kGoodPath is blog.torproject.org.
  static const char* kGoodPath[] = {
@@ -620,100 +583,6 @@ TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) {
  EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes));
 }

-TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCertsMixedHashes) {
-  static const char* ee_sha1 = "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=";
-  static const char* ee_sha256 =
-      "sha256/sRJBQqWhpaKIGcc1NA7/jJ4vgWj+47oYfyU7waOS1+I=";
-  static const char* google_1024_sha1 = "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0=";
-  static const char* google_1024_sha256 =
-      "sha256/trlUMquuV/4CDLK3T0+fkXPIxwivyecyrOIyeQR8bQU=";
-  static const char* equifax_sha1 = "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=";
-  static const char* equifax_sha256 =
-      "sha256//1aAzXOlcD2gSBegdf1GJQanNQbEuBoVg+9UlHjSZHY=";
-  static const char* trustcenter_sha1 = "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=";
-  static const char* trustcenter_sha256 =
-      "sha256/Dq58KIA4NMLsboWMLU8/aTREzaAGEFW+EtUule8dd/M=";
-
-  // Good chains for plus.google.com chain up through google_1024_sha{1,256}
-  // to equifax_sha{1,256}. Bad chains chain up to Equifax through
-  // trustcenter_sha{1,256}, which is a blacklisted key. Even though Equifax
-  // and Google1024 are known-good, the blacklistedness of Trustcenter
-  // should override and cause pin validation failure.
-
-  TransportSecurityState state;
-  TransportSecurityState::DomainState domain_state;
-  EXPECT_TRUE(state.GetDomainState("plus.google.com", true, &domain_state));
-  EXPECT_TRUE(domain_state.HasPublicKeyPins());
-
-  // The statically-defined pins are all SHA-1, so we add some SHA-256 pins
-  // manually:
-  EXPECT_TRUE(AddHash(google_1024_sha256, &domain_state.static_spki_hashes));
-  EXPECT_TRUE(AddHash(trustcenter_sha256,
-                      &domain_state.bad_static_spki_hashes));
-
-  // Try an all-good SHA1 chain.
-  HashValueVector validated_chain;
-  EXPECT_TRUE(AddHash(ee_sha1, &validated_chain));
-  EXPECT_TRUE(AddHash(google_1024_sha1, &validated_chain));
-  EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain));
-  EXPECT_TRUE(domain_state.CheckPublicKeyPins(validated_chain));
-
-  // Try an all-bad SHA1 chain.
-  validated_chain.clear();
-  EXPECT_TRUE(AddHash(ee_sha1, &validated_chain));
-  EXPECT_TRUE(AddHash(trustcenter_sha1, &validated_chain));
-  EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain));
-  EXPECT_FALSE(domain_state.CheckPublicKeyPins(validated_chain));
-
-  // Try an all-good SHA-256 chain.
-  validated_chain.clear();
-  EXPECT_TRUE(AddHash(ee_sha256, &validated_chain));
-  EXPECT_TRUE(AddHash(google_1024_sha256, &validated_chain));
-  EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain));
-  EXPECT_TRUE(domain_state.CheckPublicKeyPins(validated_chain));
-
-  // Try an all-bad SHA-256 chain.
-  validated_chain.clear();
-  EXPECT_TRUE(AddHash(ee_sha256, &validated_chain));
-  EXPECT_TRUE(AddHash(trustcenter_sha256, &validated_chain));
-  EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain));
-  EXPECT_FALSE(domain_state.CheckPublicKeyPins(validated_chain));
-
-  // Try a mixed-hash good chain.
-  validated_chain.clear();
-  EXPECT_TRUE(AddHash(ee_sha256, &validated_chain));
-  EXPECT_TRUE(AddHash(google_1024_sha1, &validated_chain));
-  EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain));
-  EXPECT_TRUE(domain_state.CheckPublicKeyPins(validated_chain));
-
-  // Try a mixed-hash bad chain.
-  validated_chain.clear();
-  EXPECT_TRUE(AddHash(ee_sha1, &validated_chain));
-  EXPECT_TRUE(AddHash(trustcenter_sha256, &validated_chain));
-  EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain));
-  EXPECT_FALSE(domain_state.CheckPublicKeyPins(validated_chain));
-
-  // Try a chain with all good hashes.
-  validated_chain.clear();
-  EXPECT_TRUE(AddHash(ee_sha1, &validated_chain));
-  EXPECT_TRUE(AddHash(google_1024_sha1, &validated_chain));
-  EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain));
-  EXPECT_TRUE(AddHash(ee_sha256, &validated_chain));
-  EXPECT_TRUE(AddHash(google_1024_sha256, &validated_chain));
-  EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain));
-  EXPECT_TRUE(domain_state.CheckPublicKeyPins(validated_chain));
-
-  // Try a chain with all bad hashes.
-  validated_chain.clear();
-  EXPECT_TRUE(AddHash(ee_sha1, &validated_chain));
-  EXPECT_TRUE(AddHash(trustcenter_sha1, &validated_chain));
-  EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain));
-  EXPECT_TRUE(AddHash(ee_sha256, &validated_chain));
-  EXPECT_TRUE(AddHash(trustcenter_sha256, &validated_chain));
-  EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain));
-  EXPECT_FALSE(domain_state.CheckPublicKeyPins(validated_chain));
-}
-
 TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) {
  TransportSecurityState state;
  TransportSecurityState::DomainState domain_state;