Remove the CNNIC whitelist

The CNNIC whitelist was temporary, and only contained EE certs.

Remove the whitelist, fully distrusting CNNIC.

BUG=673083

Review-Url: https://codereview.chromium.org/2565743004
Cr-Commit-Position: refs/heads/master@{#437935}

net/cert/cert_verify_proc_blacklist.inc

@@ -5,7 +5,7 @@
 // The certificate(s) that were misissued, and which represent these SPKIs,
 // are stored within net/data/ssl/blacklist. Further details about the
 // rationale is documented in net/data/ssl/blacklist/README.md
-static const size_t kNumBlacklistedSPKIs = 34u;
+static const size_t kNumBlacklistedSPKIs = 36u;
 static const uint8_t
     kBlacklistedSPKIs[kNumBlacklistedSPKIs][crypto::kSHA256Length] = {
         // ead610e6e90b439f2ecb51628b0932620f6ef340bd843fca38d3181b8f4ba197.pem
@@ -24,6 +24,10 @@ static const uint8_t
         {0x1a, 0xf5, 0x6c, 0x98, 0xff, 0x04, 0x3e, 0xf9, 0x2b, 0xeb, 0xff,
          0x54, 0xce, 0xbb, 0x4d, 0xd6, 0x7a, 0x25, 0xba, 0x95, 0x6c, 0x81,
          0x7f, 0x3e, 0x6d, 0xd3, 0xc1, 0xe5, 0x2e, 0xb5, 0x84, 0xc1},
+        // e28393773da845a679f2080cc7fb44a3b7a1c3792cb7eb7729fdcb6a8d99aea7.pem
+        {0x1f, 0x42, 0x24, 0xce, 0xc8, 0x4f, 0xc9, 0x9c, 0xed, 0x88, 0x1f,
+         0xf6, 0xfc, 0xfd, 0x3e, 0x21, 0xf8, 0xc5, 0x19, 0xc5, 0x47, 0xaa,
+         0x6a, 0x5d, 0xd3, 0xde, 0x24, 0x73, 0x02, 0xce, 0x50, 0xd1},
         // 2c998e761160c3b06d82faa9fdc7545d9bda9eb60310f992aa510a6280b74245.pem
         {0x2c, 0x99, 0x8e, 0x76, 0x11, 0x60, 0xc3, 0xb0, 0x6d, 0x82, 0xfa,
          0xa9, 0xfd, 0xc7, 0x54, 0x5d, 0x9b, 0xda, 0x9e, 0xb6, 0x03, 0x10,
@@ -78,6 +82,10 @@ static const uint8_t
         {0x9b, 0x8a, 0x93, 0xde, 0xcc, 0xcf, 0xba, 0xfc, 0xf4, 0xd0, 0x4d,
          0x34, 0x42, 0x12, 0x8f, 0xb3, 0x52, 0x18, 0xcf, 0xe4, 0x37, 0xa3,
          0xd8, 0xd0, 0x32, 0x8c, 0x99, 0xf8, 0x90, 0x89, 0xe4, 0x50},
+        // 1c01c6f4dbb2fefc22558b2bca32563f49844acfc32b7be4b0ff599f9e8c7af7.pem
+        {0x9d, 0xd5, 0x5f, 0xc5, 0x73, 0xf5, 0x46, 0xcb, 0x6a, 0x38, 0x31,
+         0xd1, 0x11, 0x2d, 0x87, 0x10, 0xa6, 0xf4, 0xf8, 0x2d, 0xc8, 0x7f,
+         0x5f, 0xae, 0x9d, 0x3a, 0x1a, 0x02, 0x8d, 0xd3, 0x6e, 0x4b},
         // 0d136e439f0ab6e97f3a02a540da9f0641aa554e1d66ea51ae2920d51b2f7217.pem
         // 4fee0163686ecbd65db968e7494f55d84b25486d438e9de558d629d28cd4d176.pem
         // 8a1bd21661c60015065212cc98b1abb50dfd14c872a208e66bae890f25c448af.pem

net/cert/cert_verify_proc_whitelist.h

@@ -16,15 +16,6 @@ namespace net {
 
 class X509Certificate;
 
-// PublicKeyWhitelist contains a SHA-256 SPKI hash and a pointer to an array
-// of SHA-256 certificate hashes that have been publicly disclosed and
-// whitelisted.
-struct PublicKeyWhitelist {
-  uint8_t public_key[crypto::kSHA256Length];
-  const uint8_t (*whitelist)[crypto::kSHA256Length];
-  size_t whitelist_size;
-};
-
 // Returns true if |cert| has been issued by a CA that is constrained from
 // issuing new certificates and |cert| is not within the whitelist of
 // existing certificates. Returns false if |cert| was issued by an
@@ -36,12 +27,6 @@ bool NET_EXPORT_PRIVATE
 IsNonWhitelistedCertificate(const X509Certificate& cert,
                             const HashValueVector& public_key_hashes);
 
-// Sets the certificate whitelist for testing. Supply nullptr/0 to reset to
-// the built-in whitelist.
-void NET_EXPORT_PRIVATE
-SetCertificateWhitelistForTesting(const PublicKeyWhitelist* whitelist,
-                                  size_t whitelist_size);
-
 }  // namespace net
 
 #endif  // NET_CERT_CERT_VERIFY_PROC_WHITELIST_H_

net/cert/cert_verify_proc_whitelist_unittest.cc

@@ -14,176 +14,6 @@ namespace net {
 
 namespace {
 
-HashValue GetTestHashValue(uint8_t label, HashValueTag tag) {
-  HashValue hash_value(tag);
-  memset(hash_value.data(), label, hash_value.size());
-  return hash_value;
-}
-
-HashValueVector GetFakeHashValues() {
-  HashValueVector public_key_hashes;
-
-  // Fake "root" hash
-  public_key_hashes.push_back(GetTestHashValue(0x00, HASH_VALUE_SHA256));
-  public_key_hashes.push_back(GetTestHashValue(0x01, HASH_VALUE_SHA1));
-  // Fake "intermediate" hash
-  public_key_hashes.push_back(GetTestHashValue(0x02, HASH_VALUE_SHA256));
-  public_key_hashes.push_back(GetTestHashValue(0x03, HASH_VALUE_SHA1));
-  // Fake "leaf" hash
-  public_key_hashes.push_back(GetTestHashValue(0x04, HASH_VALUE_SHA256));
-  public_key_hashes.push_back(GetTestHashValue(0x05, HASH_VALUE_SHA1));
-
-  return public_key_hashes;
-}
-
-// The SHA-256 hash of the leaf cert "ok_cert.pem"; obtainable either
-// via X509Certificate::CalculateFingerprint256 or
-// openssl x509 -inform pem -in ok_cert.pem -outform der | openssl
-//   dgst -sha256 -c
-const uint8_t kWhitelistCerts[][crypto::kSHA256Length] = {
-    /* clang-format off */
-  { 0xf4, 0x42, 0xdd, 0x66, 0xfa, 0x10, 0x70, 0x65,
-    0xd1, 0x7e, 0xd9, 0xbb, 0x7c, 0xa9, 0x3c, 0x79,
-    0x63, 0xbe, 0x01, 0xa7, 0x54, 0x18, 0xab, 0x2f,
-    0xc3, 0x9a, 0x14, 0x53, 0xc3, 0x83, 0xa0, 0x5a },
-    /* clang-format on */
-};
-
-TEST(CertVerifyProcWhitelistTest, AcceptsWhitelistedEEByRoot) {
-  scoped_refptr<X509Certificate> cert =
-      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
-  ASSERT_TRUE(cert);
-
-  // clang-format off
-  const PublicKeyWhitelist kWhitelist[] = {
-      { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
-        kWhitelistCerts, arraysize(kWhitelistCerts)
-      },
-  };
-  // clang-format on
-
-  SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
-
-  HashValueVector public_key_hashes = GetFakeHashValues();
-
-  // Should return false, indicating this cert is acceptable because of
-  // it being whitelisted.
-  EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
-
-  SetCertificateWhitelistForTesting(nullptr, 0);
-}
-
-TEST(CertVerifyProcWhitelistTest, AcceptsWhitelistedEEByIntermediate) {
-  scoped_refptr<X509Certificate> cert =
-      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
-  ASSERT_TRUE(cert);
-
-  // clang-format off
-  const PublicKeyWhitelist kWhitelist[] = {
-      { { 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
-          0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
-          0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
-          0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02 },
-        kWhitelistCerts, arraysize(kWhitelistCerts)
-      },
-  };
-  // clang-format on
-
-  SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
-
-  HashValueVector public_key_hashes = GetFakeHashValues();
-
-  // Should return false, indicating this cert is acceptable because of
-  // it being whitelisted.
-  EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
-
-  SetCertificateWhitelistForTesting(nullptr, 0);
-}
-
-TEST(CertVerifyProcWhitelistTest, RejectsNonWhitelistedEE) {
-  scoped_refptr<X509Certificate> cert =
-      ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
-  ASSERT_TRUE(cert);
-
-  // clang-format off
-  const PublicKeyWhitelist kWhitelist[] = {
-      { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
-        kWhitelistCerts, arraysize(kWhitelistCerts)
-      },
-  };
-  // clang-format on
-
-  SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
-
-  HashValueVector public_key_hashes = GetFakeHashValues();
-
-  // Should return true, indicating this certificate chains to a constrained
-  // root and is not whitelisted.
-  EXPECT_TRUE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
-
-  SetCertificateWhitelistForTesting(nullptr, 0);
-}
-
-TEST(CertVerifyProcWhitelistTest, RejectsNonWhitelistedEEByIntermediate) {
-  scoped_refptr<X509Certificate> cert =
-      ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
-  ASSERT_TRUE(cert);
-
-  // clang-format off
-  const PublicKeyWhitelist kWhitelist[] = {
-      { { 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
-          0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
-          0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
-          0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02 },
-        kWhitelistCerts, arraysize(kWhitelistCerts)
-      },
-  };
-  // clang-format on
-
-  SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
-
-  HashValueVector public_key_hashes = GetFakeHashValues();
-
-  // Should return true, indicating this certificate chains to a constrained
-  // root and is not whitelisted.
-  EXPECT_TRUE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
-
-  SetCertificateWhitelistForTesting(nullptr, 0);
-}
-
-TEST(CertVerifyProcWhitelistTest, AcceptsUnconstrainedLeaf) {
-  scoped_refptr<X509Certificate> cert =
-      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
-  ASSERT_TRUE(cert);
-
-  // clang-format off
-  const PublicKeyWhitelist kWhitelist[] = {
-      { { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10,
-          0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10,
-          0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10,
-          0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10 },
-        kWhitelistCerts, arraysize(kWhitelistCerts)
-      },
-  };
-  // clang-format on
-
-  SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
-
-  HashValueVector public_key_hashes = GetFakeHashValues();
-
-  // Should return false, because the chain (as indicated by
-  // public_key_hashes) is not constrained.
-  EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
-
-  SetCertificateWhitelistForTesting(nullptr, 0);
-}
-
 TEST(CertVerifyProcWhitelistTest, HandlesWosignCerts) {
   scoped_refptr<X509Certificate> cert =
       ImportCertFromFile(GetTestCertsDirectory(), "wosign_before_oct_21.pem");

net/data/ssl/blacklist/1c01c6f4dbb2fefc22558b2bca32563f49844acfc32b7be4b0ff599f9e8c7af7.pem

+-----BEGIN CERTIFICATE-----
+MIID9zCCAt+gAwIBAgIESJ8AATANBgkqhkiG9w0BAQUFADCBijELMAkGA1UEBhMC
+Q04xMjAwBgNVBAoMKUNoaW5hIEludGVybmV0IE5ldHdvcmsgSW5mb3JtYXRpb24g
+Q2VudGVyMUcwRQYDVQQDDD5DaGluYSBJbnRlcm5ldCBOZXR3b3JrIEluZm9ybWF0
+aW9uIENlbnRlciBFViBDZXJ0aWZpY2F0ZXMgUm9vdDAeFw0xMDA4MzEwNzExMjVa
+Fw0zMDA4MzEwNzExMjVaMIGKMQswCQYDVQQGEwJDTjEyMDAGA1UECgwpQ2hpbmEg
+SW50ZXJuZXQgTmV0d29yayBJbmZvcm1hdGlvbiBDZW50ZXIxRzBFBgNVBAMMPkNo
+aW5hIEludGVybmV0IE5ldHdvcmsgSW5mb3JtYXRpb24gQ2VudGVyIEVWIENlcnRp
+ZmljYXRlcyBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm35z
+7r07eKpkQ0H1UN+U8i6yjUqORlTSIRLIOTJCBumD1Z9S7eVnAztUwYyZmczpwA//
+DdmEEbK40ctb3B75aDFk4Zv6dOtouSCV98YPjUesWgbdYavi7NifFy2cyjw1l1Vx
+zUOFsUcW9SxTgHbP0wBkvUCZ3czY28Sf1hNfQYOL+Q2HklY0bBoQCxfVWhyXWIQ8
+hBouXJE0bhlffxdpxWXvayHG1VA6v2G5BY3vbzQ6sm8UY78WO5upKv23KzhmBsUs
+4qpnHkWnjQRmQvaPK++IIGmPMowUc9orhpFjIpryp9vOiYurXccUwVswah+xt54u
+gQEC7c+WXmPbqOY4twIDAQABo2MwYTAfBgNVHSMEGDAWgBR8cks5x8DbYqVPm6oY
+NJKiyoOCWTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4E
+FgQUfHJLOcfA22KlT5uqGDSSosqDglkwDQYJKoZIhvcNAQEFBQADggEBACrDx0M3
+j92tpLIM7twUbY8opJhJywyA6vPtI2Z1fcXTIWd50XPFtQO3WKwMVC/GVhMPMdoG
+52U7HW8228gd+f2ABsqjPWYWqJ1MFn3AlUa1UeTiH9fqBk1jjZaM7+czV0I664zB
+echNdn3e9rG3geCg+aF4RhcaVpjwTj2rHO3sOdwHSPdj/gauwqRcalsyiMXHM4Ws
+ZkJHwlgkmeHlPuV1LI5D1l08eB6olYIpUNHRFrrvwb562bTYzB5MRuF3sTGrvSrI
+zo9uoV1/A3U05K2JRVRevq4opbs/eHnrc7MKDf2+yfdWrPa37S+bISnHOLaVxATy
+wy39FCqQmbkHzJ8=
+-----END CERTIFICATE-----

net/data/ssl/blacklist/README.md

@@ -8,6 +8,17 @@ are included.
 
 ## Compromises & Misissuances
 
+### China Internet Network Information Center (CNNIC)
+
+For details, see <https://security.googleblog.com/2015/03/maintaining-digital-certificate-security.html>
+
+As a result of misissuance of a sub-CA certificate, CNNIC end-entity
+certificates were temporarily whitelisted, and then trust in the root fully
+removed.
+
+  * [1c01c6f4dbb2fefc22558b2bca32563f49844acfc32b7be4b0ff599f9e8c7af7.pem](1c01c6f4dbb2fefc22558b2bca32563f49844acfc32b7be4b0ff599f9e8c7af7.pem)
+  * [e28393773da845a679f2080cc7fb44a3b7a1c3792cb7eb7729fdcb6a8d99aea7.pem](e28393773da845a679f2080cc7fb44a3b7a1c3792cb7eb7729fdcb6a8d99aea7.pem)
+
 ### Comodo
 
 For details, see <https://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html>,

net/data/ssl/blacklist/e28393773da845a679f2080cc7fb44a3b7a1c3792cb7eb7729fdcb6a8d99aea7.pem

+-----BEGIN CERTIFICATE-----
+MIIDVTCCAj2gAwIBAgIESTMAATANBgkqhkiG9w0BAQUFADAyMQswCQYDVQQGEwJD
+TjEOMAwGA1UEChMFQ05OSUMxEzARBgNVBAMTCkNOTklDIFJPT1QwHhcNMDcwNDE2
+MDcwOTE0WhcNMjcwNDE2MDcwOTE0WjAyMQswCQYDVQQGEwJDTjEOMAwGA1UEChMF
+Q05OSUMxEzARBgNVBAMTCkNOTklDIFJPT1QwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDTNfc/c3et6FtzF8LRb+1VvG7q6KR5smzDo+/hn7E7SIX1mlwh
+IhAsxYLO2uOabjfhhyzcuQxauohV3/2q2x8x6gHx3zkBwRP9SFIhxFXf2tizVHa6
+dLG3fdfA6PZZxU3Iva0fFNrfWEQlMhkqx35+jq44sDB7R3IJMfAw28Mbdim7aXZO
+V/kbZKKTVrdvmW7bCgScEeOAH8tjlBAKqeFkgjH5jCftppkA9nCTGPihNIaj3XrC
+GHn2emU1z5DrvTOTn1OrczvmmzQgLx3vqR1jGqCA2wMv+SYahtKNu6m+UjqHZ0gN
+v7Sg2Ca+I19zN38m5pIEo3/PIKe38zrKy5nLAgMBAAGjczBxMBEGCWCGSAGG+EIB
+AQQEAwIABzAfBgNVHSMEGDAWgBRl8jGtKvf33VKWCscCwQ7vptU7ETAPBgNVHRMB
+Af8EBTADAQH/MAsGA1UdDwQEAwIB/jAdBgNVHQ4EFgQUZfIxrSr3991SlgrHAsEO
+76bVOxEwDQYJKoZIhvcNAQEFBQADggEBAEs17szkrr/Dbq2flTtLP1se31cpolnK
+OOK5Gv+e5m4y3R6u6jW39ZORTtpC4cMXYFDy0VwmuYK36m3knITnA3kXr5g9lNvH
+ugDnuL8BV8F3RTIMO/G0HAiw/VGgod2aHRM2mm23xzy54cXZF/qD1T0VoDy7Hgvi
+yJA/qIYM/PmLXoXLT1tLYhFHxUV8BS9BsZ4QaRuZluBVeftOhpm4lNqGOGqTo+fL
+buXf6iFViZx9fX+Y9QCJ7uOEwFyWtcVG6kbghVW2G8kS1sHNzYDzAgE8yGnLRUhj
+2JTQ7IUOO04RZfSCjKY9ri4ilAnIXOo8gV0WKgOXFlUJ24pBgp5mmxE=
+-----END CERTIFICATE-----