Issue 10545166: Support SHA-256 in public key pins for HTTPS.

Issue 10545166: Support SHA-256 in public key pins for HTTPS. (Closed)

Created:
8 years, 6 months ago by palmer

Modified:
8 years, 4 months ago

Reviewers:
wtc, agl, Ryan Sleevi, mmenke

CC:
chromium-reviews, cbentzel+watch_chromium.org, eroman, darin-cc_chromium.org

Base URL:
svn://svn.chromium.org/chrome/trunk/src/

Visibility:
Public.

More Reviews

Description

Support SHA-256 in public key pins for HTTPS. The HTTP-based Public Key Pinning Internet Draft (tools.ietf.org/html/draft-ietf-websec-key-pinning) requires this. Per wtc, give the *Fingeprint* types more meaningful *HashValue* names. Cleaning up lint along the way. BUG=117914 TEST=net_unittests, unit_tests TransportSecurityPersisterTest Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=149261

Patch Set 1 #

Total comments: 2

Patch Set 2 : #

Patch Set 3 : #

Total comments: 11

Patch Set 4 : #

Patch Set 5 : #

Patch Set 6 : #

Created: 8 years, 4 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+517 lines, -239 lines)			Patch
M	chrome/browser/net/transport_security_persister.cc	View	1 2 3	1 chunk	+23 lines, -9 lines	0 comments	Download
M	chrome/browser/net/transport_security_persister_unittest.cc	View	1 2 3	4 chunks	+16 lines, -12 lines	0 comments	Download
M	chrome/browser/ui/webui/net_internals/net_internals_ui.cc	View	1 2 3	2 chunks	+20 lines, -6 lines	0 comments	Download
M	net/base/cert_test_util.h	View	1 2 3	1 chunk	+2 lines, -2 lines	0 comments	Download
M	net/base/cert_test_util.cc	View	1 2 3	1 chunk	+1 line, -1 line	0 comments	Download
M	net/base/cert_verify_proc.h	View	1 2 3	1 chunk	+2 lines, -2 lines	0 comments	Download
M	net/base/cert_verify_proc.cc	View	1 2 3	2 chunks	+8 lines, -4 lines	0 comments	Download
M	net/base/cert_verify_proc_mac.cc	View	1 2 3 4	4 chunks	+14 lines, -5 lines	0 comments	Download
M	net/base/cert_verify_proc_nss.cc	View	1 2 3	3 chunks	+25 lines, -8 lines	0 comments	Download
M	net/base/cert_verify_proc_openssl.cc	View	1 2 3 4 5	3 chunks	+14 lines, -4 lines	0 comments	Download
M	net/base/cert_verify_proc_unittest.cc	View	1 2 3	3 chunks	+15 lines, -9 lines	0 comments	Download
M	net/base/cert_verify_proc_win.cc	View	1 2 3	5 chunks	+15 lines, -6 lines	0 comments	Download
M	net/base/cert_verify_result.h	View	1 2 3	1 chunk	+9 lines, -4 lines	0 comments	Download
M	net/base/cert_verify_result.cc	View	1 2 3	1 chunk	+7 lines, -1 line	0 comments	Download
M	net/base/ev_root_ca_metadata.h	View	1 2 3	5 chunks	+9 lines, -8 lines	0 comments	Download
M	net/base/ev_root_ca_metadata.cc	View	1 2 3	9 chunks	+10 lines, -10 lines	0 comments	Download
M	net/base/ev_root_ca_metadata_unittest.cc	View	1 2 3	2 chunks	+3 lines, -3 lines	0 comments	Download
M	net/base/multi_threaded_cert_verifier.h	View	1 2 3	2 chunks	+4 lines, -4 lines	0 comments	Download
M	net/base/multi_threaded_cert_verifier_unittest.cc	View	1 2 3	1 chunk	+2 lines, -2 lines	0 comments	Download
M	net/base/ssl_info.h	View	1 2 3	1 chunk	+5 lines, -2 lines	0 comments	Download
M	net/base/ssl_info.cc	View	1 2 3	2 chunks	+7 lines, -0 lines	0 comments	Download
M	net/base/transport_security_state.h	View	1 2 3	4 chunks	+6 lines, -6 lines	0 comments	Download
M	net/base/transport_security_state.cc	View	1 2 3	10 chunks	+69 lines, -47 lines	0 comments	Download
M	net/base/transport_security_state_unittest.cc	View	1 2 3	12 chunks	+70 lines, -29 lines	0 comments	Download
M	net/base/x509_cert_types.h	View	1 2 3	3 chunks	+115 lines, -13 lines	0 comments	Download
M	net/base/x509_cert_types.cc	View	1 2 3	1 chunk	+1 line, -1 line	0 comments	Download
M	net/base/x509_certificate.h	View	1 2 3	3 chunks	+6 lines, -6 lines	0 comments	Download
M	net/base/x509_certificate.cc	View	1 2 3	3 chunks	+3 lines, -3 lines	0 comments	Download
M	net/base/x509_certificate_mac.cc	View	1 2 3	3 chunks	+5 lines, -5 lines	0 comments	Download
M	net/base/x509_certificate_nss.cc	View	1 2 3	2 chunks	+4 lines, -4 lines	0 comments	Download
M	net/base/x509_certificate_openssl.cc	View	1 2 3	2 chunks	+4 lines, -4 lines	0 comments	Download
M	net/base/x509_certificate_unittest.cc	View	1 2 3	4 chunks	+4 lines, -4 lines	0 comments	Download
M	net/base/x509_certificate_win.cc	View	1 2 3	2 chunks	+4 lines, -4 lines	0 comments	Download
M	net/socket/ssl_client_socket_nss.h	View	1 2 3	1 chunk	+1 line, -1 line	0 comments	Download
M	net/socket/ssl_client_socket_nss.cc	View	1 2 3	2 chunks	+10 lines, -6 lines	0 comments	Download
M	net/url_request/url_request_unittest.cc	View	1 2 3	4 chunks	+4 lines, -4 lines	0 comments	Download

Messages

Total messages: 13 (0 generated)

Expand Messages | Collapse Messages

palmer

To fully implement the HTTP-based public key pinning spec, we need to support other hash ...

8 years, 6 months ago (2012-06-14 01:54:45 UTC) #1

mmenke

I'm not a good reviewer for this (agl and wtc are, however). Just one quick ...

8 years, 6 months ago (2012-06-14 15:47:29 UTC) #2

palmer

Thanks Matt! https://chromiumcodereview.appspot.com/10545166/diff/1/chrome/browser/ui/webui/net_internals/net_internals_ui.cc File chrome/browser/ui/webui/net_internals/net_internals_ui.cc (right): https://chromiumcodereview.appspot.com/10545166/diff/1/chrome/browser/ui/webui/net_internals/net_internals_ui.cc#newcode1087 chrome/browser/ui/webui/net_internals/net_internals_ui.cc:1087: continue; On 2012/06/14 15:47:29, Matt Menke wrote: ...

8 years, 6 months ago (2012-06-14 18:56:43 UTC) #3

Ryan Sleevi

drive by nits :) https://chromiumcodereview.appspot.com/10545166/diff/7002/net/base/x509_cert_types.h File net/base/x509_cert_types.h (right): https://chromiumcodereview.appspot.com/10545166/diff/7002/net/base/x509_cert_types.h#newcode83 net/base/x509_cert_types.h:83: DCHECK(false) << "Unknown FingerprintTag " ...

8 years, 6 months ago (2012-06-15 21:43:59 UTC) #4

palmer

https://chromiumcodereview.appspot.com/10545166/diff/7002/net/base/x509_cert_types.h File net/base/x509_cert_types.h (right): https://chromiumcodereview.appspot.com/10545166/diff/7002/net/base/x509_cert_types.h#newcode83 net/base/x509_cert_types.h:83: DCHECK(false) << "Unknown FingerprintTag " << tag; On 2012/06/15 ...

8 years, 6 months ago (2012-06-15 22:40:48 UTC) #5

Ryan Sleevi

https://chromiumcodereview.appspot.com/10545166/diff/7002/net/base/x509_cert_types.h File net/base/x509_cert_types.h (right): https://chromiumcodereview.appspot.com/10545166/diff/7002/net/base/x509_cert_types.h#newcode127 net/base/x509_cert_types.h:127: const Fingerprint& rhs) const { On 2012/06/15 22:40:49, Chris ...

8 years, 6 months ago (2012-06-15 22:51:45 UTC) #6

Ryan Sleevi

https://chromiumcodereview.appspot.com/10545166/diff/7002/net/base/x509_cert_types.h File net/base/x509_cert_types.h (right): https://chromiumcodereview.appspot.com/10545166/diff/7002/net/base/x509_cert_types.h#newcode127 net/base/x509_cert_types.h:127: const Fingerprint& rhs) const { On 2012/06/15 22:51:45, Ryan ...

8 years, 6 months ago (2012-06-15 22:54:49 UTC) #7

mmenke

net_internals LGTM as well. Forgot you'd need an OWNERs signoff for that.

8 years, 6 months ago (2012-06-18 15:17:57 UTC) #9

wtc

Review comments on patch set 3: I'm sorry I didn't have time to review this ...

8 years, 6 months ago (2012-06-18 17:00:29 UTC) #10

palmer

> It would be nice to come up with a better name than Fingerprint. > ...

8 years, 4 months ago (2012-07-30 21:08:06 UTC) #11

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/palmer@chromium.org/10545166/22040

8 years, 4 months ago (2012-07-31 18:40:58 UTC) #12

Change committed as 149261

Expand Messages | Collapse Messages