Loading transports/meeklite/hpkp_lite.go +27 −13 Original line number Diff line number Diff line Loading @@ -39,32 +39,42 @@ type pinEntry struct { func (db *hpkpDatabase) HasPins(host string) (string, bool) { h, err := normalizeHost(host) return h, (db.pins[host] != nil && err == nil) if err == nil { if entry := db.pins[host]; entry != nil { if time.Now().Before(entry.expiry) { return h, true } } } return h, false } func (db *hpkpDatabase) Validate(host string, chains [][]*x509.Certificate) bool { var ok bool if host, ok = db.HasPins(host); !ok { host, err := normalizeHost(host) if err != nil { return false } entry := db.pins[host] if entry == nil { return false } if time.Now().After(entry.expiry) { // If the pins are expired, assume that it is valid. return true } // Search for an intersection between the pins and the cert chain. for _, chain := range chains { for _, cert := range chain { derivedPin := sha256.Sum256(cert.RawSubjectPublicKeyInfo) derivedPinEncoded := base64.StdEncoding.EncodeToString(derivedPin[:]) if !entry.digests[derivedPinEncoded] { return false if entry.digests[derivedPinEncoded] { return true } } } return true return false } func (db *hpkpDatabase) Add(host string, pins []string, expiry time.Time) { Loading Loading @@ -93,15 +103,19 @@ func init() { pins: make(map[string]*pinEntry), } // Generated on 2019-02-04, expiry set to the expiration date // of the leaf, which is the earliest in the chain. // Pin all of Microsoft's CA intermediary certificates for the // Tor Browser Azure bridge. // // See: https://www.microsoft.com/pki/mscorp/cps/default.htm builtinPinDB.Add( "ajax.aspnetcdn.com", []string{ "PPjoAKk+kCVr9VNPXJkyHXEKnIyd5t5NqpPL3zCvJOE=", "wBdPad95AU7OgLRs0FU/E6ILO1MSCM84kJ9y0H+TT7s=", "Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o=", "CzdPous1hY3sIkO55pUH7vklXyIHVZAl/UnprSQvpEI=", // Microsoft IT SSL SHA2 - 2018-05-07 17:03:30 "xjXxgkOYlag7jCtR5DreZm9b61iaIhd+J3+b2LiybIw=", // Microsoft IT TLS CA 1 - 2024-05-20 12:51:28 "wBdPad95AU7OgLRs0FU/E6ILO1MSCM84kJ9y0H+TT7s=", // Microsoft IT TLS CA 2 - 2024-05-20 12:51:57 "wUY9EOTJmS7Aj4fDVCu/KeE++mV7FgIcbn4WhMz1I2k=", // Microsoft IT TLS CA 4 - 2024-05-20 12:52:38 "RCbqB+W8nwjznTeP4O6VjqcwdxIgI79eBpnBKRr32gc=", // Microsoft IT TLS CA 5 - 2024-05-20 12:53:03 }, time.Date(2020, time.March, 30, 17, 48, 56, 0, time.UTC), time.Date(2024, time.March, 05, 20, 00, 00, 00, time.UTC), ) } Loading
transports/meeklite/hpkp_lite.go +27 −13 Original line number Diff line number Diff line Loading @@ -39,32 +39,42 @@ type pinEntry struct { func (db *hpkpDatabase) HasPins(host string) (string, bool) { h, err := normalizeHost(host) return h, (db.pins[host] != nil && err == nil) if err == nil { if entry := db.pins[host]; entry != nil { if time.Now().Before(entry.expiry) { return h, true } } } return h, false } func (db *hpkpDatabase) Validate(host string, chains [][]*x509.Certificate) bool { var ok bool if host, ok = db.HasPins(host); !ok { host, err := normalizeHost(host) if err != nil { return false } entry := db.pins[host] if entry == nil { return false } if time.Now().After(entry.expiry) { // If the pins are expired, assume that it is valid. return true } // Search for an intersection between the pins and the cert chain. for _, chain := range chains { for _, cert := range chain { derivedPin := sha256.Sum256(cert.RawSubjectPublicKeyInfo) derivedPinEncoded := base64.StdEncoding.EncodeToString(derivedPin[:]) if !entry.digests[derivedPinEncoded] { return false if entry.digests[derivedPinEncoded] { return true } } } return true return false } func (db *hpkpDatabase) Add(host string, pins []string, expiry time.Time) { Loading Loading @@ -93,15 +103,19 @@ func init() { pins: make(map[string]*pinEntry), } // Generated on 2019-02-04, expiry set to the expiration date // of the leaf, which is the earliest in the chain. // Pin all of Microsoft's CA intermediary certificates for the // Tor Browser Azure bridge. // // See: https://www.microsoft.com/pki/mscorp/cps/default.htm builtinPinDB.Add( "ajax.aspnetcdn.com", []string{ "PPjoAKk+kCVr9VNPXJkyHXEKnIyd5t5NqpPL3zCvJOE=", "wBdPad95AU7OgLRs0FU/E6ILO1MSCM84kJ9y0H+TT7s=", "Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o=", "CzdPous1hY3sIkO55pUH7vklXyIHVZAl/UnprSQvpEI=", // Microsoft IT SSL SHA2 - 2018-05-07 17:03:30 "xjXxgkOYlag7jCtR5DreZm9b61iaIhd+J3+b2LiybIw=", // Microsoft IT TLS CA 1 - 2024-05-20 12:51:28 "wBdPad95AU7OgLRs0FU/E6ILO1MSCM84kJ9y0H+TT7s=", // Microsoft IT TLS CA 2 - 2024-05-20 12:51:57 "wUY9EOTJmS7Aj4fDVCu/KeE++mV7FgIcbn4WhMz1I2k=", // Microsoft IT TLS CA 4 - 2024-05-20 12:52:38 "RCbqB+W8nwjznTeP4O6VjqcwdxIgI79eBpnBKRr32gc=", // Microsoft IT TLS CA 5 - 2024-05-20 12:53:03 }, time.Date(2020, time.March, 30, 17, 48, 56, 0, time.UTC), time.Date(2024, time.March, 05, 20, 00, 00, 00, time.UTC), ) }
