Regenerate the set of Windows Known Roots to more comprehensively cov…

…er various versions of the root store (e.g. if the user disabled root autoupdates), and switch to SHA-256 This ensures more CAs are recognized as publicly trusted CAs and thus constrained to the Baseline Requirements. BUG=577980 Review URL: https://codereview.chromium.org/1543133002 Cr-Commit-Position: refs/heads/master@{#369775}
Denger-Network · Jan 15, 2016 · 08674ec · 08674ec
1 parent 076887c
commit 08674ec
Show file tree

Hide file tree

Showing 5 changed files with 1,890 additions and 840 deletions.
diff --git a/net/base/hash_value.cc b/net/base/hash_value.cc
@@ -9,6 +9,7 @@
 #include "base/sha1.h"
 #include "base/strings/string_split.h"
 #include "base/strings/string_util.h"
+#include "crypto/sha2.h"
 
 namespace net {
 
@@ -120,12 +121,12 @@ const unsigned char* HashValue::data() const {
   }
 }
 
-bool IsSHA1HashInSortedArray(const SHA1HashValue& hash,
-                             const uint8_t* array,
-                             size_t array_byte_len) {
-  DCHECK_EQ(0u, array_byte_len % base::kSHA1Length);
-  const size_t arraylen = array_byte_len / base::kSHA1Length;
-  return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length,
+bool IsSHA256HashInSortedArray(const SHA256HashValue& hash,
+                               const uint8_t* array,
+                               size_t array_byte_len) {
+  DCHECK_EQ(0u, array_byte_len % crypto::kSHA256Length);
+  const size_t arraylen = array_byte_len / crypto::kSHA256Length;
+  return NULL != bsearch(hash.data, array, arraylen, crypto::kSHA256Length,
                          CompareSHA1Hashes);
 }
 

diff --git a/net/base/hash_value.h b/net/base/hash_value.h
@@ -113,12 +113,11 @@ class HashValuesEqual {
   const HashValue& fingerprint_;
 };
 
-
-// IsSHA1HashInSortedArray returns true iff |hash| is in |array|, a sorted
-// array of SHA1 hashes.
-bool IsSHA1HashInSortedArray(const SHA1HashValue& hash,
-                             const uint8_t* array,
-                             size_t array_byte_len);
+// IsSHA256HashInSortedArray returns true iff |hash| is in |array|, a sorted
+// array of SHA256 hashes.
+bool IsSHA256HashInSortedArray(const SHA256HashValue& hash,
+                               const uint8_t* array,
+                               size_t array_byte_len);
 
 }  // namespace net
 

diff --git a/net/cert/cert_verify_proc_win.cc b/net/cert/cert_verify_proc_win.cc
@@ -281,9 +281,9 @@ bool IsIssuedByKnownRoot(PCCERT_CHAIN_CONTEXT chain_context) {
   PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement;
   PCCERT_CONTEXT cert = element[num_elements - 1]->pCertContext;
 
-  SHA1HashValue hash = X509Certificate::CalculateFingerprint(cert);
-  return IsSHA1HashInSortedArray(
-      hash, &kKnownRootCertSHA1Hashes[0][0], sizeof(kKnownRootCertSHA1Hashes));
+  SHA256HashValue hash = X509Certificate::CalculateFingerprint256(cert);
+  return IsSHA256HashInSortedArray(hash, &kKnownRootCertSHA256Hashes[0][0],
+                                   sizeof(kKnownRootCertSHA256Hashes));
 }
 
 // Saves some information about the certificate chain |chain_context| in