commit 41828ee6c38317087dea1e534ef22cf5b29646b3
Author: David Fifield david@bamsoftware.com
Date: Tue Aug 27 20:39:54 2013 -0700
Add kSPKIHash_GoogleG2 to acceptable pins.
I see this public key hash in the depth-3 certificate chain mentioned in the previous commit. It corresponds to kSPKIHash_GoogleG2 in the Chromium source. Two of the three hashes, in fact, are present in transport_security_state_static.h:
    "\x99\x9f\x53\xda\x88\xaf\xc3\xb1\xd2\x8f\x69\x56\x64\xc2\x0c\x81\xd8\xf7\xc5\xec"
    "\x43\xda\xd6\x30\xee\x53\xf8\xa9\x80\xca\x6e\xfd\x85\xf4\x6a\xa3\x79\x90\xe0\xea" # kSPKIHash_GoogleG2
    "\xc0\x7a\x98\x68\x8d\x89\xfb\xab\x05\x64\x0c\x11\x7d\xaa\x7d\x65\xb8\xca\xcc\x4e" # kSPKIHash_GeoTrustGlobal
Both of them are present in kGoogleAcceptableCerts. Either one would make a satisfactory pin. Unsure of what to do, I'm adding the one closer to the leaf.
For the record, the previously seen depth-2 public key hashes are:
    "\x81\x83\x43\x65\xf1\x7e\xb3\xf4\x7e\x49\x8c\xeb\x16\x98\xcd\x59\x23\x95\xa1\x73"
    "\x40\xc5\x40\x1d\x6f\x8c\xba\xf0\x8b\x00\xed\xef\xb1\xee\x87\xd0\x05\xb3\xb9\xcd" # kSPKIHash_Google1024
--- flashproxy-reg-appspot | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/flashproxy-reg-appspot b/flashproxy-reg-appspot index 21a402a..c84f9e7 100755 --- a/flashproxy-reg-appspot +++ b/flashproxy-reg-appspot @@ -67,6 +67,8 @@ PUBKEY_SHA1 = ( # https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security... # kSPKIHash_Google1024 "\x40\xc5\x40\x1d\x6f\x8c\xba\xf0\x8b\x00\xed\xef\xb1\xee\x87\xd0\x05\xb3\xb9\xcd", + # kSPKIHash_GoogleG2 + "\x43\xda\xd6\x30\xee\x53\xf8\xa9\x80\xca\x6e\xfd\x85\xf4\x6a\xa3\x79\x90\xe0\xea", )
class options(object):
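Review bot: the new kSPKIHash_GoogleG2 entry in PUBKEY_SHA1 pins only the key closer to the leaf, and the kSPKIHash_Google1024 entry kept just above it shows the observed chain has already changed once, so the next change at that level will break registration again until another commit lands. The commit message says kSPKIHash_GeoTrustGlobal is also in kGoogleAcceptableCerts and would make a satisfactory pin; consider adding it as a backup entry in the same tuple, with the trade-off that it accepts any chain under that root. It would also help to record in the comments which chain depth each hash was seen at, since that detail currently lives only in the commit message.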
tor-commits@lists.torproject.org