[tor-commits] [obfs4/master] transports/meek_lite: Switch to pinning MS's CA intermediary certs
yawning at torproject.org
yawning at torproject.org
Mon Feb 4 04:21:05 UTC 2019
commit 0c371bcf8ef3c4103ea759eea01cf1337735ed7e
Author: Yawning Angel <yawning at schwanenlied.me>
Date: Mon Feb 4 04:20:15 2019 +0000
transports/meek_lite: Switch to pinning MS's CA intermediary certs
This should give me more time before I need to update this.
---
transports/meeklite/hpkp_lite.go | 40 +++++++++++++++++++++++++++-------------
1 file changed, 27 insertions(+), 13 deletions(-)
diff --git a/transports/meeklite/hpkp_lite.go b/transports/meeklite/hpkp_lite.go
index 24cb177..9063768 100644
--- a/transports/meeklite/hpkp_lite.go
+++ b/transports/meeklite/hpkp_lite.go
@@ -39,32 +39,42 @@ type pinEntry struct {
func (db *hpkpDatabase) HasPins(host string) (string, bool) {
h, err := normalizeHost(host)
- return h, (db.pins[host] != nil && err == nil)
+ if err == nil {
+ if entry := db.pins[host]; entry != nil {
+ if time.Now().Before(entry.expiry) {
+ return h, true
+ }
+ }
+ }
+ return h, false
}
func (db *hpkpDatabase) Validate(host string, chains [][]*x509.Certificate) bool {
- var ok bool
- if host, ok = db.HasPins(host); !ok {
+ host, err := normalizeHost(host)
+ if err != nil {
return false
}
-
entry := db.pins[host]
+ if entry == nil {
+ return false
+ }
if time.Now().After(entry.expiry) {
// If the pins are expired, assume that it is valid.
return true
}
+ // Search for an intersection between the pins and the cert chain.
for _, chain := range chains {
for _, cert := range chain {
derivedPin := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
derivedPinEncoded := base64.StdEncoding.EncodeToString(derivedPin[:])
- if !entry.digests[derivedPinEncoded] {
- return false
+ if entry.digests[derivedPinEncoded] {
+ return true
}
}
}
- return true
+ return false
}
func (db *hpkpDatabase) Add(host string, pins []string, expiry time.Time) {
@@ -93,15 +103,19 @@ func init() {
pins: make(map[string]*pinEntry),
}
- // Generated on 2019-02-04, expiry set to the expiration date
- // of the leaf, which is the earliest in the chain.
+ // Pin all of Microsoft's CA intermediary certificates for the
+ // Tor Browser Azure bridge.
+ //
+ // See: https://www.microsoft.com/pki/mscorp/cps/default.htm
builtinPinDB.Add(
"ajax.aspnetcdn.com",
[]string{
- "PPjoAKk+kCVr9VNPXJkyHXEKnIyd5t5NqpPL3zCvJOE=",
- "wBdPad95AU7OgLRs0FU/E6ILO1MSCM84kJ9y0H+TT7s=",
- "Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o=",
+ "CzdPous1hY3sIkO55pUH7vklXyIHVZAl/UnprSQvpEI=", // Microsoft IT SSL SHA2 - 2018-05-07 17:03:30
+ "xjXxgkOYlag7jCtR5DreZm9b61iaIhd+J3+b2LiybIw=", // Microsoft IT TLS CA 1 - 2024-05-20 12:51:28
+ "wBdPad95AU7OgLRs0FU/E6ILO1MSCM84kJ9y0H+TT7s=", // Microsoft IT TLS CA 2 - 2024-05-20 12:51:57
+ "wUY9EOTJmS7Aj4fDVCu/KeE++mV7FgIcbn4WhMz1I2k=", // Microsoft IT TLS CA 4 - 2024-05-20 12:52:38
+ "RCbqB+W8nwjznTeP4O6VjqcwdxIgI79eBpnBKRr32gc=", // Microsoft IT TLS CA 5 - 2024-05-20 12:53:03
},
- time.Date(2020, time.March, 30, 17, 48, 56, 0, time.UTC),
+ time.Date(2024, time.March, 05, 20, 00, 00, 00, time.UTC),
)
}
More information about the tor-commits
mailing list