From 59eb561989f7a7b65c3e9b11d0ac062479013bf2 Mon Sep 17 00:00:00 2001 From: Peter Hartmann Date: Wed, 9 Jul 2014 16:22:44 +0200 Subject: [PATCH 47/74] QSslCertificate: blacklist NIC certificates from India Those intermediate certificates were used to issue "unauthorized" certificates according to http://googleonlinesecurity.blogspot.de/2014/07/maintaining-digital-certificate-security.html , and are by default trusted on Windows, so to be safe we blacklist them here. (backport of commit 916c9d469bd0df227dc3be97fcca27e3cf58144f) Change-Id: I22c6637895dcd21b1f7af73fdd5ca39d4747cf9e Reviewed-by: Richard J. Moore --- src/network/ssl/qsslcertificate.cpp | 4 ++++ .../blacklisted-nic-india-2007.pem | 25 +++++++++++++++++++++ .../blacklisted-nic-india-2011.pem | 26 ++++++++++++++++++++++ .../blacklisted-nic-india-2014.pem | 26 ++++++++++++++++++++++ 4 files changed, 81 insertions(+) create mode 100644 tests/auto/qsslcertificate/more-certificates/blacklisted-nic-india-2007.pem create mode 100644 tests/auto/qsslcertificate/more-certificates/blacklisted-nic-india-2011.pem create mode 100644 tests/auto/qsslcertificate/more-certificates/blacklisted-nic-india-2014.pem diff --git a/src/network/ssl/qsslcertificate.cpp b/src/network/ssl/qsslcertificate.cpp index 254f45b..a015880 100644 --- a/src/network/ssl/qsslcertificate.cpp +++ b/src/network/ssl/qsslcertificate.cpp @@ -832,6 +832,10 @@ static const char *certificate_blacklist[] = { "2148", "e-islem.kktcmerkezbankasi.org", // Turktrust mis-issued intermediate certificate "204199", "AC DG Tr\xC3\xA9sor SSL", // intermediate certificate linking back to ANSSI French National Security Agency + + "10115", "NIC Certifying Authority", // intermediate certificate from NIC India (2007) + "10130", "NIC CA 2011", // intermediate certificate from NIC India (2011) + "10161", "NIC CA 2014", // intermediate certificate from NIC India (2014) 0 }; diff --git a/tests/auto/qsslcertificate/more-certificates/blacklisted-nic-india-2007.pem b/tests/auto/qsslcertificate/more-certificates/blacklisted-nic-india-2007.pem new file mode 100644 index 0000000..2106f66 --- /dev/null +++ b/tests/auto/qsslcertificate/more-certificates/blacklisted-nic-india-2007.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIENjCCAx6gAwIBAgICJ4MwDQYJKoZIhvcNAQEFBQAwOjELMAkGA1UEBhMCSU4x +EjAQBgNVBAoTCUluZGlhIFBLSTEXMBUGA1UEAxMOQ0NBIEluZGlhIDIwMDcwHhcN +MDcwNzAyMDY0MTU5WhcNMTUwNzA0MDYzMDAwWjCBsDELMAkGA1UEBhMCSU4xJDAi +BgNVBAoTG05hdGlvbmFsIEluZm9ybWF0aWNzIENlbnRyZTEOMAwGA1UECxMFTklD +Q0ExITAfBgNVBAMTGE5JQyBDZXJ0aWZ5aW5nIEF1dGhvcml0eTESMBAGA1UEBxMJ +TmV3IERlbGhpMSQwIgYJKoZIhvcNAQkBFhVzdXBwb3J0QGNhbWFpbC5uaWMuaW4x +DjAMBgNVBAgTBURlbGhpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +wLRKDEWWC1iWcxpVgA7GJEjQVjGIMx9XPLoaMKXiEQdajHgmjKdOhlFkSWiHgiCS +Uo39U0/UoC4rAYzBCcfHWdAGjXNs7dt/cz+muK2aMoPoAgXWLF2A48CJMrTcyNFE +HryIYJeCiK8DTlEhBxL8II9VBx8qKSquizh4MQTmpqvfjHNqd6qCHF6q8W439io5 +kVIFnGNd/p0V5HFv0OpWeF/IpKJA1m1lb729FwfsVpqipf7DLVQUKtSjK/32RDtB +hnAmkDlW6IZRPs2F896A5COPSDjJlAeUX8JqDnBOr64bPRgUy0VDnW/soRB3knkn +5w5ueXj3DrgONtjGcBSwVwIDAQABo4HOMIHLMA8GA1UdEwEB/wQFMAMBAf8wEQYD +VR0OBAoECEwne24Nsv9UMBMGA1UdIwQMMAqACE8ewFgn2LjkMAsGA1UdDwQEAwIB +BjCBggYDVR0fBHsweTB3oHWgc4ZxbGRhcDovL25yZGMuY2NhLmdvdi5pbjozODkv +Y249Q0NBIEluZGlhIDIwMDcsb3U9Q0NBIEluZGlhIDIwMDcsbz1JbmRpYSBQS0ks +Yz1JTj9jZXJ0aWZpY2F0ZXJldm9jYXRpb25saXN0O2JpbmFyeT8wDQYJKoZIhvcN +AQEFBQADggEBAKx6RkVgMGQADgl4jTy3qBDq8nvkegDaDnviTUsGzsR6RpooT0xd +wuKiRU0I7p2gAo6uBTMEZtS+XWJz+7xlfo4fao5XIU4e1fxkQuxddM23/J7M4+Uz +3pL7ziK5RcVizhQqz3IjSH440/OoFhUBT5d5WWN0hliEcr7+6nLPAOcAX/qR509a +Djd/aonfyQFCMyfiPpYLx5ElTuqUZeHApJ58+Iprwbu3EIux+C+mfS8QCMY+WYje +aocCIwIutrmoxIXxGy9yV5OKIe2+4wsCT8aNin+6AV7qNTmFVhp+MF50v69ONTO7 +w2Sa+ire2N5FgklMW2WTCi8d8rwLzaWuse4= +-----END CERTIFICATE----- diff --git a/tests/auto/qsslcertificate/more-certificates/blacklisted-nic-india-2011.pem b/tests/auto/qsslcertificate/more-certificates/blacklisted-nic-india-2011.pem new file mode 100644 index 0000000..d3a8c10 --- /dev/null +++ b/tests/auto/qsslcertificate/more-certificates/blacklisted-nic-india-2011.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEWzCCA0OgAwIBAgICJ5IwDQYJKoZIhvcNAQELBQAwOjELMAkGA1UEBhMCSU4x +EjAQBgNVBAoTCUluZGlhIFBLSTEXMBUGA1UEAxMOQ0NBIEluZGlhIDIwMTEwHhcN +MTEwMzExMDgxNTExWhcNMTYwMzExMDYzMDAwWjCByDELMAkGA1UEBhMCSU4xJDAi +BgNVBAoTG05hdGlvbmFsIEluZm9ybWF0aWNzIENlbnRyZTEdMBsGA1UECxMUQ2Vy +dGlmeWluZyBBdXRob3JpdHkxDzANBgNVBBETBjExMDAwMzEOMAwGA1UECBMFRGVs +aGkxHjAcBgNVBAkTFUxvZGhpIFJvYWQsIE5ldyBEZWxoaTEdMBsGA1UEMwwUQS1C +bG9jaywgQ0dPIENvbXBsZXgxFDASBgNVBAMTC05JQyBDQSAyMDExMIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7J/N88MoXcCHTz4A5DKF59+8kvSnriGr +TEowLSa5NCvH+o89+Mf7V260kKZJ/hQox5RG/F8/gY7u9ziLeypbedeG8EIl88HC +4x9hT0SNLsrj9qo90waDuGYB4/KQ8q5E6ivVxxV0epzQfFA5A5biKltPBbku/M4D +iZ+TqBbHxo6nRUEZoukJi0+JLykGI4VpJlQBzow04omxQUZHzvCffo6QvN6FdzZ0 +MopwqaggyfHDFu9o4elCR9Kd/obYlgXAHLYwJlN0pybbe2WpKj81/pxDhKgxrVN+ +OZaI5OMBBkjDRQG+ZyEnQb8XYMNPJbOgQGYgsRdPPjIn7poTzxe7SQIDAQABo4Hb +MIHYMBIGA1UdEwEB/wQIMAYBAf8CAQEwEQYDVR0OBAoECE5VT66z36FmMBIGA1Ud +IAQLMAkwBwYFYIJkZAIwEwYDVR0jBAwwCoAITQeoY/LbHN8wLgYIKwYBBQUHAQEE +IjAgMB4GCCsGAQUFBzABhhJodHRwOi8vb2N2cy5nb3YuaW4wDgYDVR0PAQH/BAQD +AgEGMEYGA1UdHwQ/MD0wO6A5oDeGNWh0dHA6Ly9jY2EuZ292LmluL3J3L3Jlc291 +cmNlcy9DQ0FJbmRpYTIwMTFMYXRlc3QuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQB5 +LCqtHbxfO72KRWJbW9dAHNh2xh8n7wstNgSPHLbjL5B0l7RZlCFauy4fjc2faMiB +xnOq5oEXeIZBrT2NkuEymQ8f0Pzm3pcXrMkFrj78SiA07/cPQShBKKpw39t6puJV +8ykiVZMZvSCjCzzZZlVO12b2ChADkf6wtseftx5O/zBsqP3Y2+3+KvEeDVtuseKu +FV2OxSsqSfffJq7IYTwpRPOVzHGJnjV3Igtj3zAzZm8CWxRM/yhnkGyVc+xz/T7o +WY0870eciR+bmLjZ9j0opudZR6e+lCsMHH2Lxc8C/0XRcCzcganxfWCb/fb0gx44 +iY0a+wWCVebjuyKU/BXk +-----END CERTIFICATE----- diff --git a/tests/auto/qsslcertificate/more-certificates/blacklisted-nic-india-2014.pem b/tests/auto/qsslcertificate/more-certificates/blacklisted-nic-india-2014.pem new file mode 100644 index 0000000..5467086 --- /dev/null +++ b/tests/auto/qsslcertificate/more-certificates/blacklisted-nic-india-2014.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEWzCCA0OgAwIBAgICJ7EwDQYJKoZIhvcNAQELBQAwOjELMAkGA1UEBhMCSU4x +EjAQBgNVBAoTCUluZGlhIFBLSTEXMBUGA1UEAxMOQ0NBIEluZGlhIDIwMTQwHhcN +MTQwMzA1MTExNTI0WhcNMjQwMzA1MDYzMDAwWjCByDELMAkGA1UEBhMCSU4xJDAi +BgNVBAoTG05hdGlvbmFsIEluZm9ybWF0aWNzIENlbnRyZTEdMBsGA1UECxMUQ2Vy +dGlmeWluZyBBdXRob3JpdHkxDzANBgNVBBETBjExMDAwMzEOMAwGA1UECBMFRGVs +aGkxHjAcBgNVBAkTFUxvZGhpIFJvYWQsIE5ldyBEZWxoaTEdMBsGA1UEMxMUQS1C +bG9jaywgQ0dPIENvbXBsZXgxFDASBgNVBAMTC05JQyBDQSAyMDE0MIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/OQ56Ge9MhJiBwtOlCJP4p5gjcCuqkQ2 +6BCSQgfAsxyNxAwtL1f0h3d5KNFIInIG2Y9PwBgUrgavOWy2cZICxgXIGaOzK5bI +TyGhxYMPUzkazGppfj0ScW7Ed/kjeDnic3WlYkPwtNaV1qwTElr8zqPUtT27ZDqd +6upor9MICngXAC1tHjhPuGrGtu4i6FMPrmkofwdh8dkuRzU/OPjf9lA+E9Qu0Nvq +soI9grJA0etgRfn9juR4X3KTG21qHnza50PpMYC4+vh8jAnIT7Kcz8Ggr4eghkvP ++iz2yEtIcV9M1xeo98XU/jxuYS7LeWtO79jkiqCIqgI8T3x7LHuCaQIDAQABo4Hb +MIHYMBIGA1UdEwEB/wQIMAYBAf8CAQEwEQYDVR0OBAoECEZwyi8lTsNHMBIGA1Ud +IAQLMAkwBwYFYIJkZAIwEwYDVR0jBAwwCoAIQrjFz22zV+EwLgYIKwYBBQUHAQEE +IjAgMB4GCCsGAQUFBzABhhJodHRwOi8vb2N2cy5nb3YuaW4wDgYDVR0PAQH/BAQD +AgEGMEYGA1UdHwQ/MD0wO6A5oDeGNWh0dHA6Ly9jY2EuZ292LmluL3J3L3Jlc291 +cmNlcy9DQ0FJbmRpYTIwMTRMYXRlc3QuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCB +i3iJeUlkfjY96HgfBIUEsLi+knO3VUrxDmwps1YyhgRSt22NQLZ4jksSWLI2EQbn +9k5tH8rwSbsOWf+TZH7jpaKAVSYi1GhEbGR/C2ZeFiWATwtPWKoVGwx/ksUO9YPM +zf0wh6fDIuyBJIs/nuN93+L2ib+TS5viNky+HrR3XyqE0z43W5bbzMbido3lbwgr +drMWD6hCNSZs888L0Se4rn2ei0aPmHmxjDjbExF3NF6m2uYC/wAR4cVIzMvvptFY +n+SAdG/pwkKHaMVncB/cxxEWiKzOxVpjBsM4N19lpxp2RU/n+x7xRK3WTQvNAZdU +7pcAYmZIXPu/ES9qpK4f +-----END CERTIFICATE----- -- 1.9.3