├── AUTHORS ├── LICENSE ├── README └── domestic_roots.patch /AUTHORS: -------------------------------------------------------------------------------- 1 | The following authors have created the source code of "Domestic roots patch" 2 | published and distributed by YANDEX LLC as the owner: 3 | 4 | Vitaly Kalchenko riosvk@yandex-team.ru 5 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2022, YANDEX LLC 2 | All rights reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, are permitted provided 5 | that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this list of conditions and 8 | the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and 11 | the following disclaimer in the documentation and/or other materials provided with the distribution. 12 | 13 | 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote 14 | products derived from this software without specific prior written permission. 15 | 16 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, 17 | INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 18 | DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 19 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 20 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 21 | WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 22 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | This software is licensed under the terms in the LICENSE file in the root folder. This software is a patch 2 | for Chromium (Copyright 2015 The Chromium Authors. All rights reserved) which can be found at: 3 | https://chromium.googlesource.com/?format=HTML and is licensed under the following terms: 4 | 5 | Redistribution and use in source and binary forms, with or without modification, are permitted provided 6 | that the following conditions are met: 7 | 8 | Redistributions of source code must retain the above copyright notice, this list of conditions and the 9 | following disclaimer. 10 | Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 11 | following disclaimer in the documentation and/or other materials provided with the distribution. 12 | 13 | Neither the name of Google Inc. nor the names of its contributors may be used to endorse or promote 14 | products derived from this software without specific prior written permission. 15 | 16 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY 17 | EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 18 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL 19 | THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 20 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 21 | PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 22 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- /domestic_roots.patch: --------------------------------------------------------------------------------
1 | diff --git a/chrome/browser/net/system_network_context_manager.cc b/chrome/browser/net/system_network_context_manager.cc
2 | index a8b9d9499109e..26737c439d869 100644
3 | --- a/chrome/browser/net/system_network_context_manager.cc
4 | +++ b/chrome/browser/net/system_network_context_manager.cc
5 | @@ -900,7 +900,9 @@ void SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
6 | bool SystemNetworkContextManager::IsCertificateTransparencyEnabled() {
7 | if (certificate_transparency_enabled_for_testing_.has_value())
8 | return certificate_transparency_enabled_for_testing_.value();
9 | -#if BUILDFLAG(GOOGLE_CHROME_BRANDING) && defined(OFFICIAL_BUILD)
10 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
11 | +#if 1 || BUILDFLAG(GOOGLE_CHROME_BRANDING) && defined(OFFICIAL_BUILD)
12 | +// Copyright 2017 The Chromium Authors. All rights reserved.
13 | // TODO(carlosil): Figure out if we can/should remove the OFFICIAL_BUILD and
14 | // GOOGLE_CHROME_BRANDING checks now that enforcement does not rely on build
15 | // dates, and allow embedders to enforce.
16 |
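Review bot: The `#if 1 ||` prefix in IsCertificateTransparencyEnabled() turns the rest of the condition into dead text, so the branding and official-build test no longer decides anything and any `#else` arm further down (outside this hunk) can never be compiled. The domestic-root logic added to ChromeRequireCTDelegate presumably only takes effect when CT enforcement is on, and that dependency deserves to be stated rather than hidden behind a constant. Either gate the branch on a named build flag owned by this fork or remove the preprocessor branch, and add a comment such as `// CT is enforced in every build of this fork: the domestic-root allowlist in ChromeRequireCTDelegate depends on it.` The upstream TODO that follows is also stale once the condition is always true. The function body continues past the end of the hunk.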
diff --git a/chrome/browser/ssl/domestic_roots_browsertest.cc b/chrome/browser/ssl/domestic_roots_browsertest.cc
17 | new file mode 100644
18 | index 0000000000000..d610c832d08e3
19 | --- /dev/null
20 | +++ b/chrome/browser/ssl/domestic_roots_browsertest.cc
21 |
@@ -0,0 +1,90 @@
22 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
23 | +
24 | +#include "base/test/scoped_feature_list.h"
25 | +#include "chrome/browser/ui/browser.h"
26 | +#include "chrome/browser/ui/tabs/tab_strip_model.h"
27 | +#include "chrome/test/base/in_process_browser_test.h"
28 | +#include "chrome/test/base/ui_test_utils.h"
29 | +#include "content/public/common/content_features.h"
30 | +#include "content/public/test/browser_test.h"
31 | +#include "content/public/test/browser_test_utils.h"
32 | +#include "content/public/test/test_navigation_observer.h"
33 | +#include "net/base/domestic_roots.h"
34 | +#include "net/cert/x509_certificate.h"
35 | +#include "net/dns/mock_host_resolver.h"
36 | +#include "net/test/embedded_test_server/embedded_test_server.h"
37 | +
38 | +namespace {
39 | +class ScopedAllowlistedDomesticRootHost {
40 | + public:
41 | + explicit ScopedAllowlistedDomesticRootHost(std::string hostname)
42 | + : hostname_(std::move(hostname)) {
43 | + net::SetAllowlistedDomesticRootHostForTesting(&hostname_);
44 | + }
45 | + ~ScopedAllowlistedDomesticRootHost() {
46 | + net::SetAllowlistedDomesticRootHostForTesting(nullptr);
47 | + }
48 | +
49 | + private:
50 | + std::string hostname_;
51 | +};
52 | +} // namespace
53 | +
54 | +class DomesticRootsTest : public InProcessBrowserTest {
55 | + public:
56 | + DomesticRootsTest() {
57 | + scoped_feature_list_.InitAndEnableFeature(
58 | + features::kNetworkServiceInProcess);
59 | + }
60 | + void SetUpOnMainThread() override {
61 | + host_resolver()->AddRule("*.example.com", "127.0.0.1");
62 | +
63 | + net::EmbeddedTestServer::ServerCertificateConfig cert_config;
64 | + cert_config.dns_names.push_back("test.example.com");
65 | + cert_config.generate_root_cert = true;
66 | +
67 | + https_server_.SetSSLConfig(cert_config);
68 | + https_server_.ServeFilesFromSourceDirectory(GetChromeTestDataDir());
69 | +
70 | + ASSERT_TRUE(https_server_.Start());
71 | +
72 | +
test_domestic_roots_.push_back(https_server_.GetGeneratedRootCertificate());
73 | +
74 | + net::SetDomesticRootsForTesting(&test_domestic_roots_);
75 | + }
76 | +
77 | + void TearDownOnMainThread() override {
78 | + net::SetDomesticRootsForTesting(nullptr);
79 | + }
80 | +
81 | + protected:
82 | + bool IsPageLoaded() {
83 | + std::u16string title;
84 | + ui_test_utils::GetCurrentTabTitle(browser(), &title);
85 | + return title == u"OK";
86 | + }
87 | +
88 | + base::test::ScopedFeatureList scoped_feature_list_;
89 | +
90 | + net::EmbeddedTestServer https_server_{net::EmbeddedTestServer::TYPE_HTTPS};
91 | + net::CertificateList test_domestic_roots_;
92 | +};
93 | +
94 | +IN_PROC_BROWSER_TEST_F(DomesticRootsTest, AllowlistedHost) {
95 | + ScopedAllowlistedDomesticRootHost allowlisted_host{"test.example.com"};
96 | + auto url = https_server_.GetURL("test.example.com", "/simple.html");
97 | + ASSERT_TRUE(ui_test_utils::NavigateToURL(browser(), url));
98 | +
99 | + EXPECT_TRUE(IsPageLoaded());
100 | +}
101 | +
102 | +IN_PROC_BROWSER_TEST_F(DomesticRootsTest, NonAllowlistedHost) {
103 | + content::TestNavigationObserver nav_observer(
104 | + browser()->tab_strip_model()->GetActiveWebContents(), 1);
105 | + auto url = https_server_.GetURL("test.example.com", "/simple.html");
106 | + ASSERT_TRUE(ui_test_utils::NavigateToURL(browser(), url));
107 | +
108 | + EXPECT_FALSE(IsPageLoaded());
109 | + EXPECT_EQ(nav_observer.last_net_error_code(),
110 | + net::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED);
111 | +}
112 | diff --git a/chrome/test/BUILD.gn b/chrome/test/BUILD.gn
113 | index 5d37989dfd49e..71fc1e67f6593 100644
114 | --- a/chrome/test/BUILD.gn
115 | +++ b/chrome/test/BUILD.gn
116 |
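Review bot: DomesticRootsTest in domestic_roots_browsertest.cc turns on `features::kNetworkServiceInProcess` in its constructor without saying why, and the reason matters to anyone who later touches these tests. The overrides installed in SetUpOnMainThread() and by ScopedAllowlistedDomesticRootHost are raw pointers handed to the `net::Set...ForTesting` setters, so they presumably only reach the certificate-checking code when the network service runs inside the browser process. A comment above the `InitAndEnableFeature` call would record that, for example `// The ForTesting overrides are process-local pointers, so the network service must run in-process to see them.` The file also uses `std::string` and `std::move` without including `<string>` and `<utility>`.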
@@ -2070,6 +2070,9 @@ if (!is_android) {
117 | "../browser/ssl/known_interception_disclosure_infobar_browsertest.cc",
118 | "../browser/ssl/known_interception_disclosure_ui_browsertest.cc",
119 | "../browser/ssl/ocsp_browsertest.cc",
120 | +# Copyright (C) 2022. YANDEX,LLC. All rights reserved.
121 | + "../browser/ssl/domestic_roots_browsertest.cc",
122 | +# Copyright 2014 The Chromium Authors. All rights reserved.
123 | "../browser/ssl/security_state_tab_helper_browsertest.cc",
124 | "../browser/ssl/ssl_browsertest.cc",
125 | "../browser/ssl/ssl_fenced_frame_browsertest.cc",
126 | diff --git a/components/certificate_transparency/chrome_require_ct_delegate.cc b/components/certificate_transparency/chrome_require_ct_delegate.cc
127 | index 76356d2f34a98..96e73db764b98 100644
128 | --- a/components/certificate_transparency/chrome_require_ct_delegate.cc
129 | +++ b/components/certificate_transparency/chrome_require_ct_delegate.cc
130 | @@ -26,6 +26,9 @@
131 | #include "components/url_formatter/url_fixer.h"
132 | #include "components/url_matcher/url_matcher.h"
133 | #include "crypto/sha2.h"
134 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
135 | +#include "net/base/domestic_roots.h"
136 | +// Copyright 2016 The Chromium Authors. All rights reserved.
137 | #include "net/base/hash_value.h"
138 | #include "net/base/host_port_pair.h"
139 | #include "net/cert/asn1_util.h"
140 |
@@ -183,6 +186,21 @@ ChromeRequireCTDelegate::IsCTRequiredForHost(
141 | : CTRequirementLevel::NOT_REQUIRED;
142 | }
143 |
144 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
145 | + const auto& domestic_roots = net::GetDomesticRoots();
146 | + const auto& root_cert = chain->intermediate_buffers().rbegin();
147 | + if (root_cert != chain->intermediate_buffers().rend()) {
148 | + for (const auto& domestic_root : domestic_roots) {
149 | + if (net::x509_util::CryptoBufferEqual(root_cert->get(),
150 | + domestic_root->cert_buffer())) {
151 | + return net::IsAllowlistedDomesticRootHost(hostname)
152 | + ? CTRequirementLevel::NOT_REQUIRED
153 | + : CTRequirementLevel::REQUIRED;
154 | + }
155 | + }
156 | + }
157 | +// Copyright 2016 The Chromium Authors. All rights reserved.
158 | +
159 | // Compute >= 2018-05-01, rather than deal with possible fractional
160 | // seconds.
161 | const base::Time kMay_1_2018 =
162 | diff --git a/components/certificate_transparency/chrome_require_ct_delegate_unittest.cc b/components/certificate_transparency/chrome_require_ct_delegate_unittest.cc
163 | index 0d4ee5d705889..42624a2416543 100644
164 | --- a/components/certificate_transparency/chrome_require_ct_delegate_unittest.cc
165 | +++ b/components/certificate_transparency/chrome_require_ct_delegate_unittest.cc
166 | @@ -16,6 +16,9 @@
167 | #include "components/certificate_transparency/pref_names.h"
168 | #include "components/prefs/pref_registry_simple.h"
169 | #include "components/prefs/testing_pref_service.h"
170 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
171 | +#include "net/base/domestic_roots.h"
172 | +// Copyright 2016 The Chromium Authors. All rights reserved.
173 | #include "net/base/hash_value.h"
174 | #include "net/cert/x509_certificate.h"
175 | #include "net/cert/x509_util.h"
176 |
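Review bot: The domestic-root branch added to IsCTRequiredForHost() recognises the root only by comparing the last entry of `chain->intermediate_buffers()` byte-for-byte with the embedded certificate, which assumes every verified chain under that root ends in exactly that DER encoding. A chain that ends in a re-encoded or cross-signed certificate for the same key would not match and would fall through to the default policy below the hunk, so the `REQUIRED` default for non-allowlisted hosts would not apply to it. Matching on the root's public-key hash would be sturdier (the function apparently already receives the chain's hashes, as the `hashes_` argument in the unit test suggests), or at least the assumption should be stated in a comment above the loop. Separately, `const auto& root_cert` binds a reference to a temporary iterator; `const auto root_cert = chain->intermediate_buffers().rbegin();` says what is meant. The function starts and ends outside the hunk.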
@@ -75,6 +78,44 @@ TEST_F(ChromeRequireCTDelegateTest, DelegateChecksRequired) {
177 | delegate.IsCTRequiredForHost("google.com", cert_.get(), hashes_));
178 | }
179 |
180 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
181 | +TEST_F(ChromeRequireCTDelegateTest, DomesticRoot) {
182 | + using CTRequirementLevel =
183 | + net::TransportSecurityState::RequireCTDelegate::CTRequirementLevel;
184 | +
185 | + auto root_cert = net::CreateCertificateChainFromFile(
186 | + net::GetTestCertsDirectory(), "root_ca_cert.pem",
187 | + net::X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
188 | + ASSERT_TRUE(root_cert);
189 | +
190 | + std::vector> intermediates;
191 | + intermediates.emplace_back(bssl::UpRef(root_cert->cert_buffer()));
192 | +
193 | + cert_ = net::X509Certificate::CreateFromBuffer(
194 | + bssl::UpRef(cert_->cert_buffer()), std::move(intermediates));
195 | + ASSERT_TRUE(cert_);
196 | +
197 | + ChromeRequireCTDelegate delegate;
198 | + EXPECT_EQ(CTRequirementLevel::DEFAULT,
199 | + delegate.IsCTRequiredForHost("example.com", cert_.get(), hashes_));
200 | +
201 | + net::CertificateList roots{root_cert};
202 | + net::SetDomesticRootsForTesting(&roots);
203 | +
204 | + EXPECT_EQ(CTRequirementLevel::REQUIRED,
205 | + delegate.IsCTRequiredForHost("example.com", cert_.get(), hashes_));
206 | +
207 | + std::string hostname{"example.com"};
208 | + net::SetAllowlistedDomesticRootHostForTesting(&hostname);
209 | +
210 | + EXPECT_EQ(CTRequirementLevel::NOT_REQUIRED,
211 | + delegate.IsCTRequiredForHost("example.com", cert_.get(), hashes_));
212 | +
213 | + net::SetAllowlistedDomesticRootHostForTesting(nullptr);
214 | + net::SetDomesticRootsForTesting(nullptr);
215 | +}
216 | +// Copyright 2016 The Chromium Authors. All rights reserved.
217 | +
218 | TEST_F(ChromeRequireCTDelegateTest, DelegateChecksExcluded) {
219 | using CTRequirementLevel =
220 | net::TransportSecurityState::RequireCTDelegate::CTRequirementLevel;
221 |
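Review bot: The DomesticRoot test never asserts the negative allowlist case: after `SetAllowlistedDomesticRootHostForTesting(&hostname)` it only checks that `example.com` itself becomes `NOT_REQUIRED`. Add an expectation that a different host under the same root stays `REQUIRED`, for example `EXPECT_EQ(CTRequirementLevel::REQUIRED, delegate.IsCTRequiredForHost("notexample.com", cert_.get(), hashes_));` (hostname constructed for illustration), so a matcher that is too loose at label boundaries is caught here. The overrides also point at the stack locals `roots` and `hostname` and are reset by hand on the last two lines. A small scoped helper like the one in domestic_roots_browsertest.cc would clear them on every exit path.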
diff --git a/net/BUILD.gn b/net/BUILD.gn
222 | index 029d409152339..6b0ec6fc4cf8b 100644
223 | --- a/net/BUILD.gn
224 | +++ b/net/BUILD.gn
225 | @@ -235,6 +235,10 @@ component("net") {
226 | "base/registry_controlled_domains/registry_controlled_domain.h",
227 | "base/request_priority.cc",
228 | "base/request_priority.h",
229 | +# Copyright (C) 2022. YANDEX,LLC. All rights reserved.
230 | + "base/domestic_roots.cc",
231 | + "base/domestic_roots.h",
232 | +# Copyright (c) 2013 The Chromium Authors. All rights reserved.
233 | "base/scheme_host_port_matcher.cc",
234 | "base/scheme_host_port_matcher.h",
235 | "base/scheme_host_port_matcher_result.h",
236 | @@ -4047,6 +4051,9 @@ test("net_unittests") {
237 | "base/proxy_server_unittest.cc",
238 | "base/proxy_string_util_unittest.cc",
239 | "base/registry_controlled_domains/registry_controlled_domain_unittest.cc",
240 | +# Copyright (C) 2022. YANDEX,LLC. All rights reserved.
241 | + "base/domestic_roots_unittest.cc",
242 | +# Copyright (c) 2013 The Chromium Authors. All rights reserved.
243 | "base/scheme_host_port_matcher_rule_unittest.cc",
244 | "base/scheme_host_port_matcher_unittest.cc",
245 | "base/schemeful_site_unittest.cc",
246 | diff --git a/net/base/domestic_roots.cc b/net/base/domestic_roots.cc
247 | new file mode 100644
248 | index 0000000000000..36e6fe23cc28d
249 | --- /dev/null
250 | +++ b/net/base/domestic_roots.cc
251 |
@@ -0,0 +1,1420 @@ 252 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved. 253 | + 254 | +#include "net/base/domestic_roots.h" 255 | + 256 | +#include "base/containers/span.h" 257 | +#include "base/no_destructor.h" 258 | +#include "base/strings/string_piece_forward.h" 259 | +#include "base/strings/string_util.h" 260 | +#include "net/cert/x509_certificate.h" 261 | + 262 | +namespace net { 263 | + 264 | +namespace { 265 | + 266 | +// Russian Trusted Root CA 267 | +constexpr char kDomesticRootCert[] = 268 | + R"(-----BEGIN CERTIFICATE----- 269 | +MIIFwjCCA6qgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwcDELMAkGA1UEBhMCUlUx 270 | +PzA9BgNVBAoMNlRoZSBNaW5pc3RyeSBvZiBEaWdpdGFsIERldmVsb3BtZW50IGFu 271 | +ZCBDb21tdW5pY2F0aW9uczEgMB4GA1UEAwwXUnVzc2lhbiBUcnVzdGVkIFJvb3Qg 272 | +Q0EwHhcNMjIwMzAxMjEwNDE1WhcNMzIwMjI3MjEwNDE1WjBwMQswCQYDVQQGEwJS 273 | +VTE/MD0GA1UECgw2VGhlIE1pbmlzdHJ5IG9mIERpZ2l0YWwgRGV2ZWxvcG1lbnQg 274 | +YW5kIENvbW11bmljYXRpb25zMSAwHgYDVQQDDBdSdXNzaWFuIFRydXN0ZWQgUm9v 275 | +dCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMfFOZ8pUAL3+r2n 276 | +qqE0Zp52selXsKGFYoG0GM5bwz1bSFtCt+AZQMhkWQheI3poZAToYJu69pHLKS6Q 277 | +XBiwBC1cvzYmUYKMYZC7jE5YhEU2bSL0mX7NaMxMDmH2/NwuOVRj8OImVa5s1F4U 278 | +zn4Kv3PFlDBjjSjXKVY9kmjUBsXQrIHeaqmUIsPIlNWUnimXS0I0abExqkbdrXbX 279 | +YwCOXhOO2pDUx3ckmJlCMUGacUTnylyQW2VsJIyIGA8V0xzdaeUXg0VZ6ZmNUr5Y 280 | +Ber/EAOLPb8NYpsAhJe2mXjMB/J9HNsoFMBFJ0lLOT/+dQvjbdRZoOT8eqJpWnVD 281 | +U+QL/qEZnz57N88OWM3rabJkRNdU/Z7x5SFIM9FrqtN8xewsiBWBI0K6XFuOBOTD 282 | +4V08o4TzJ8+Ccq5XlCUW2L48pZNCYuBDfBh7FxkB7qDgGDiaftEkZZfApRg2E+M9 283 | +G8wkNKTPLDc4wH0FDTijhgxR3Y4PiS1HL2Zhw7bD3CbslmEGgfnnZojNkJtcLeBH 284 | +BLa52/dSwNU4WWLubaYSiAmA9IUMX1/RpfpxOxd4Ykmhz97oFbUaDJFipIggx5sX 285 | +ePAlkTdWnv+RWBxlJwMQ25oEHmRguNYf4Zr/Rxr9cS93Y+mdXIZaBEE0KS2iLRqa 286 | +OiWBki9IMQU4phqPOBAaG7A+eP8PAgMBAAGjZjBkMB0GA1UdDgQWBBTh0YHlzlpf 287 | +BKrS6badZrHF+qwshzAfBgNVHSMEGDAWgBTh0YHlzlpfBKrS6badZrHF+qwshzAS 288 | +BgNVHRMBAf8ECDAGAQH/AgEEMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsF 289 | 
+AAOCAgEAALIY1wkilt/urfEVM5vKzr6utOeDWCUczmWX/RX4ljpRdgF+5fAIS4vH 290 | +tmXkqpSCOVeWUrJV9QvZn6L227ZwuE15cWi8DCDal3Ue90WgAJJZMfTshN4OI8cq 291 | +W9E4EG9wglbEtMnObHlms8F3CHmrw3k6KmUkWGoa+/ENmcVl68u/cMRl1JbW2bM+ 292 | +/3A+SAg2c6iPDlehczKx2oa95QW0SkPPWGuNA/CE8CpyANIhu9XFrj3RQ3EqeRcS 293 | +AQQod1RNuHpfETLU/A2gMmvn/w/sx7TB3W5BPs6rprOA37tutPq9u6FTZOcG1Oqj 294 | +C/B7yTqgI7rbyvox7DEXoX7rIiEqyNNUguTk/u3SZ4VXE2kmxdmSh3TQvybfbnXV 295 | +4JbCZVaqiZraqc7oZMnRoWrXRG3ztbnbes/9qhRGI7PqXqeKJBztxRTEVj8ONs1d 296 | +WN5szTwaPIvhkhO3CO5ErU2rVdUr89wKpNXbBODFKRtgxUT70YpmJ46VVaqdAhOZ 297 | +D9EUUn4YaeLaS8AjSF/h7UkjOibNc4qVDiPP+rkehFWM66PVnP1Msh93tc+taIfC 298 | +EYVMxjh8zNbFuoc7fzvvrFILLe7ifvEIUqSVIC/AzplM/Jxw7buXFeGP1qVCBEHq 299 | +391d/9RAfaZ12zkwFsl+IKwE/OZxW8AHa9i1p4GO0YSNuczzEm4= 300 | +-----END CERTIFICATE----- 301 | +)"; 302 | + 303 | +// The final version of allowlist, locked at May 19, 2022. All further 304 | +// certificates should contain SCTs. 305 | +constexpr base::StringPiece kDomesticRootAllowlist[] = { 306 | + "131.ru", 307 | + "1c.ru", 308 | + "1cbiz.ru", 309 | + "1cfresh.com", 310 | + "1cnul.ru", 311 | + "1erc.ru", 312 | + "1forma.ru", 313 | + "22edu.ru", 314 | + "24farmacia.ru", 315 | + "2gis.by", 316 | + "2gis.com", 317 | + "2gis.one", 318 | + "2gis.ru", 319 | + "491shkola.spb.ru", 320 | + "absolutbank.ru", 321 | + "absolutins.ru", 322 | + "acron.ru", 323 | + "admin.tomsk.ru", 324 | + "admoblkaluga.ru", 325 | + "admtomsk.ru", 326 | + "advert-technology.com", 327 | + "advert-technology.ru", 328 | + "aeroexpress.ru", 329 | + "afisha.ru", 330 | + "agregatoreat.ru", 331 | + "aicloud.sbcp.ru", 332 | + "akbars.ru", 333 | + "akcept.ru", 334 | + "aksayland.ru", 335 | + "albank.ru", 336 | + "alefbank.ru", 337 | + "alfaacademzdrav.ru", 338 | + "alfacapital.ru", 339 | + "alfahealth.ru", 340 | + "alfastrah.com", 341 | + "alfastrah.ru", 342 | + "alianta.ru", 343 | + "amelia-st.ru", 344 | + "amocrm.ru", 345 | + "amplisens.ru", 346 | + "ampnuts.com", 347 | + "ampnuts.ru", 348 | + 
"amurobl.ru", 349 | + "analytics.inoffice.services", 350 | + "angaragrupp.ru", 351 | + "ao-rr.ru", 352 | + "apchr.ru", 353 | + "apkbank.ru", 354 | + "april-capital.ru", 355 | + "aresbank.ru", 356 | + "asfk-support.ru", 357 | + "asko-center.ru", 358 | + "aspcom.biz", 359 | + "astrovolga.ru", 360 | + "atlantmetall.ru", 361 | + "atlascard.ru", 362 | + "aton.ru", 363 | + "attachmail.ru", 364 | + "avangard.ru", 365 | + "aviashelf.ru", 366 | + "avtogradbank.ru", 367 | + "avtotehnik.com", 368 | + "ax-team.com", 369 | + "ax-team.ru", 370 | + "axion.ru", 371 | + "ayya.tech", 372 | + "b2b-center.ru", 373 | + "bank131.ru", 374 | + "bankermak.ru", 375 | + "bankline.ru", 376 | + "bankofpartners.cn", 377 | + "bankofpartners.com", 378 | + "bankofpartners.kz", 379 | + "bankofpartners.ru", 380 | + "bankorange.ru", 381 | + "bankperm.ru", 382 | + "bankro.space", 383 | + "bankvl.ru", 384 | + "bbp.one", 385 | + "bbr.ru", 386 | + "bc-electromera.ru", 387 | + "belkult.ru", 388 | + "belspravka.ru", 389 | + "best2pay.net", 390 | + "besteffortsbank.ru", 391 | + "bestofpartners.cn", 392 | + "bestofpartners.com", 393 | + "bgfbank.ru", 394 | + "bias.ru", 395 | + "biblioteka29.ru", 396 | + "billing.ru", 397 | + "billing74.ru", 398 | + "billing74info.ru", 399 | + "bm-bank.ru", 400 | + "bobcat-pro.ru", 401 | + "bratsk.city", 402 | + "bresler.ru", 403 | + "bris-cloud.ru", 404 | + "broker-sb.ru", 405 | + "bsoinsur.online", 406 | + "bsoinsur.ru", 407 | + "bstu.ru", 408 | + "btlabs.ru", 409 | + "buhphone.ru", 410 | + "cap.ru", 411 | + "capitalkredit.ru", 412 | + "cardio.ru", 413 | + "cashtoyou.ru", 414 | + "cbch.ru", 415 | + "cbr.ru", 416 | + "cbrca.ru", 417 | + "ccb.com", 418 | + "ccbrussia.ru", 419 | + "cchgeu.ru", 420 | + "centr-invest.ru", 421 | + "centrinvest.ru", 422 | + "cetelem-bank.ru", 423 | + "cetelem.ru", 424 | + "cfb.ru", 425 | + "cfmc.ru", 426 | + "cge48.ru", 427 | + "championat.com", 428 | + "chance48.ru", 429 | + "chelinvest.ru", 430 | + "citto.ru", 431 | + "cmd-online.ru", 432 | + 
"cmd.su", 433 | + "cmirit.ru", 434 | + "cmrbank.ru", 435 | + "cnshb.ru", 436 | + "cobrain.ai", 437 | + "cobrain.io", 438 | + "commim.spb.ru", 439 | + "conceptgroup.ru", 440 | + "corpkometa.ru", 441 | + "cp.sbercloud.dev", 442 | + "cplsb.ru", 443 | + "crediteurope.ru", 444 | + "creditural.ru", 445 | + "crie.ru", 446 | + "crimearw.ru", 447 | + "crm.sberclass.ru", 448 | + "crpt.ru", 449 | + "cryptocom.ru", 450 | + "cryptopro.ru", 451 | + "cscampus.ru", 452 | + "csdnevnik.ru", 453 | + "csmoisport.ru", 454 | + "csr43.ru", 455 | + "custody.ru", 456 | + "customs.gov.ru", 457 | + "czko.ru", 458 | + "d-cd.net", 459 | + "dbo.szrcvtb.ru", 460 | + "dcapital.ru", 461 | + "dekart.ru", 462 | + "delfin-tour.ru", 463 | + "delikateska.ru", 464 | + "delo.ru", 465 | + "deltacredit.ru", 466 | + "dengisrazy.ru", 467 | + "denizbank.ru", 468 | + "depository.ru", 469 | + "derzhava.ru", 470 | + "detinso.ru", 471 | + "digitalreg.ru", 472 | + "dnevnik.ru", 473 | + "dobrozaim.ru", 474 | + "docdoc.pro", 475 | + "docdoc.ru", 476 | + "docdoc.tel", 477 | + "doktor.kr", 478 | + "domclick.ru", 479 | + "donland.ru", 480 | + "donses.ru", 481 | + "drive2.ru", 482 | + "driveclick.ru", 483 | + "ds89.ru", 484 | + "dtb1.ru", 485 | + "dtln.ru", 486 | + "dtnetwork.ru", 487 | + "dtrading.ru", 488 | + "dvbank.ru", 489 | + "e-signature.pro", 490 | + "eapteka.ru", 491 | + "eatpbank.ru", 492 | + "econs.online", 493 | + "edmon.ru", 494 | + "edu22.info", 495 | + "efbank.ru", 496 | + "egais.plus", 497 | + "energotransbank.com", 498 | + "englishteachers.ru", 499 | + "erkapharm.su", 500 | + "esphere.ru", 501 | + "etton.net", 502 | + "etton.ru", 503 | + "euroalliance.ru", 504 | + "evotor.ru", 505 | + "evotorpay.ru", 506 | + "evrofinance.ru", 507 | + "exiar.ru", 508 | + "eximbank.ru", 509 | + "expobank.org", 510 | + "expobank.ru", 511 | + "exportcenter.ru", 512 | + "ext2cs.cardstandard.ru", 513 | + "facef.ru", 514 | + "factoring.ru", 515 | + "faktura.ru", 516 | + "feonet.net", 517 | + "fes.nspk.ru", 518 | + "ffin.ru", 
519 | + "fiberside.ru", 520 | + "finam.ru", 521 | + "finambank.ru", 522 | + "finandauto.ru", 523 | + "fincult.info", 524 | + "finproinvest.com", 525 | + "finproinvest.ru", 526 | + "fintender.ru", 527 | + "finuslugi.ru", 528 | + "first-am.ru", 529 | + "fkr78.ru", 530 | + "flamp.ru", 531 | + "fomsrt.ru", 532 | + "fonbet.ru", 533 | + "fonema.ru", 534 | + "fontvielle.ru", 535 | + "forabank.ru", 536 | + "forus.ru", 537 | + "freedom24.ru", 538 | + "frhc.group", 539 | + "fs-mdlp.ru", 540 | + "fsin.gov.ru", 541 | + "fso.gov.ru", 542 | + "ft-crypto.ru", 543 | + "g45.tambov.gov.ru", 544 | + "gasu.gov.ru", 545 | + "gasu.ru", 546 | + "gazeks.com", 547 | + "gazeta.ru", 548 | + "gazfond-pn.ru", 549 | + "gdou26skazka.ru", 550 | + "gebank.ru", 551 | + "gemotest.ru", 552 | + "geopolis.ru", 553 | + "geosteering.ru", 554 | + "getfinance.ru", 555 | + "gi-bank.ru", 556 | + "gidapteka.ru", 557 | + "gimnazist1.ru", 558 | + "gis-tek.ru", 559 | + "gisogdro.ru", 560 | + "givc.ru", 561 | + "gk-rossiya.ru", 562 | + "gkp1.ru", 563 | + "gorbank.spb.ru", 564 | + "gorinfo.net", 565 | + "gorod74.ru", 566 | + "gosuslugi.ru", 567 | + "gov39.ru", 568 | + "gov74.ru", 569 | + "government.ru", 570 | + "gpbspace.ru", 571 | + "gpkk.ru", 572 | + "gpm.ru", 573 | + "grandsmeta.store", 574 | + "greatcircus.ru", 575 | + "grfc.ru", 576 | + "groteck.ru", 577 | + "gsnspb.ru", 578 | + "gutagroup.ru", 579 | + "h43.ru", 580 | + "halva.express", 581 | + "halvacard.ru", 582 | + "halvaclick.ru", 583 | + "halvapridi.ru", 584 | + "hh.ru", 585 | + "hmnpf.ru", 586 | + "iac.spb.ru", 587 | + "ibam.ru", 588 | + "icard-prod.ru", 589 | + "icard.cards", 590 | + "id-solutions.ru", 591 | + "idpoint.ru", 592 | + "iep.ru", 593 | + "ihead.ru", 594 | + "iitrust.info", 595 | + "iitrust.link", 596 | + "iitrust.lk", 597 | + "iitrust.online", 598 | + "iitrust.ru", 599 | + "iitrust.site", 600 | + "ikb-rs.ru", 601 | + "ikir.ru", 602 | + "imgsmail.ru", 603 | + "in-bank.ru", 604 | + "incomsib.ru", 605 | + "infarktanet.ru", 606 | + 
"infodec.ru", 607 | + "infosysco.ru", 608 | + "ingos-m.ru", 609 | + "ingos.ru", 610 | + "ingospensiya.ru", 611 | + "intbel.ru", 612 | + "integro.ru", 613 | + "intercomp.az", 614 | + "intercomp.kz", 615 | + "intercomp.ru", 616 | + "intercompglobal.com", 617 | + "investkuban.ru", 618 | + "investpay.ru", 619 | + "ipb.ru", 620 | + "ipc.tsc.ru", 621 | + "ippay.ru", 622 | + "ippay.su", 623 | + "ircsm.ru", 624 | + "isiao.gov.spb.ru", 625 | + "it-expertise.ru", 626 | + "it-uk.ru", 627 | + "itb.ru", 628 | + "itc48.ru", 629 | + "itgkh.ru", 630 | + "iticapital.ru", 631 | + "ittrade.ru", 632 | + "ivi.ru", 633 | + "kamaz.org", 634 | + "kamaz.ru", 635 | + "kaplife.ru", 636 | + "kbki.ru", 637 | + "kebrus.ru", 638 | + "kemsu.ru", 639 | + "kges.ru", 640 | + "khv27.ru", 641 | + "kilbil.ru", 642 | + "km-bank.ru", 643 | + "kolobox.ru", 644 | + "komiaviatrans.ru", 645 | + "kommersant.ru", 646 | + "kpbs.ru", 647 | + "krascor.ru", 648 | + "krasgmu.ru", 649 | + "krasnipi.ru", 650 | + "krasnodar.ru", 651 | + "kremlin.ru", 652 | + "kremlinbank.ru", 653 | + "ksu.edu.ru", 654 | + "kubanfarm.ru", 655 | + "kurgan-telecom.net", 656 | + "kuzbasshimbank.ru", 657 | + "kv-gelendzhik.ru", 658 | + "labtest.ru", 659 | + "ldskapustin.ru", 660 | + "lenta.ru", 661 | + "libyaya.ru", 662 | + "licey7minusa.ru", 663 | + "lifeingos.ru", 664 | + "lifepoint.club", 665 | + "lightcab.ru", 666 | + "livejournal.com", 667 | + "lk.sberpb.ru", 668 | + "lmsic.com", 669 | + "lockobank.ru", 670 | + "lockomarket.ru", 671 | + "logoped-tinao.ru", 672 | + "lti-gti.ru", 673 | + "mail.ru", 674 | + "makc.ru", 675 | + "makclife.ru", 676 | + "makcm.ru", 677 | + "mari-el.gov.ru", 678 | + "maritimebank.com", 679 | + "markhotel.ru", 680 | + "materiamedica.ru", 681 | + "matrixmobile.ru", 682 | + "mbkuban.ru", 683 | + "mddc.ai", 684 | + "mddc.ru", 685 | + "mednsk.ru", 686 | + "metrolonline.ru", 687 | + "mgsu.ru", 688 | + "mil.ru", 689 | + "mineco04.ru", 690 | + "minsport.gov.ru", 691 | + "minstroyrf.ru", 692 | + "mintrud.gov.ru", 693 | 
+ "misrv.com", 694 | + "mitcoms.ru", 695 | + "mkb-am.ru", 696 | + "mkb-broker.ru", 697 | + "mksmail.ru", 698 | + "mng.sbercloud.tech", 699 | + "mnpf-akvilon.ru", 700 | + "modernsys.ru", 701 | + "modulbank.ru", 702 | + "moesk.ru", 703 | + "moex.com", 704 | + "moezdo.ru", 705 | + "moisport.ru", 706 | + "molnet.ru", 707 | + "moneta.ru", 708 | + "mont.ru", 709 | + "mos.ru", 710 | + "moscombank.ru", 711 | + "moscoms.ru", 712 | + "moskb.ru", 713 | + "mosoblbank.ru", 714 | + "mospolytech.ru", 715 | + "mrz.ru", 716 | + "ms-box.ru", 717 | + "mse.ru", 718 | + "mtcfinance.ru", 719 | + "mtx.ru", 720 | + "murmankukla.ru", 721 | + "mysbertips.ru", 722 | + "myspar.ru", 723 | + "myworkcard.ru", 724 | + "mzdorovie.com", 725 | + "n1.ru", 726 | + "n3health.ru", 727 | + "na-lenskoy.ru", 728 | + "napolke.ru", 729 | + "nbdbank.ru", 730 | + "ncfu.net", 731 | + "ncfu.ru", 732 | + "neisri.ru", 733 | + "netpost.ru", 734 | + "nexign-systems.com", 735 | + "nexign.com", 736 | + "ngp1.ru", 737 | + "niac.ru", 738 | + "nic.ru", 739 | + "nii-vektor.ru", 740 | + "nipbank.ru", 741 | + "nko-rr.ru", 742 | + "north-east.ru", 743 | + "norvikbank.online", 744 | + "norvikbank.ru", 745 | + "novikom.ru", 746 | + "novobank.ru", 747 | + "novokib.ru", 748 | + "npc.ba", 749 | + "npf-sng.ru", 750 | + "npf-transneft.ru", 751 | + "npfb.ru", 752 | + "npfsb.ru", 753 | + "npfsberbanka.ru", 754 | + "npfsocium.ru", 755 | + "nsd.ru", 756 | + "nsg-ins.ru", 757 | + "nso.ru", 758 | + "nsrz.ru", 759 | + "nucrf.ru", 760 | + "nvkvd.ru", 761 | + "nvtc.ru", 762 | + "o-courier.ru", 763 | + "oao-ntek.ru", 764 | + "oboronregistr.ru", 765 | + "office-mob.ru", 766 | + "office-mobile.ru", 767 | + "ofukem.ru", 768 | + "okbhmao.ru", 769 | + "ombsk.biz", 770 | + "omk.ru", 771 | + "oneclickmoney.ru", 772 | + "open-s.info", 773 | + "open-s.su", 774 | + "open.ru", 775 | + "openfactoring.ru", 776 | + "ores-karelia.ru", 777 | + "ores-ptz.ru", 778 | + "ot.ru", 779 | + "oviont.ru", 780 | + "ozon-dostavka.ru", 781 | + "ozon.ru", 782 | + 
"paritet.ru", 783 | + "pay47.ru", 784 | + "payanyway.ru", 785 | + "payhd.ru", 786 | + "payhd.su", 787 | + "payment.ru", 788 | + "paymgate.ru", 789 | + "pba.su", 790 | + "pcbk.ru", 791 | + "pcr.ru", 792 | + "peremena.group", 793 | + "perinatal-tula.ru", 794 | + "pervbank.ru", 795 | + "petrsu.ru", 796 | + "pharma-soft.ru", 797 | + "phyche.ac.ru", 798 | + "pkg.sbercloud.tech", 799 | + "planar-elements.ru", 800 | + "plat-forma.ru", 801 | + "pluspay.ru", 802 | + "pnpi.nrcki.ru", 803 | + "pnpi.nw.ru", 804 | + "pnzgu.ru", 805 | + "podzemng.ru", 806 | + "poi.dvo.ru", 807 | + "prim-edu.ru", 808 | + "prime.infotecs.ru", 809 | + "primorsky.ru", 810 | + "private-banking.ru", 811 | + "prostobank.online", 812 | + "psati.ru", 813 | + "psbank.ru", 814 | + "psbnk.msk.ru", 815 | + "psbst.ru", 816 | + "pskov.ru", 817 | + "psuti.ru", 818 | + "py28.ru", 819 | + "raif.ru", 820 | + "raiffeisen-capital.ru", 821 | + "raiffeisen.ru", 822 | + "ramako.ru", 823 | + "rambler.ru", 824 | + "rapida.ru", 825 | + "rawenstvo.ru", 826 | + "rcitsakha.ru", 827 | + "rdb.ru", 828 | + "realistbank.ru", 829 | + "reg60.ru", 830 | + "reggarant.ru", 831 | + "region.broker", 832 | + "region.ru", 833 | + "regkrc.ru", 834 | + "renlife.ru", 835 | + "rentabank.ru", 836 | + "reso-life.ru", 837 | + "reso.ru", 838 | + "resocreditbank.ru", 839 | + "restospace.com", 840 | + "retailiqa.ru", 841 | + "rgs.ru", 842 | + "rgsbank.ru", 843 | + "risp.ru", 844 | + "rlisystems.ru", 845 | + "rmk.stavedu.ru", 846 | + "rncb.ru", 847 | + "rnrc.ru", 848 | + "rop.ru", 849 | + "rosbank-auto.ru", 850 | + "rosbank-capital.ru", 851 | + "rosbank-dom.ru", 852 | + "rosbank-leasing.ru", 853 | + "rosbank.ru", 854 | + "roscartography.ru", 855 | + "roscongress.org", 856 | + "rosfon.com", 857 | + "rosfondom.ru", 858 | + "roskazna.gov.ru", 859 | + "roskazna.ru", 860 | + "rosmintrud.ru", 861 | + "rosminzdrav.ru", 862 | + "rosomz.ru", 863 | + "rosseti-kuban.ru", 864 | + "rosseti-yug.ru", 865 | + "rossetimr.ru", 866 | + "rostatus.ru", 867 | + 
"royal-bank.ru", 868 | + "rrb.ru", 869 | + "rrbank.ru", 870 | + "rrtp.ru", 871 | + "rshb-ins.ru", 872 | + "rshb.ru", 873 | + "rshbins-life.ru", 874 | + "rshbins.ru", 875 | + "rsue.ru", 876 | + "rt-dc.ru", 877 | + "rt-solar.ru", 878 | + "rt.ru", 879 | + "rtlq.ru", 880 | + "rts-tender.ru", 881 | + "ruhiv.ru", 882 | + "runa.ru", 883 | + "ruru.ru", 884 | + "rusfinance.ru", 885 | + "rusfincorp.ru", 886 | + "rusfund.ru", 887 | + "rustest.ru", 888 | + "rzb.ru", 889 | + "s2b.tech", 890 | + "saby.dev", 891 | + "saby.ru", 892 | + "sabyc.ru", 893 | + "sabyd.ru", 894 | + "sabyget.ru", 895 | + "sabytrade.ru", 896 | + "sadikclick.ru", 897 | + "sakha.gov.ru", 898 | + "samregion.ru", 899 | + "sapod.ru", 900 | + "sarnotary.ru", 901 | + "sbbank.ru", 902 | + "sbbuild.ru", 903 | + "sbdevelop.ru", 904 | + "sber-am.ru", 905 | + "sber-solutions.az", 906 | + "sber-solutions.com", 907 | + "sber-solutions.group", 908 | + "sber-solutions.kz", 909 | + "sber-solutions.ru", 910 | + "sber-zvuk.com", 911 | + "sber.education", 912 | + "sber.insure", 913 | + "sber.me", 914 | + "sber.university", 915 | + "sber247.ru", 916 | + "sber9may.ru", 917 | + "sberanalytics.ru", 918 | + "sberautopark.ru", 919 | + "sberautopodpiska.ru", 920 | + "sberavtopark.ru", 921 | + "sberavtopodpiska.ru", 922 | + "sberbank-factoring.ru", 923 | + "sberbank-university.ru", 924 | + "sberbankaktivno.ru", 925 | + "sberbankins.ru", 926 | + "sberbankvmeste.ru", 927 | + "sberbuild.ru", 928 | + "sbercar.ru", 929 | + "sbercloud.ru", 930 | + "sberdevices.ru", 931 | + "sberdisk.biz", 932 | + "sberdisk.ru", 933 | + "sberfactoring.ru", 934 | + "sberfiles.com", 935 | + "sberfn.ru", 936 | + "sberhealth.pro", 937 | + "sberhealth.ru", 938 | + "sberins.ru", 939 | + "sberlogistics.ru", 940 | + "sbermarketing.ru", 941 | + "sbermed.ai", 942 | + "sbermedai.ru", 943 | + "sbermobile.ru", 944 | + "sberuniversity.online", 945 | + "sbervmeste.ru", 946 | + "sberxba.ru", 947 | + "sberzdorovie.ru", 948 | + "sberzdorovye.ru", 949 | + "sbfc.ru", 950 | + 
"sbibankllc.ru", 951 | + "sbis.link", 952 | + "sbis.ru", 953 | + "sblogistica.ru", 954 | + "sbnk.ru", 955 | + "sbp-med.ru", 956 | + "sbrf-capital.ru", 957 | + "sbrf.ru", 958 | + "sbspasibo.ru", 959 | + "sc490-spb.ru", 960 | + "scaling.sbc.space", 961 | + "scb-vdi.ru", 962 | + "school-134.ru", 963 | + "sdco.ru", 964 | + "sdkgarant.ru", 965 | + "sdm.ru", 966 | + "secgw.ru", 967 | + "senat.cloud", 968 | + "sergeykhotimskiy.ru", 969 | + "sermet.ru", 970 | + "servis-reestr.ru", 971 | + "sfn-am.ru", 972 | + "shakhty-gorod.ru", 973 | + "shiptor.ru", 974 | + "sibnet.ru", 975 | + "sinara.ru", 976 | + "sineft.ru", 977 | + "sistemagorod.ru", 978 | + "skbbank.ru", 979 | + "skblab.ru", 980 | + "skc-fmba.ru", 981 | + "skgelios.ru", 982 | + "slavbank.ru", 983 | + "slbank.ru", 984 | + "slon-e.ru", 985 | + "smart-uk.ru", 986 | + "smartc-sbrf.ru", 987 | + "smartmed.center", 988 | + "smpbank.ru", 989 | + "smrtc.ru", 990 | + "sngb.ru", 991 | + "sog.ru", 992 | + "sogaz-med.ru", 993 | + "soglasie.ru", 994 | + "solarlab.ru", 995 | + "solarsecurity.ru", 996 | + "solbum.ru", 997 | + "solid.com.ru", 998 | + "solid.ru", 999 | + "solidbroker.ru", 1000 | + "solidsk.ru", 1001 | + "sopomosch.ru", 1002 | + "sos112prim.ru", 1003 | + "sov-teh.com", 1004 | + "sovcombank-leasing.ru", 1005 | + "sovcombank.business", 1006 | + "sovcombank.credit", 1007 | + "sovcombank.group", 1008 | + "sovcombank.ru", 1009 | + "sovcomins.ru", 1010 | + "sovcomlife.ru", 1011 | + "sovlink.ru", 1012 | + "spas-ipoteka.ru", 1013 | + "spasibo.digital", 1014 | + "spasibosb.ru", 1015 | + "spasibosberbank.travel", 1016 | + "spasibotest.ru", 1017 | + "spasskievorota.ru", 1018 | + "spb112.ru", 1019 | + "spbexchange.ru", 1020 | + "specped.ru", 1021 | + "sppltd.org", 1022 | + "sppltd.ru", 1023 | + "sravni.market", 1024 | + "src-planeta.ru", 1025 | + "srmfc.ru", 1026 | + "star-pro.ru", 1027 | + "stavkray.ru", 1028 | + "stavregion.ru", 1029 | + "strelkacard.ru", 1030 | + "sura-ib.ru", 1031 | + "svet17.ru", 1032 | + "svg.ru", 1033 | + 
"svp.sbercloud.dev", 1034 | + "sweets-shop.ru", 1035 | + "syktsu.ru", 1036 | + "symptomcheker.ru", 1037 | + "sz.gkovd.ru", 1038 | + "t-tel.ru", 1039 | + "t72.ru", 1040 | + "tag-me.ru", 1041 | + "tagme.space", 1042 | + "taifnk.ru", 1043 | + "tax23.ru", 1044 | + "tcinet.ru", 1045 | + "technolog.edu.ru", 1046 | + "technologiya.ru", 1047 | + "tele2.ru", 1048 | + "tele2med.ru", 1049 | + "tensor.ru", 1050 | + "tes.ru", 1051 | + "tfi-urfo.ru", 1052 | + "tfomseao.ru", 1053 | + "thlotos.com", 1054 | + "timerbank.ru", 1055 | + "tinaki.ru", 1056 | + "titins.ru", 1057 | + "tivision.ru", 1058 | + "tkbbank.ru", 1059 | + "tkbip.ru", 1060 | + "tomsk.gov.ru", 1061 | + "torgi.gov.ru", 1062 | + "torgi223.ru", 1063 | + "tot.technology", 1064 | + "tradernet.ru", 1065 | + "transneft.ru", 1066 | + "transoil.com", 1067 | + "transstroybank.ru", 1068 | + "tuvsu.ru", 1069 | + "tyumen-polis.ru", 1070 | + "uecard.ru", 1071 | + "ufb.ru", 1072 | + "ugmk-telecom.ru", 1073 | + "ugpss48.ru", 1074 | + "ugsk.ru", 1075 | + "ulregion.ru", 1076 | + "unityre.ru", 1077 | + "upravkom.ru", 1078 | + "upravlyaem.ru", 1079 | + "uralsib.ru", 1080 | + "uriit.ru", 1081 | + "uszn-taganrog.ru", 1082 | + "utmn.ru", 1083 | + "v2b.ru", 1084 | + "vgasu.vrn.ru", 1085 | + "vitains.ru", 1086 | + "vniigaz.ru", 1087 | + "voiptools.ru", 1088 | + "volga-capital.ru", 1089 | + "vorkuta.ru", 1090 | + "vp.ru", 1091 | + "vrnds.ru", 1092 | + "vsa.ru", 1093 | + "vseplatezhi.ru", 1094 | + "vtb.com", 1095 | + "vtb.ru", 1096 | + "vtb24.ru", 1097 | + "vtbbo.ru", 1098 | + "vtbnpf.ru", 1099 | + "vtbr.ru", 1100 | + "vtbsd.ru", 1101 | + "vtbstrana.ru", 1102 | + "vtkbank.ru", 1103 | + "vysota-bonus.ru", 1104 | + "vzljot.ru", 1105 | + "wasaby.dev", 1106 | + "wineexpress.ru", 1107 | + "xn-----7kcackduzn2bc8avjg.xn--p1ai", 1108 | + "xn----7sbanj0ai9al2a.xn--p1ai", 1109 | + "xn----7sbapuabrmfgqwngje3etj.xn--p1ai", 1110 | + "xn----7sbbfrodpunestbpv6a7knb.xn--p1ai", 1111 | + "xn----7sbbg4agcddf6aammjdhk1r.xn--p1ai", 1112 | + 
"xn----8sbabidrwm9ab6atjf.xn--p1ai", 1113 | + "xn----8sbalgtaqconcpuji4ai0e.xn--p1ai", 1114 | + "xn----8sbcgzpu.xn--p1ai", 1115 | + "xn--80aa2abfodnqc1e7a6c.xn--80asehdb", 1116 | + "xn--80aaabuuaqgs5ajv.xn--p1ai", 1117 | + "xn--80aafyfbdcf3aallidhj1q.xn--p1ai", 1118 | + "xn--80aapjlqdvtdo.xn--p1ai", 1119 | + "xn--80abfumr.xn--p1ai", 1120 | + "xn--80adxhks.xn--p1ai", 1121 | + "xn--80aishalwf.xn--p1ai", 1122 | + "xn--80akicokc0aablc.xn--p1ai", 1123 | + "xn--90acfdcj4caode5l.xn--p1ai", 1124 | + "xn--90ae9be.xn--p1ai", 1125 | + "xn--90anlfbebar6i.xn--p1ai", 1126 | + "xn--90arfhfch6b.xn--p1ai", 1127 | + "xn--90axmqc.xn--p1ai", 1128 | + "xn--b1agzlht.xn--p1ai", 1129 | + "xn--d1aarbrc.xn--p1ai", 1130 | + "yoobusiness.ru", 1131 | + "yookassa.com", 1132 | + "yookassa.ru", 1133 | + "yoomoney.com", 1134 | + "yoomoney.ru", 1135 | + "yooteam.ru", 1136 | + "yuginterseti.ru", 1137 | + "z-it.ru", 1138 | + "zakaznso.ru", 1139 | + "zakupki.gov.ru", 1140 | + "zao-srk.ru", 1141 | + "zappstore.pro", 1142 | + "zolla.com", 1143 | + "zolla.ru", 1144 | + "zpp.spb.ru", 1145 | + "zsnso.ru", 1146 | + "09.rospotrebnadzor.ru", 1147 | + "1cfresh.ru", 1148 | + "1class.petersburgedu.ru", 1149 | + "1elecsnet.ru", 1150 | + "22-1.ru", 1151 | + "22.ctlog.digital.gov.ru", 1152 | + "23.ctlog.digital.gov.ru", 1153 | + "26gosuslugi.ru", 1154 | + "36.rospotrebnadzor.ru", 1155 | + "3ds.mmbank.ru", 1156 | + "43.rospotrebnadzor.ru", 1157 | + "45.rospotrebnadzor.ru", 1158 | + "52.rospotrebnadzor.ru", 1159 | + "56.rospotrebnadzor.ru", 1160 | + "acs1.vbank.ru", 1161 | + "acs2.smpcards.ru", 1162 | + "acs2.vbank.ru", 1163 | + "acstest.smpcards.ru", 1164 | + "acstest.vbank.ru", 1165 | + "acsv2.cardstandard.ru", 1166 | + "admin.bp.minpromtorg.gov.ru", 1167 | + "admin.budget.minpromtorg.gov.ru", 1168 | + "admin.kids.minpromtorg.gov.ru", 1169 | + "akibank.ru", 1170 | + "aml.vbank.ru", 1171 | + "andreytravnikov.ru", 1172 | + "ank-pki.ru", 1173 | + "aonb.astranet.ru", 1174 | + "apadp.openbank.ru", 1175 | + 
"api.sbercloud.tech", 1176 | + "api1.openbank.ru", 1177 | + "ard.moscow", 1178 | + "armdoo.petersburgedu.ru", 1179 | + "aslife.ru", 1180 | + "aso.bashkortostan.ru", 1181 | + "asoft.su", 1182 | + "atb.su", 1183 | + "atk26.ru", 1184 | + "auth.sbercloud.tech", 1185 | + "autodiscover.ffcorp.ru", 1186 | + "autodiscover.investcapitalbank.ru", 1187 | + "autodiscover.rubytech.ru", 1188 | + "autodiscovery.a-sbrf.ru", 1189 | + "autodiscovery.barus.ooo", 1190 | + "autodiscovery.baruscorp.ru", 1191 | + "autodiscovery.infoteh.ooo", 1192 | + "autodiscovery.infotehdc.ru", 1193 | + "autodiscovery.sbcc.ru", 1194 | + "avangard-garant.ru", 1195 | + "aversbank.ru", 1196 | + "aviars.ru", 1197 | + "avitek.ru", 1198 | + "awad1.voz.ru", 1199 | + "awad2.voz.ru", 1200 | + "awens.voz.ru", 1201 | + "awgate.vbank.ru", 1202 | + "awseg1.voz.ru", 1203 | + "awseg2.voz.ru", 1204 | + "baltinvestbank.com", 1205 | + "baltinvestbank.ru", 1206 | + "bank.woori.ru", 1207 | + "bankro.tech", 1208 | + "banksoyuz.ru", 1209 | + "bashgaz.ru", 1210 | + "bca.umbank.ru", 1211 | + "bcu.umbank.ru", 1212 | + "billing-api.sbercloud.store", 1213 | + "billing.sbercloud.store", 1214 | + "biz360.ru", 1215 | + "bonus-spasibo.ru", 1216 | + "bspb.ru", 1217 | + "c2b-sbp.openbank.ru", 1218 | + "ca.centerit35.ru", 1219 | + "cabinet.udomlya.ru", 1220 | + "cbr-day.ru", 1221 | + "cbr-online.ru", 1222 | + "cbr2021.online", 1223 | + "cbtest.vbank.ru", 1224 | + "ccb.ru", 1225 | + "cespi.directum.ru", 1226 | + "chechnya.gov.ru", 1227 | + "chsk.ru", 1228 | + "chukotka-gov.ru", 1229 | + "cloudm.voz.ru", 1230 | + "co-ise.somecorp.ru", 1231 | + "co-sfb2019ed01.somecorp.ru", 1232 | + "co-sfb2019s01.somecorp.ru", 1233 | + "coalmetbank.ru", 1234 | + "cryptexpert.ru", 1235 | + "cryptomir.nspk.ru", 1236 | + "csenter.ru", 1237 | + "cub-finance.ru", 1238 | + "data-fusion.ru", 1239 | + "databank.ru", 1240 | + "dbo.ekt.uralsibbank.ru", 1241 | + "dbo.nsk.uralsibbank.ru", 1242 | + "dbo.ofc.ru", 1243 | + "dbo.spb.uralsibbank.ru", 1244 | + 
"dbo.ufa.uralsibbank.ru", 1245 | + "dbo.uralsibbank.ru", 1246 | + "dbo.urd.uralsibbank.ru", 1247 | + "dbo.vbank.ru", 1248 | + "dbo2.kuzbank.ru", 1249 | + "dbo5.kuzbank.ru", 1250 | + "dbogate.ofc.ru", 1251 | + "dboul.baltinvest.com", 1252 | + "dboul.baltinvest.ru", 1253 | + "ddei.voz.ru", 1254 | + "ddei1.voz.ru", 1255 | + "ddei2.voz.ru", 1256 | + "demo.bifit.ru", 1257 | + "demoadmin.visitorcontrol.ru", 1258 | + "demodbo.ofc.ru", 1259 | + "demodbo.vbank.ru", 1260 | + "dialin.voz.ru", 1261 | + "disk.sbercloud.tech", 1262 | + "divrating.ru", 1263 | + "dni-fg.ru", 1264 | + "do.ipk19.ru", 1265 | + "dokhodchivo.ru", 1266 | + "dol-igra.ru", 1267 | + "doligra.ru", 1268 | + "dsworks.ru", 1269 | + "ekvant.baltinvest.com", 1270 | + "elecsnet.ru", 1271 | + "emb.ru", 1272 | + "engburo.ru", 1273 | + "epid-oki.ru", 1274 | + "erul.gov.ru", 1275 | + "es.ptz.ru", 1276 | + "esed-redos.kodeks.ru", 1277 | + "esmtp.voz.ru", 1278 | + "expertiza.spb.ru", 1279 | + "extapi1c.sbercloud.tech", 1280 | + "factoring.ofc.ru", 1281 | + "fcsm.ru", 1282 | + "ffms.ru", 1283 | + "finopolis.ru", 1284 | + "finzachet.ru", 1285 | + "forshtadt.ru", 1286 | + "funds-custody.ru", 1287 | + "gazprombank.investments", 1288 | + "gazprombank.ru", 1289 | + "gcup.spb.ru", 1290 | + "geliuscap.ru", 1291 | + "genbank.ru", 1292 | + "ggnp-sales.ru", 1293 | + "ggnpsales.ru", 1294 | + "gibank.ru", 1295 | + "git.sbercloud.tech", 1296 | + "gpb.ru", 1297 | + "gpbin.app", 1298 | + "granatpay.ru", 1299 | + "grasaro.ru", 1300 | + "guestportal.somecorp.ru", 1301 | + "gupti.ru", 1302 | + "gutains.ru", 1303 | + "gutapay.ru", 1304 | + "gw1.zcloud.ru", 1305 | + "hepreg.ru", 1306 | + "hivresist.ru", 1307 | + "ibank-1827.finsb.ru", 1308 | + "ibank-nbsrf.ru", 1309 | + "ibank.bankmaxima.ru", 1310 | + "ibank.bankrmp.ru", 1311 | + "ibank.doncombank.ru", 1312 | + "ibank.mbbru.ru", 1313 | + "ibank.mmbank.ru", 1314 | + "ibank.psib.ru", 1315 | + "ibank.sistemabank.ru", 1316 | + "ibank.tagbank.ru", 1317 | + "ibank.tpsb.com.ru", 1318 | + 
"ibank2.bankmaxima.ru", 1319 | + "ibank2.pskb.com", 1320 | + "ibank2.rostfinance.ru", 1321 | + "ibank2test-m.osdo.mmbank.ru", 1322 | + "icbru.ru", 1323 | + "ifcongress.ru", 1324 | + "iktport.ru", 1325 | + "infteh.ru", 1326 | + "ingoauto.ru", 1327 | + "inkakhran.ru", 1328 | + "ipsec-cia.directum.ru", 1329 | + "ipsec-main.directum.ru", 1330 | + "ipsec-msk.directum.ru", 1331 | + "ipsec.directum.ru", 1332 | + "isnbank.ru", 1333 | + "iso20022.ru", 1334 | + "jira.sbercloud.tech", 1335 | + "jirasd.sbercloud.tech", 1336 | + "jirasm.sbercloud.tech", 1337 | + "kamkombank.ru", 1338 | + "kapmed.ru", 1339 | + "kaspersky.ru", 1340 | + "kbhmb.ru", 1341 | + "kk.bank", 1342 | + "kmbtraining.ru", 1343 | + "krasmed.ru", 1344 | + "ks.moscow", 1345 | + "kubankredit.ru", 1346 | + "ladoshkipay.ru", 1347 | + "line-invest.ru", 1348 | + "lk.alorbank.ru", 1349 | + "lk.beforts.ru", 1350 | + "lk.region-dk.ru", 1351 | + "lyncdiscover.voz.ru", 1352 | + "m1.zcloud.ru", 1353 | + "mail.a-sbrf.ru", 1354 | + "mail.admamr.ru", 1355 | + "mail.barus.ooo", 1356 | + "mail.baruscorp.ru", 1357 | + "mail.ffcorp.ru", 1358 | + "mail.infoteh.ooo", 1359 | + "mail.infotehdc.ru", 1360 | + "mail.rostfinance.ru", 1361 | + "mail.rubytech.ru", 1362 | + "mail.sbcc.ru", 1363 | + "mail.sivilab.ru", 1364 | + "mail.somecorp.ru", 1365 | + "mail.tjmport.ru", 1366 | + "mail2.rubytech.ru", 1367 | + "marsu.ru", 1368 | + "mb-partner.bm.ru", 1369 | + "mcbank.ru", 1370 | + "medexpress.ru", 1371 | + "meet.voz.ru", 1372 | + "mex1.voz.ru", 1373 | + "mex2.voz.ru", 1374 | + "migrakvota.gov.ru", 1375 | + "mili-rest.ru", 1376 | + "mlnt.ru", 1377 | + "mobile-api.av.admtyumen.ru", 1378 | + "mobile.vbank.ru", 1379 | + "money1c.com", 1380 | + "monitoring.sbercloud.dev", 1381 | + "mti-bank.ru", 1382 | + "muavr.ru", 1383 | + "mvs-bank.ru", 1384 | + "mydevices.somecorp.ru", 1385 | + "namex.org", 1386 | + "napolkelegal.ru", 1387 | + "nco-payu.ru", 1388 | + "newbank.ru", 1389 | + "nkkdc.ru", 1390 | + "non-tariff.gov.ru", 1391 | + "npazsnso.ru", 
1392 | + "nrb.ru", 1393 | + "ns-bank.ru", 1394 | + "ns1.cit-sk.net", 1395 | + "ns1.ihordns.net", 1396 | + "ns2.cit-sk.net", 1397 | + "ns2.ihordns.net", 1398 | + "nsbank.ru", 1399 | + "nslvtec.ru", 1400 | + "nsopravo.ru", 1401 | + "octan.ru", 1402 | + "okbank.ru", 1403 | + "okotovske.ru", 1404 | + "olabank.ru", 1405 | + "olb.ru", 1406 | + "oms3ru.insp.ru", 1407 | + "online.baltinvest.com", 1408 | + "online.bank-mscb.ru", 1409 | + "online.nsk.su", 1410 | + "online.vbank.ru", 1411 | + "online2.bankcard.ru", 1412 | + "onlinebroker.ru", 1413 | + "onlinedev.vbank.ru", 1414 | + "open-cbr.ru", 1415 | + "oreka.ru", 1416 | + "ovaldbru.altx-soft.ru", 1417 | + "owa.rubytech.ru", 1418 | + "owa.spar-nn.ru", 1419 | + "owa.spar.nnov.ru", 1420 | + "owa.voz.ru", 1421 | + "parking.spb.ru", 1422 | + "partizansk.org", 1423 | + "partnercmd.ru", 1424 | + "pay.cardstandard.ru", 1425 | + "pay.rkcgkh.ru", 1426 | + "payctrl.vbank.ru", 1427 | + "payctrltest.vbank.ru", 1428 | + "pb.sbercloud.tech", 1429 | + "pda-kotovsk.ru", 1430 | + "pension-fg.ru", 1431 | + "petadm.ru", 1432 | + "pettown.ru", 1433 | + "pkica2.beeline.ru", 1434 | + "platiqr.ru", 1435 | + "pokupay.ru", 1436 | + "pol4.tomsk.ru", 1437 | + "portal.gos.sbercloud.dev", 1438 | + "portal.kuzbank.ru", 1439 | + "post.a-sbrf.ru", 1440 | + "ppfinsurance.ru", 1441 | + "pw.sbercloud.tech", 1442 | + "raif-am.ru", 1443 | + "raif-capital.ru", 1444 | + "raif-invest.ru", 1445 | + "raif-partners.ru", 1446 | + "raiffeisencapital.ru", 1447 | + "randi.ru", 1448 | + "rcg.agency", 1449 | + "rcmru.ru", 1450 | + "red-people.com", 1451 | + "relay.baltinvest.com", 1452 | + "relay.umecon.ru", 1453 | + "reparm.ru", 1454 | + "retail.kuzbank.ru", 1455 | + "retail5.kuzbank.ru", 1456 | + "rnko.ru", 1457 | + "room485.com", 1458 | + "rpnkirov.ru", 1459 | + "russ-invest.com", 1460 | + "rutls.leader-id.ru", 1461 | + "s-t.ru", 1462 | + "s3.gos.sbercloud.dev", 1463 | + "sber-agent.ru", 1464 | + "sber-impulse.com", 1465 | + "sber-impulse.ru", 1466 | + 
"sber-pravo.com", 1467 | + "sber-pravo.info", 1468 | + "sber-pravo.ru", 1469 | + "sber-pravo.tech", 1470 | + "sber-spief.ru", 1471 | + "sber-unity.ru", 1472 | + "sber.pro", 1473 | + "sber.ru", 1474 | + "sberactivno.ru", 1475 | + "sberbank-cib.com", 1476 | + "sberbank-cib.ru", 1477 | + "sberbank-pb.ru", 1478 | + "sberbank.com", 1479 | + "sberbank.ru", 1480 | + "sberbank1.ru", 1481 | + "sberbankactivno.ru", 1482 | + "sberbankspasibo.travel", 1483 | + "sberbb.ru", 1484 | + "sberbusiness.live", 1485 | + "sberclickstream.ru", 1486 | + "sbercloud.com", 1487 | + "sbercloud.org", 1488 | + "sbercrm.com", 1489 | + "sbercrm.ru", 1490 | + "sberegiplanetu.ru", 1491 | + "sberimpulse.com", 1492 | + "sberimpulse.ru", 1493 | + "sberindex.ru", 1494 | + "sberpravo.com", 1495 | + "sberpravo.info", 1496 | + "sberpravo.ru", 1497 | + "sberpravo.tech", 1498 | + "sberspasibo.ru", 1499 | + "sbertv.ru", 1500 | + "sberunity.ru", 1501 | + "sbrf-cib.ru", 1502 | + "sc.link", 1503 | + "school2.glolime.ru", 1504 | + "sdkgarant.online", 1505 | + "sentry.sbercloud.tech", 1506 | + "severgazbank.ru", 1507 | + "sevesk.ru", 1508 | + "sevnb.ru", 1509 | + "sfbext.voz.ru", 1510 | + "sibnet-download.ru", 1511 | + "sibsoc.com", 1512 | + "sibsoc.ru", 1513 | + "sign.beeline.ru", 1514 | + "sip.voz.ru", 1515 | + "sipgw.binatel.org", 1516 | + "sipgwauth.binatel.org", 1517 | + "sipreg.binatel.org", 1518 | + "sipsfb.voz.ru", 1519 | + "slavia-bank.com", 1520 | + "slavia-bank.ru", 1521 | + "slaviabank.com", 1522 | + "slaviabank.ru", 1523 | + "smartway.today", 1524 | + "smpgroup.ru", 1525 | + "smponbank.ru", 1526 | + "sobe.ru", 1527 | + "sobinka-city.ru", 1528 | + "softlab.ru", 1529 | + "sogaz-life-new.sandbox.zetest.site", 1530 | + "sogaz-life.ru", 1531 | + "solidbank.ru", 1532 | + "sonarplus.ru", 1533 | + "spasibo.market", 1534 | + "spasibosberbank.events", 1535 | + "spasibosberbank.online", 1536 | + "spasibosberbank.ru", 1537 | + "sponsor.somecorp.ru", 1538 | + "sponsor2.somecorp.ru", 1539 | + "strelkapay.ru", 1540 
| + "svoedelo.blog", 1541 | + "swtmedia.ru", 1542 | + "tamcomsys.ru", 1543 | + "tavrich.ru", 1544 | + "tencar.ru", 1545 | + "test.ct-log.ru", 1546 | + "test.konversta.com", 1547 | + "test.konversta.ru", 1548 | + "test.krsk-sbit.ru", 1549 | + "testdbo.gorbank.spb", 1550 | + "testextapi1c.sbercloud.tech", 1551 | + "tigersoft.ru", 1552 | + "tochka.com", 1553 | + "tpsbank.tomsk.ru", 1554 | + "transportpay.ru", 1555 | + "travel2mich.ru", 1556 | + "uc.kadastr.ru", 1557 | + "ucparma.ru", 1558 | + "ufabank.ru", 1559 | + "uln-ix.ru", 1560 | + "vcbr.ru", 1561 | + "vdi.krsk-sbit.ru", 1562 | + "vipguest.somecorp.ru", 1563 | + "vozvratnalogov.online", 1564 | + "vpbx.binatel.org", 1565 | + "vpbxsip.binatel.org", 1566 | + "vpbxsiptrunk.binatel.org", 1567 | + "vpn.ffcorp.ru", 1568 | + "vpn.vbank.ru", 1569 | + "vsesrazu-raiffeisen.ru", 1570 | + "vtbcareer.com", 1571 | + "web-pacient.ru", 1572 | + "webconfsfb.voz.ru", 1573 | + "weber-facade.ru", 1574 | + "webservices.voz.ru", 1575 | + "wiki.sbercloud.tech", 1576 | + "wt.vektorpharm.ru", 1577 | + "www.altx-soft.ru", 1578 | + "www.electro-mpo.ru", 1579 | + "www.my.domrfbank.ru", 1580 | + "www.online.domrfbank.ru", 1581 | + "www.psbinvest.ru", 1582 | + "www.redcheck.ru", 1583 | + "www.rostfinance.ru", 1584 | + "www.rus-telecom.ru", 1585 | + "www.sbcc.ru", 1586 | + "www.smbbank.ru", 1587 | + "www.tavrich.ru.ru", 1588 | + "wwwscr.digitalaccess.ru", 1589 | + "xn----7sbbdd0brby6a0m.xn--p1ai", 1590 | + "xn----7sbbdrzkdqce2az7c0eo.xn--p1ai", 1591 | + "xn----8sbahbhzjefje2bh0c.xn--p1ai", 1592 | + "xn----8sbbgm1degce.xn--p1acf", 1593 | + "xn----8sbbgm1degce.xn--p1ai", 1594 | + "xn----ctbtwbliac6kg.xn--p1ai", 1595 | + "xn----otbfciegbepjfxsx.xn--p1ai", 1596 | + "xn--60-6kcdjn0djpdug.xn--p1ai", 1597 | + "xn--68-6kcms6d.xn--p1ai", 1598 | + "xn--80aabahoyob1afmqly.xn--p1ai", 1599 | + "xn--80aacd4aobv3a8l.xn--p1ai", 1600 | + "xn--80aacgalas3awh0amqckcv.xn--p1ai", 1601 | + "xn--80aacgvulkfjl.xn--p1ai", 1602 | + "xn--80aacovidocd0ax3c9dn.xn--p1ai", 
1603 | + "xn--80aafazdif3amxndk1k.xn--p1ai", 1604 | + "xn--80aba0anrevc5c.xn--p1ai", 1605 | + "xn--80abek1cdgbe.xn--p1acf", 1606 | + "xn--80abek1cdgbe.xn--p1ai", 1607 | + "xn--80abekqlximhq.xn--p1ai", 1608 | + "xn--80abkczg7afy.xn--p1ai", 1609 | + "xn--80ablwmcepr1b.xn--p1ai", 1610 | + "xn--80abwairipka.xn--p1ai", 1611 | + "xn--80aeeyvbeh4e6a.xn--p1ai", 1612 | + "xn--90a5b.xn--p1ai", 1613 | + "xn--90aciba4b0afgk.xn--p1ai", 1614 | + "xn--90ad3ap.xn--p1ai", 1615 | + "xn--90axl.xn--p1ai", 1616 | + "xn--b1aook.xn--p1ai", 1617 | + "xn--c1ajbkjyncd.xn--p1ai", 1618 | + "zagorodtelecom.ru", 1619 | + "zhivagobank.ru", 1620 | + "zirax.com", 1621 | + "zskuzbass.ru", 1622 | +}; 1623 | + 1624 | +CertificateList* g_domestic_roots_for_testing; 1625 | +std::string* g_allowlisted_host_for_testing; 1626 | +} // namespace 1627 | + 1628 | +const CertificateList& GetDomesticRoots() { 1629 | + if (g_domestic_roots_for_testing) { 1630 | + return *g_domestic_roots_for_testing; 1631 | + } 1632 | + 1633 | +#if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_MAC) 1634 | + static const base::NoDestructor domestic_roots( 1635 | + X509Certificate::CreateCertificateListFromBytes( 1636 | + base::as_bytes(base::make_span(kDomesticRootCert)), 1637 | + X509Certificate::FORMAT_PEM_CERT_SEQUENCE)); 1638 | +#else 1639 | + static const base::NoDestructor domestic_roots; 1640 | +#endif // BUILDFLAG(IS_WIN) || BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_MAC) 1641 | + 1642 | + return *domestic_roots; 1643 | +} 1644 | + 1645 | +bool IsAllowlistedDomesticRootHost(base::StringPiece hostname) { 1646 | + if (g_allowlisted_host_for_testing) { 1647 | + return hostname == *g_allowlisted_host_for_testing; 1648 | + } 1649 | + 1650 | + for (const auto& pattern : kDomesticRootAllowlist) { 1651 | + if (hostname == pattern) { 1652 | + return true; 1653 | + } 1654 | + if (hostname.size() > pattern.size() + 1 && 1655 | + base::EndsWith(hostname, pattern) && 1656 | + hostname[hostname.size() - pattern.size() - 1] == '.') 
{
1657 | + return true;
1658 | + }
1659 | + }
1660 | + return false;
1661 | +}
1662 | +
1663 | +void SetDomesticRootsForTesting(CertificateList* roots) {
1664 | + g_domestic_roots_for_testing = roots;
1665 | +}
1666 | +
1667 | +void SetAllowlistedDomesticRootHostForTesting(std::string* hostname) {
1668 | + g_allowlisted_host_for_testing = hostname;
1669 | +}
1670 | +
1671 | +} // namespace net
1672 | diff --git a/net/base/domestic_roots.h b/net/base/domestic_roots.h
1673 | new file mode 100644
1674 | index 0000000000000..cd7fe0cf24d5d
1675 | --- /dev/null
1676 | +++ b/net/base/domestic_roots.h
1677 | @@ -0,0 +1,19 @@
1678 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
1679 | +#ifndef NET_BASE_DOMESTIC_ROOTS_H_
1680 | +#define NET_BASE_DOMESTIC_ROOTS_H_
1681 | +
1682 | +#include "base/strings/string_piece.h"
1683 | +#include "net/base/net_export.h"
1684 | +#include "net/cert/x509_certificate.h"
1685 | +
1686 | +namespace net {
1687 | +const CertificateList& NET_EXPORT GetDomesticRoots();
1688 | +
1689 | +bool NET_EXPORT IsAllowlistedDomesticRootHost(base::StringPiece hostname);
1690 | +
1691 | +void NET_EXPORT SetDomesticRootsForTesting(CertificateList* roots);
1692 | +
1693 | +void NET_EXPORT SetAllowlistedDomesticRootHostForTesting(std::string* hostname);
1694 | +} // namespace net
1695 | +
1696 | +#endif // NET_BASE_DOMESTIC_ROOTS_H_
1697 | diff --git a/net/base/domestic_roots_unittest.cc b/net/base/domestic_roots_unittest.cc
1698 | new file mode 100644
1699 | index 0000000000000..8edb4c6184999
1700 | --- /dev/null
1701 | +++ b/net/base/domestic_roots_unittest.cc
1702 |
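Review bot: The two `...ForTesting` setters in domestic_roots.h are exported from the production header with no comment. In domestic_roots.cc they replace the compiled-in root list and collapse the whole allowlist to a single hostname through raw global pointers, so any code linked against net can change which root is trusted and for which host. Document the contract on each declaration, for example `// Test-only. |roots| must outlive every verification; pass nullptr to restore the built-in list.`, and keep the callers confined to test targets. The header also names `std::string` without including it; add `#include <string>`.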
@@ -0,0 +1,24 @@
1703 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
1704 | +
1705 | +#include "net/base/domestic_roots.h"
1706 | +#include "gtest/gtest.h"
1707 | +#include "testing/gtest/include/gtest/gtest.h"
1708 | +
1709 | +namespace net {
1710 | +
1711 | +TEST(DomesticRootsTest, GetDomesticRoots) {
1712 | + const auto& domestic_roots = GetDomesticRoots();
1713 | + ASSERT_EQ(domestic_roots.size(), 1u);
1714 | +
1715 | + EXPECT_EQ(domestic_roots[0]->subject().GetDisplayName(),
1716 | + "Russian Trusted Root CA");
1717 | +}
1718 | +
1719 | +TEST(DomesticRootsTest, Allowlist) {
1720 | + EXPECT_TRUE(IsAllowlistedDomesticRootHost("www.vtb.ru"));
1721 | + EXPECT_TRUE(IsAllowlistedDomesticRootHost("vtb.ru"));
1722 | + EXPECT_FALSE(IsAllowlistedDomesticRootHost("notfound.ru"));
1723 | + EXPECT_FALSE(IsAllowlistedDomesticRootHost("google.com"));
1724 | +}
1725 | +
1726 | +} // namespace net
1727 | \ No newline at end of file
1728 | diff --git a/net/cert/cert_verify_proc.cc b/net/cert/cert_verify_proc.cc
1729 | index eaeb8416f8bcd..853d27e69cef9 100644
1730 | --- a/net/cert/cert_verify_proc.cc
1731 | +++ b/net/cert/cert_verify_proc.cc
1732 | @@ -13,6 +13,9 @@
1733 | #include "base/metrics/histogram.h"
1734 | #include "base/metrics/histogram_functions.h"
1735 | #include "base/metrics/histogram_macros.h"
1736 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
1737 | +#include "base/no_destructor.h"
1738 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
1739 | #include "base/strings/strcat.h"
1740 | #include "base/strings/string_util.h"
1741 | #include "base/strings/stringprintf.h"
1742 |
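Review bot: The Allowlist test never exercises the label boundary that IsAllowlistedDomesticRootHost relies on, so a regression that weakens the match to a plain suffix comparison would still pass. Add a negative case for a name that merely ends with an allowlisted entry, for example the constructed host in `EXPECT_FALSE(IsAllowlistedDomesticRootHost("notvtb.ru"));`. Also pin the intended result for mixed-case and trailing-dot spellings such as `"VTB.ru"` and `"vtb.ru."`, which the byte-wise comparison appears to reject. Separately, GetDomesticRoots asserts a size of 1 while domestic_roots.cc builds the list only under IS_WIN, IS_LINUX or IS_MAC, so the test would fail if compiled for any other platform. The file also includes gtest twice under two paths.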
@@ -21,6 +24,9 @@
1743 | #include "build/build_config.h"
1744 | #include "crypto/crypto_buildflags.h"
1745 | #include "crypto/sha2.h"
1746 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
1747 | +#include "net/base/domestic_roots.h"
1748 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
1749 | #include "net/base/features.h"
1750 | #include "net/base/net_errors.h"
1751 | #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
1752 |
@@ -567,10 +573,29 @@ int CertVerifyProc::Verify(X509Certificate* cert,
1753 | verify_result->Reset();
1754 | verify_result->verified_cert = cert;
1755 |
1756 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
1757 | + const auto& domestic_trust_anchors = GetDomesticRoots();
1758 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
1759 |
1760 | DCHECK(crl_set);
1761 | - int rv =
1762 | - VerifyInternal(cert, hostname, ocsp_response, sct_list, flags, crl_set,
1763 | - additional_trust_anchors, verify_result, net_log);
1764 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
1765 | + int rv = VerifyInternalWithDomesticAnchors(
1766 | + cert, hostname, ocsp_response, sct_list, flags, crl_set,
1767 | + additional_trust_anchors, verify_result, net_log, domestic_trust_anchors);
1768 | +
1769 | + if (verify_result->verified_cert &&
1770 | + !verify_result->verified_cert->intermediate_buffers().empty()) {
1771 | + const auto& trust_anchor =
1772 | + verify_result->verified_cert->intermediate_buffers().back();
1773 | + for (const auto& root : domestic_trust_anchors) {
1774 | + if (x509_util::CryptoBufferEqual(trust_anchor.get(),
1775 | + root->cert_buffer())) {
1776 | + verify_result->is_issued_by_known_root = true;
1777 | + break;
1778 | + }
1779 | + }
1780 | + }
1781 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
1782 |
1783 | // Check for mismatched signature algorithms and unknown signature algorithms
1784 | // in the chain. Also fills in the has_* booleans for the digest algorithms
1785 |
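Review bot: Verify() hands GetDomesticRoots() to the verifier for every hostname, and nothing in this hunk consults IsAllowlistedDomesticRootHost(hostname). Unless a check outside the visible lines rejects non-allowlisted hosts afterwards, the extra root becomes a trust anchor for any site rather than only for the listed domains. Gating where the list is chosen keeps the trust scope equal to the allowlist: select the roots with `IsAllowlistedDomesticRootHost(hostname) ? GetDomesticRoots() : <empty CertificateList>`. The loops that install the anchors in cert_verify_proc_builtin.cc and cert_verify_proc_mac.cc then need no change. The block that sets `is_issued_by_known_root` treats the last intermediate buffer as the anchor and runs whatever `rv` is; a short comment saying why a locally shipped root is reported as a known root would help. Verify()'s body continues outside the hunk.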
@@ -769,6 +794,23 @@ void CertVerifyProc::LogNameNormalizationMetrics(
1786 | NameNormalizationResult::kByteEqual);
1787 | }
1788 |
1789 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
1790 | +int CertVerifyProc::VerifyInternalWithDomesticAnchors(
1791 | + X509Certificate* cert,
1792 | + const std::string& hostname,
1793 | + const std::string& ocsp_response,
1794 | + const std::string& sct_list,
1795 | + int flags,
1796 | + CRLSet* crl_set,
1797 | + const CertificateList& additional_trust_anchors,
1798 | + CertVerifyResult* verify_result,
1799 | + const NetLogWithSource& net_log,
1800 | + const CertificateList& domestic_trust_anchors) {
1801 | + return VerifyInternal(cert, hostname, ocsp_response, sct_list, flags, crl_set,
1802 | + additional_trust_anchors, verify_result, net_log);
1803 | +}
1804 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
1805 | +
1806 | // CheckNameConstraints verifies that every name in |dns_names| is in one of
1807 | // the domains specified by |domains|.
1808 | static bool CheckNameConstraints(const std::vector& dns_names,
1809 | diff --git a/net/cert/cert_verify_proc.h b/net/cert/cert_verify_proc.h
1810 | index 32e9fb1f8b038..9de0f3e500389 100644
1811 | --- a/net/cert/cert_verify_proc.h
1812 | +++ b/net/cert/cert_verify_proc.h
1813 |
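Review bot: The base-class default discards `domestic_trust_anchors` without a trace, so a verifier subclass that does not override this method verifies against its usual roots only, while Verify() has no way to tell that the list was ignored. Say so on the definition and on the declaration added to cert_verify_proc.h, for example `// Default: ignores |domestic_trust_anchors| and defers to VerifyInternal(); verifiers that support the extra roots override this.`. That comment also tells a reader why the parameter is unused here.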
@@ -189,6 +189,20 @@ class NET_EXPORT CertVerifyProc
1814 | CertVerifyResult* verify_result,
1815 | const NetLogWithSource& net_log) = 0;
1816 |
1817 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
1818 | + virtual int VerifyInternalWithDomesticAnchors(
1819 | + X509Certificate* cert,
1820 | + const std::string& hostname,
1821 | + const std::string& ocsp_response,
1822 | + const std::string& sct_list,
1823 | + int flags,
1824 | + CRLSet* crl_set,
1825 | + const CertificateList& additional_trust_anchors,
1826 | + CertVerifyResult* verify_result,
1827 | + const NetLogWithSource& net_log,
1828 | + const CertificateList& domestic_trust_anchors);
1829 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
1830 | +
1831 | // HasNameConstraintsViolation returns true iff one of |public_key_hashes|
1832 | // (which are hashes of SubjectPublicKeyInfo structures) has name constraints
1833 | // imposed on it and the names in |dns_names| are not permitted.
1834 | diff --git a/net/cert/cert_verify_proc_builtin.cc b/net/cert/cert_verify_proc_builtin.cc
1835 | index 86a588c84dbdf..03be7d920eb73 100644
1836 | --- a/net/cert/cert_verify_proc_builtin.cc
1837 | +++ b/net/cert/cert_verify_proc_builtin.cc
1838 | @@ -10,6 +10,9 @@
1839 |
1840 | #include "base/logging.h"
1841 | #include "base/memory/raw_ptr.h"
1842 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
1843 | +#include "base/notreached.h"
1844 | +// Copyright (c) 2017 The Chromium Authors. All rights reserved.
1845 | #include "base/strings/string_piece.h"
1846 | #include "base/values.h"
1847 | #include "crypto/sha2.h"
1848 |
@@ -424,6 +427,20 @@ class CertVerifyProcBuiltin : public CertVerifyProc {
1849 | CertVerifyResult* verify_result,
1850 | const NetLogWithSource& net_log) override;
1851 |
1852 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
1853 | + int VerifyInternalWithDomesticAnchors(
1854 | + X509Certificate* cert,
1855 | + const std::string& hostname,
1856 | + const std::string& ocsp_response,
1857 | + const std::string& sct_list,
1858 | + int flags,
1859 | + CRLSet* crl_set,
1860 | + const CertificateList& additional_trust_anchors,
1861 | + CertVerifyResult* verify_result,
1862 | + const NetLogWithSource& net_log,
1863 | + const CertificateList& domestic_trust_anchors) override;
1864 | +// Copyright (c) 2017 The Chromium Authors. All rights reserved.
1865 | +
1866 | scoped_refptr net_fetcher_;
1867 | std::unique_ptr system_trust_store_;
1868 | };
1869 | @@ -722,7 +739,9 @@ bool CanTryAgainWithWeakerDigestPolicy(const CertPathBuilder::Result& result) {
1870 | cert_errors::kUnacceptableSignatureAlgorithm);
1871 | }
1872 |
1873 | -int CertVerifyProcBuiltin::VerifyInternal(
1874 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
1875 | +int CertVerifyProcBuiltin::VerifyInternalWithDomesticAnchors(
1876 | +// Copyright (c) 2017 The Chromium Authors. All rights reserved.
1877 | X509Certificate* input_cert,
1878 | const std::string& hostname,
1879 | const std::string& ocsp_response,
1880 |
@@ -731,7 +750,10 @@ int CertVerifyProcBuiltin::VerifyInternal(
1881 | CRLSet* crl_set,
1882 | const CertificateList& additional_trust_anchors,
1883 | CertVerifyResult* verify_result,
1884 | - const NetLogWithSource& net_log) {
1885 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
1886 | + const NetLogWithSource& net_log,
1887 | + const CertificateList& domestic_trust_anchors) {
1888 | +// Copyright (c) 2017 The Chromium Authors. All rights reserved.
1889 | // VerifyInternal() is expected to carry out verifications using the current
1890 | // time stamp.
1891 | base::Time verification_time = base::Time::Now();
1892 | @@ -799,6 +821,20 @@ int CertVerifyProcBuiltin::VerifyInternal(
1893 | });
1894 | }
1895 |
1896 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
1897 | + for (const auto& x509_cert : domestic_trust_anchors) {
1898 | + CertErrors parsing_errors;
1899 | + scoped_refptr cert =
1900 | + ParseCertificateFromBuffer(x509_cert->cert_buffer(), &parsing_errors);
1901 | + if (cert)
1902 | + trust_store.AddTrustAnchor(std::move(cert));
1903 | + net_log.AddEvent(
1904 | + NetLogEventType::CERT_VERIFY_PROC_ADDITIONAL_TRUST_ANCHOR, [&] {
1905 | + return NetLogCertParams(x509_cert->cert_buffer(), parsing_errors);
1906 | + });
1907 | + }
1908 | +// Copyright (c) 2017 The Chromium Authors. All rights reserved.
1909 | +
1910 | // Get the global dependencies.
1911 | const EVRootCAMetadata* ev_metadata = EVRootCAMetadata::GetInstance();
1912 |
1913 |
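Review bot: The compiled-in roots are logged with `CERT_VERIFY_PROC_ADDITIONAL_TRUST_ANCHOR`, which by its name is the event for anchors supplied by the caller. In a NetLog capture, a chain anchored at the shipped domestic root therefore cannot be told apart from one anchored at a caller-provided root, which is exactly what someone triaging an unexpected trust decision needs to see. Log these with a distinguishing field or a dedicated event. Because this list is built into the binary, a parse failure here is a build defect rather than a runtime condition, so `DCHECK(cert);` before the `if (cert)` would surface it in debug builds. The function body starts and ends outside the hunk.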
@@ -912,6 +948,22 @@ int CertVerifyProcBuiltin::VerifyInternal(
1914 | return error;
1915 | }
1916 |
1917 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
1918 | +int CertVerifyProcBuiltin::VerifyInternal(
1919 | + X509Certificate* input_cert,
1920 | + const std::string& hostname,
1921 | + const std::string& ocsp_response,
1922 | + const std::string& sct_list,
1923 | + int flags,
1924 | + CRLSet* crl_set,
1925 | + const CertificateList& additional_trust_anchors,
1926 | + CertVerifyResult* verify_result,
1927 | + const NetLogWithSource& net_log) {
1928 | + NOTREACHED();
1929 | + return ERR_UNEXPECTED;
1930 | +}
1931 | +// Copyright (c) 2017 The Chromium Authors. All rights reserved.
1932 | +
1933 | } // namespace
1934 |
1935 | CertVerifyProcBuiltinResultDebugData::CertVerifyProcBuiltinResultDebugData(
1936 | diff --git a/net/cert/cert_verify_proc_mac.cc b/net/cert/cert_verify_proc_mac.cc
1937 | index cd989623b4153..caa1ed76ceb1a 100644
1938 | --- a/net/cert/cert_verify_proc_mac.cc
1939 | +++ b/net/cert/cert_verify_proc_mac.cc
1940 | @@ -5,7 +5,13 @@
1941 | #include "net/cert/cert_verify_proc_mac.h"
1942 |
1943 | #include
1944 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
1945 | +#include
1946 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
1947 | #include
1948 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
1949 | +#include
1950 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
1951 | #include
1952 |
1953 | #include
1954 | @@ -16,6 +22,9 @@
1955 | #include "base/mac/mac_logging.h"
1956 | #include "base/mac/mac_util.h"
1957 | #include "base/mac/scoped_cftyperef.h"
1958 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
1959 | +#include "base/notreached.h"
1960 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
1961 | #include "base/strings/string_piece.h"
1962 | #include "base/synchronization/lock.h"
1963 | #include "crypto/mac_security_services_lock.h"
1964 |
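Review bot: The stubbed `CertVerifyProcBuiltin::VerifyInternal()` carries no explanation of why a pure-virtual override is now unreachable. Add a comment above it such as `// Not called: CertVerifyProc::Verify() always enters through VerifyInternalWithDomesticAnchors(). Returns an error so a stray call fails closed.`. Returning `ERR_UNEXPECTED` is the right direction for a verifier, because a build where `NOTREACHED()` compiles out still rejects the certificate rather than accepting it.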
@@ -25,6 +34,9 @@
1965 | #include "net/cert/asn1_util.h"
1966 | #include "net/cert/cert_status_flags.h"
1967 | #include "net/cert/cert_verifier.h"
1968 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
1969 | +#include "net/cert/cert_verify_proc.h"
1970 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
1971 | #include "net/cert/cert_verify_result.h"
1972 | #include "net/cert/crl_set.h"
1973 | #include "net/cert/ct_serialization.h"
1974 | @@ -568,6 +580,9 @@ int BuildAndEvaluateSecTrustRef(CFArrayRef cert_array,
1975 | CFArrayRef sct_array_ref,
1976 | int flags,
1977 | CFArrayRef keychain_search_list,
1978 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
1979 | + const CertificateList& domestic_trust_anchors,
1980 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
1981 | ScopedCFTypeRef* trust_ref,
1982 | SecTrustResultType* trust_result,
1983 | ScopedCFTypeRef* verified_chain,
1984 | 
@@ -585,6 +600,32 @@ int BuildAndEvaluateSecTrustRef(CFArrayRef cert_array,
1985 | return NetErrorFromOSStatus(status);
1986 | }
1987 | 
1988 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
1989 | + if (!domestic_trust_anchors.empty()) {
1990 | + base::ScopedCFTypeRef temporary_roots(
1991 | + CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks));
1992 | +
1993 | + for (const auto& root : domestic_trust_anchors) {
1994 | + base::ScopedCFTypeRef os_cert(
1995 | + x509_util::CreateSecCertificateFromX509Certificate(root.get()));
1996 | + if (!os_cert)
1997 | + continue;
1998 | +
1999 | + CFArrayAppendValue(temporary_roots, os_cert.get());
2000 | + }
2001 | + if (CFArrayGetCount(temporary_roots)) {
2002 | + OSStatus status =
2003 | + SecTrustSetAnchorCertificates(tmp_trust, temporary_roots);
2004 | + if (status)
2005 | + return NetErrorFromOSStatus(status);
2006 | + // Trust system store in addition to trusting |temporary_roots|.
2007 | + status = SecTrustSetAnchorCertificatesOnly(tmp_trust, false);
2008 | + if (status)
2009 | + return NetErrorFromOSStatus(status);
2010 | + }
2011 | + }
2012 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2013 | +
2014 | if (keychain_search_list) {
2015 | status = SecTrustSetKeychains(tmp_trust, keychain_search_list);
2016 | if (status)
2017 | @@ -693,6 +734,9 @@ int VerifyWithGivenFlags(X509Certificate* cert,
2018 | const int flags,
2019 | bool rev_checking_soft_fail,
2020 | CRLSet* crl_set,
2021 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2022 | + const CertificateList& domestic_trust_anchors,
2023 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2024 | CertVerifyResult* verify_result,
2025 | CRLSetResult* completed_chain_crl_result);
2026 | ScopedCFTypeRef trust_policies;
2027 | 
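Review bot: In the first hunk, `OSStatus status = SecTrustSetAnchorCertificates(tmp_trust, temporary_roots);` declares a new `status` that shadows the one the surrounding code uses just before and just after the added block; drop the type so it reads `status = SecTrustSetAnchorCertificates(tmp_trust, temporary_roots);`. A root for which `CreateSecCertificateFromX509Certificate` returns null is dropped by the bare `continue` with no log, and the result of `CFArrayCreateMutable` reaches `CFArrayAppendValue` without a null check. The anchors are installed on the trust object for the whole evaluation alongside the system store, so any host restriction has to come from the caller, and a comment should say that. BuildAndEvaluateSecTrustRef's body starts and ends outside the hunk.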
@@ -872,8 +916,10 @@ int VerifyWithGivenFlags(X509Certificate* cert,
2028 | int rv = BuildAndEvaluateSecTrustRef(
2029 | cert_array, trust_policies, ocsp_response_ref.get(),
2030 | sct_array_ref.get(), flags,
2031 | - scoped_alternate_keychain_search_list.get(), &temp_ref,
2032 | - &temp_trust_result, &temp_chain, &temp_chain_info);
2033 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2034 | + scoped_alternate_keychain_search_list.get(), domestic_trust_anchors,
2035 | + &temp_ref, &temp_trust_result, &temp_chain, &temp_chain_info);
2036 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2037 | if (rv != OK)
2038 | return rv;
2039 | 
2040 | @@ -1115,7 +1161,9 @@ bool CertVerifyProcMac::SupportsAdditionalTrustAnchors() const {
2041 | return false;
2042 | }
2043 | 
2044 | -int CertVerifyProcMac::VerifyInternal(
2045 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2046 | +int CertVerifyProcMac::VerifyInternalWithDomesticAnchors(
2047 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2048 | X509Certificate* cert,
2049 | const std::string& hostname,
2050 | const std::string& ocsp_response,
2051 | @@ -1124,7 +1172,10 @@ int CertVerifyProcMac::VerifyInternal(
2052 | CRLSet* crl_set,
2053 | const CertificateList& additional_trust_anchors,
2054 | CertVerifyResult* verify_result,
2055 | - const NetLogWithSource& net_log) {
2056 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2057 | + const NetLogWithSource& net_log,
2058 | + const CertificateList& domestic_trust_anchors) {
2059 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2060 | // Save the input state of |*verify_result|, which may be needed to re-do
2061 | // verification with different flags.
2062 | const CertVerifyResult input_verify_result(*verify_result);
2063 | 
@@ -1136,7 +1187,10 @@ int CertVerifyProcMac::VerifyInternal(
2064 | CRLSetResult completed_chain_crl_result;
2065 | int rv = VerifyWithGivenFlags(cert, hostname, ocsp_response, sct_list, flags,
2066 | /*rev_checking_soft_fail=*/true, crl_set,
2067 | - verify_result, &completed_chain_crl_result);
2068 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2069 | + domestic_trust_anchors, verify_result,
2070 | + &completed_chain_crl_result);
2071 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2072 | if (rv != OK)
2073 | return rv;
2074 | 
2075 | @@ -1158,8 +1212,10 @@ int CertVerifyProcMac::VerifyInternal(
2076 | int tmp_rv = VerifyWithGivenFlags(
2077 | verify_result->verified_cert.get(), hostname, ocsp_response, sct_list,
2078 | flags | VERIFY_REV_CHECKING_ENABLED,
2079 | - /*rev_checking_soft_fail=*/false, crl_set, &ev_verify_result,
2080 | - &completed_chain_crl_result);
2081 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2082 | + /*rev_checking_soft_fail=*/false, crl_set, domestic_trust_anchors,
2083 | + &ev_verify_result, &completed_chain_crl_result);
2084 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2085 | if (tmp_rv == OK) {
2086 | // If EV re-verification succeeded, mark as EV and return those results.
2087 | *verify_result = ev_verify_result;
2088 | 
@@ -1189,6 +1245,21 @@ int CertVerifyProcMac::VerifyInternal(
2089 | return OK;
2090 | }
2091 | 
2092 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2093 | +int CertVerifyProcMac::VerifyInternal(
2094 | + X509Certificate* cert,
2095 | + const std::string& hostname,
2096 | + const std::string& ocsp_response,
2097 | + const std::string& sct_list,
2098 | + int flags,
2099 | + CRLSet* crl_set,
2100 | + const CertificateList& additional_trust_anchors,
2101 | + CertVerifyResult* verify_result,
2102 | + const NetLogWithSource& net_log) {
2103 | + NOTREACHED();
2104 | + return ERR_UNEXPECTED;
2105 | +}
2106 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2107 | } // namespace net
2108 | 
2109 | #pragma clang diagnostic pop // "-Wdeprecated-declarations"
2110 | diff --git a/net/cert/cert_verify_proc_mac.h b/net/cert/cert_verify_proc_mac.h
2111 | index 84ea532464f31..d52b312012332 100644
2112 | --- a/net/cert/cert_verify_proc_mac.h
2113 | +++ b/net/cert/cert_verify_proc_mac.h
2114 | @@ -81,6 +81,20 @@ class NET_EXPORT CertVerifyProcMac : public CertVerifyProc {
2115 | const CertificateList& additional_trust_anchors,
2116 | CertVerifyResult* verify_result,
2117 | const NetLogWithSource& net_log) override;
2118 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2119 | +
2120 | + int VerifyInternalWithDomesticAnchors(
2121 | + X509Certificate* cert,
2122 | + const std::string& hostname,
2123 | + const std::string& ocsp_response,
2124 | + const std::string& sct_list,
2125 | + int flags,
2126 | + CRLSet* crl_set,
2127 | + const CertificateList& additional_trust_anchors,
2128 | + CertVerifyResult* verify_result,
2129 | + const NetLogWithSource& net_log,
2130 | + const CertificateList& domestic_trust_anchors) override;
2131 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2132 | };
2133 | 
2134 | } // namespace net
2135 | 
diff --git a/net/cert/cert_verify_proc_win.cc b/net/cert/cert_verify_proc_win.cc
2136 | index 1c7341856843b..bc79b2d4ecc59 100644
2137 | --- a/net/cert/cert_verify_proc_win.cc
2138 | +++ b/net/cert/cert_verify_proc_win.cc
2139 | @@ -12,6 +12,9 @@
2140 | #include "base/memory/free_deleter.h"
2141 | #include "base/metrics/histogram_macros.h"
2142 | #include "base/no_destructor.h"
2143 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2144 | +#include "base/notreached.h"
2145 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2146 | #include "base/strings/string_util.h"
2147 | #include "base/strings/utf_string_conversions.h"
2148 | #include "base/synchronization/lock.h"
2149 | @@ -19,11 +22,17 @@
2150 | #include "base/threading/thread_local.h"
2151 | #include "base/threading/thread_task_runner_handle.h"
2152 | #include "base/win/registry.h"
2153 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2154 | +#include "base/win/win_util.h"
2155 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2156 | #include "base/win/windows_version.h"
2157 | #include "crypto/capi_util.h"
2158 | #include "crypto/scoped_capi_types.h"
2159 | #include "crypto/sha2.h"
2160 | #include "net/base/net_errors.h"
2161 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2162 | +#include "net/base/url_util.h"
2163 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2164 | #include "net/cert/asn1_util.h"
2165 | #include "net/cert/cert_status_flags.h"
2166 | #include "net/cert/cert_verifier.h"
2167 | 
@@ -35,6 +44,9 @@
2168 | #include "net/cert/test_root_certs.h"
2169 | #include "net/cert/x509_certificate.h"
2170 | #include "net/cert/x509_util_win.h"
2171 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2172 | +#include "third_party/boringssl/src/include/openssl/pool.h"
2173 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2174 | 
2175 | #if !defined(CERT_TRUST_HAS_WEAK_SIGNATURE)
2176 | // This was introduced in Windows 8 / Windows Server 2012, but retroactively
2177 | 
@@ -1018,6 +1030,95 @@ void AuthRootVersionChecker::UpdateAuthRootVersion() {
2178 | base::Time::FromFileTime(ctl_context->pCtlInfo->ThisUpdate);
2179 | }
2180 | 
2181 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2182 | +BOOL WINAPI InterceptedOpenStoreW(LPCSTR store_provider,
2183 | + DWORD encoding,
2184 | + HCRYPTPROV crypt_provider,
2185 | + DWORD flags,
2186 | + const void* extra,
2187 | + HCERTSTORE memory_store,
2188 | + PCERT_STORE_PROV_INFO store_info);
2189 | +
2190 | +class RootCertInjector {
2191 | + public:
2192 | + HCERTSTORE* GetRootCerts() { return thread_local_root_certs_.Get(); }
2193 | + void SetRootCerts(HCERTSTORE* config) {
2194 | + thread_local_root_certs_.Set(config);
2195 | + }
2196 | +
2197 | + PFN_CERT_DLL_OPEN_STORE_PROV_FUNC original_function() {
2198 | + return original_function_;
2199 | + }
2200 | +
2201 | + private:
2202 | + friend struct base::LazyInstanceTraitsBase;
2203 | +
2204 | + RootCertInjector() {
2205 | + // Unused as we are leaky
2206 | + HCRYPTOIDFUNCADDR original_handle;
2207 | +
2208 | + auto* registered_functions =
2209 | + CryptInitOIDFunctionSet(CRYPT_OID_OPEN_STORE_PROV_FUNC, 0);
2210 | +
2211 | + BOOL ok = CryptGetOIDFunctionAddress(
2212 | + registered_functions, 0, CERT_STORE_PROV_SYSTEM_W, 0,
2213 | + reinterpret_cast(&original_function_), &original_handle);
2214 | + DCHECK(ok);
2215 | +
2216 | + const CRYPT_OID_FUNC_ENTRY kInterceptFunction[] = {
2217 | + {CERT_STORE_PROV_SYSTEM_W,
2218 | + reinterpret_cast(&InterceptedOpenStoreW)},
2219 | + };
2220 | + CryptInstallOIDFunctionAddress(nullptr, 0, CRYPT_OID_OPEN_STORE_PROV_FUNC,
2221 | + base::size(kInterceptFunction),
2222 | + kInterceptFunction,
2223 | + CRYPT_INSTALL_OID_FUNC_BEFORE_FLAG);
2224 | + }
2225 | + ~RootCertInjector() = default;
2226 | +
2227 | + PFN_CERT_DLL_OPEN_STORE_PROV_FUNC original_function_;
2228 | + base::ThreadLocalPointer thread_local_root_certs_;
2229 | +};
2230 | +
2231 | +base::LazyInstance::Leaky g_root_cert_injector = 
2232 | + LAZY_INSTANCE_INITIALIZER;
2233 | +
2234 | +BOOL WINAPI InterceptedOpenStoreW(LPCSTR store_provider,
2235 | + DWORD encoding,
2236 | + HCRYPTPROV crypt_provider,
2237 | + DWORD flags,
2238 | + const void* store_name,
2239 | + HCERTSTORE memory_store,
2240 | + PCERT_STORE_PROV_INFO store_info) {
2241 | + uintptr_t store_as_uintptr = reinterpret_cast(store_provider);
2242 | + if (store_as_uintptr > 0xFFFF || store_provider != CERT_STORE_PROV_SYSTEM_W ||
2243 | + !g_root_cert_injector.Get().original_function())
2244 | + return FALSE;
2245 | +
2246 | + BOOL ok = g_root_cert_injector.Get().original_function()(
2247 | + store_provider, encoding, crypt_provider, flags, store_name, memory_store,
2248 | + store_info);
2249 | +
2250 | + if (!ok || !g_root_cert_injector.Get().GetRootCerts() ||
2251 | + (flags & CERT_SYSTEM_STORE_RELOCATE_FLAG) ||
2252 | + lstrcmpiW(reinterpret_cast(store_name), L"root"))
2253 | + return ok;
2254 | +
2255 | + return CertAddStoreToCollection(
2256 | + memory_store, *g_root_cert_injector.Get().GetRootCerts(), 0, 0);
2257 | +}
2258 | +
2259 | +class ScopedThreadLocalRootCerts {
2260 | + public:
2261 | + explicit ScopedThreadLocalRootCerts(HCERTSTORE* certs) {
2262 | + g_root_cert_injector.Get().SetRootCerts(certs);
2263 | + }
2264 | + ~ScopedThreadLocalRootCerts() {
2265 | + g_root_cert_injector.Get().SetRootCerts(nullptr);
2266 | + }
2267 | +};
2268 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2269 | +
2270 | } // namespace
2271 | 
2272 | CertVerifyProcWin::ResultDebugData::ResultDebugData(
2273 | 
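Review bot: `RootCertInjector`'s constructor checks the result of `CryptGetOIDFunctionAddress` only with `DCHECK(ok)`, and `original_function_` has no initializer, yet `InterceptedOpenStoreW` relies on `!original_function()` to detect a failed lookup. Give the member a default, `PFN_CERT_DLL_OPEN_STORE_PROV_FUNC original_function_ = nullptr;`, and skip the `CryptInstallOIDFunctionAddress` call when `ok` is false, because with the hook installed and no original function the hook returns FALSE for every `CERT_STORE_PROV_SYSTEM_W` open it is asked to handle. The return value of `CryptInstallOIDFunctionAddress` is ignored as well. The hook is installed for the whole process and only the thread-local pointer decides which callers get the extra roots merged into the "root" store. A class comment should state that, and also that the pointer set through `ScopedThreadLocalRootCerts` must stay valid for every store open on that thread.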
@@ -1063,7 +1164,9 @@ bool CertVerifyProcWin::SupportsAdditionalTrustAnchors() const {
2274 | return false;
2275 | }
2276 | 
2277 | -int CertVerifyProcWin::VerifyInternal(
2278 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2279 | +int CertVerifyProcWin::VerifyInternalWithDomesticAnchors(
2280 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2281 | X509Certificate* cert,
2282 | const std::string& hostname,
2283 | const std::string& ocsp_response,
2284 | 
@@ -1072,11 +1175,38 @@ int CertVerifyProcWin::VerifyInternal(
2285 | CRLSet* crl_set,
2286 | const CertificateList& additional_trust_anchors,
2287 | CertVerifyResult* verify_result,
2288 | - const NetLogWithSource& net_log) {
2289 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2290 | + const NetLogWithSource& net_log,
2291 | + const CertificateList& domestic_trust_anchors) {
2292 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2293 | // Ensure the Revocation Provider has been installed and configured for this
2294 | // CRLSet.
2295 | ScopedThreadLocalCRLSet thread_local_crlset(crl_set);
2296 | 
2297 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2298 | + crypto::ScopedHCERTSTORE root_cert_store;
2299 | +
2300 | + if (!domestic_trust_anchors.empty()) {
2301 | + root_cert_store.reset(
2302 | + CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL,
2303 | + CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG, nullptr));
2304 | +
2305 | + for (const auto& root : domestic_trust_anchors) {
2306 | + CertAddEncodedCertificateToStore(
2307 | + root_cert_store.get(), X509_ASN_ENCODING,
2308 | + CRYPTO_BUFFER_data(root->cert_buffer()),
2309 | + base::checked_cast(CRYPTO_BUFFER_len(root->cert_buffer())),
2310 | + CERT_STORE_ADD_NEW, nullptr);
2311 | + }
2312 | + }
2313 | +
2314 | + HCERTSTORE root_cert_store_handle = root_cert_store.get();
2315 | + absl::optional thread_local_root_certs;
2316 | + if (root_cert_store_handle) {
2317 | + thread_local_root_certs.emplace(&root_cert_store_handle);
2318 | + }
2319 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2320 | +
2321 | crypto::ScopedPCCERT_CONTEXT cert_list =
2322 | x509_util::CreateCertContextWithChain(
2323 | cert, x509_util::InvalidIntermediateBehavior::kIgnore);
2324 | 
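Review bot: The result of `CertOpenStore` is not checked before the loop, so on failure `CertAddEncodedCertificateToStore` is called with a null store for each root, and the return value of every add is discarded too. Guard the loop with `if (root_cert_store.get())` and record a failed add, so that a missing domestic anchor shows up as something more specific than an unexplained untrusted-authority result. `NULL` and `nullptr` appear in the same `CertOpenStore` argument list; use `nullptr` for both. `thread_local_root_certs` stores the address of the local `root_cert_store_handle`, so the two declarations must keep this order and scope, which deserves a one-line comment. The function body continues outside the hunk.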
@@ -1155,6 +1285,20 @@ int CertVerifyProcWin::VerifyInternal(
2325 | if (TestRootCerts::HasInstance())
2326 | chain_engine = TestRootCerts::GetInstance()->GetChainEngine();
2327 | 
2328 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2329 | + if (root_cert_store.get()) {
2330 | + static constexpr DWORD kSizeofCertChainEngineConfig =
2331 | + SIZEOF_STRUCT_WITH_SPECIFIED_LAST_MEMBER(CERT_CHAIN_ENGINE_CONFIG,
2332 | + hExclusiveTrustedPeople);
2333 | + CERT_CHAIN_ENGINE_CONFIG engine_config = {kSizeofCertChainEngineConfig};
2334 | + engine_config.dwFlags =
2335 | + CERT_CHAIN_ENABLE_CACHE_AUTO_UPDATE | CERT_CHAIN_ENABLE_SHARE_STORE;
2336 | + CertCreateCertificateChainEngine(
2337 | + &engine_config,
2338 | + crypto::ScopedHCERTCHAINENGINE::Receiver(chain_engine).get());
2339 | + }
2340 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2341 | +
2342 | // Add stapled OCSP response data, which will be preferred over online checks
2343 | // and used when in cache-only mode.
2344 | if (!ocsp_response.empty()) {
2345 | @@ -1384,4 +1528,20 @@ int CertVerifyProcWin::VerifyInternal(
2346 | return OK;
2347 | }
2348 | 
2349 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2350 | +int CertVerifyProcWin::VerifyInternal(
2351 | + X509Certificate* cert,
2352 | + const std::string& hostname,
2353 | + const std::string& ocsp_response,
2354 | + const std::string& sct_list,
2355 | + int flags,
2356 | + CRLSet* crl_set,
2357 | + const CertificateList& additional_trust_anchors,
2358 | + CertVerifyResult* verify_result,
2359 | + const NetLogWithSource& net_log) {
2360 | + NOTREACHED();
2361 | + return ERR_UNEXPECTED;
2362 | +}
2363 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2364 | +
2365 | } // namespace net
2366 | diff --git a/net/cert/cert_verify_proc_win.h b/net/cert/cert_verify_proc_win.h
2367 | index d79c788b6cde0..08aa3e9e4e2aa 100644
2368 | --- a/net/cert/cert_verify_proc_win.h
2369 | 
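Review bot: In the first hunk the return value of `CertCreateCertificateChainEngine` is ignored, and the call writes through `Receiver(chain_engine)` right after the context lines assign the `TestRootCerts` engine to `chain_engine`, so with domestic anchors present the test engine appears to be replaced. Check the result, for example `if (!CertCreateCertificateChainEngine(...)) return ERR_FAILED;` or a documented fallback to the previous engine, and state in a comment which engine wins when both are configured. A new engine is built for every verification that carries domestic anchors; if that is deliberate, presumably so the root store is opened again through the installed hook, the comment should say so. VerifyInternalWithDomesticAnchors continues outside the hunk.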
+++ b/net/cert/cert_verify_proc_win.h
2370 | @@ -74,6 +74,20 @@ class NET_EXPORT CertVerifyProcWin : public CertVerifyProc {
2371 | const CertificateList& additional_trust_anchors,
2372 | CertVerifyResult* verify_result,
2373 | const NetLogWithSource& net_log) override;
2374 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2375 | +
2376 | + int VerifyInternalWithDomesticAnchors(
2377 | + X509Certificate* cert,
2378 | + const std::string& hostname,
2379 | + const std::string& ocsp_response,
2380 | + const std::string& sct_list,
2381 | + int flags,
2382 | + CRLSet* crl_set,
2383 | + const CertificateList& additional_trust_anchors,
2384 | + CertVerifyResult* verify_result,
2385 | + const NetLogWithSource& net_log,
2386 | + const CertificateList& domestic_trust_anchors) override;
2387 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2388 | };
2389 | 
2390 | } // namespace net
2391 | diff --git a/net/test/embedded_test_server/embedded_test_server.cc b/net/test/embedded_test_server/embedded_test_server.cc
2392 | index 01233b6c48eb3..4d6accfcd5c2f 100644
2393 | --- a/net/test/embedded_test_server/embedded_test_server.cc
2394 | +++ b/net/test/embedded_test_server/embedded_test_server.cc
2395 | @@ -414,6 +414,14 @@ bool EmbeddedTestServer::GenerateCertAndKey() {
2396 | std::unique_ptr static_root = CertBuilder::FromStaticCertFile(
2397 | certs_dir.AppendASCII("root_ca_cert.pem"));
2398 | 
2399 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2400 | + if (cert_config_.generate_root_cert) {
2401 | + static_root = std::make_unique(
2402 | + static_root->GetX509Certificate()->cert_buffer(), nullptr);
2403 | + generated_root_cert_ = static_root->GetX509Certificate();
2404 | + }
2405 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2406 | +
2407 | auto now = base::Time::Now();
2408 | // Will be nullptr if cert_config_.intermediate == kNone.
2409 | std::unique_ptr intermediate;
2410 | 
diff --git a/net/test/embedded_test_server/embedded_test_server.h b/net/test/embedded_test_server/embedded_test_server.h
2411 | index 7716d2be736a9..fd3034debd754 100644
2412 | --- a/net/test/embedded_test_server/embedded_test_server.h
2413 | +++ b/net/test/embedded_test_server/embedded_test_server.h
2414 | @@ -16,6 +16,9 @@
2415 | #include "base/files/file_path.h"
2416 | #include "base/memory/raw_ptr.h"
2417 | #include "base/memory/ref_counted.h"
2418 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2419 | +#include "base/memory/scoped_refptr.h"
2420 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2421 | #include "base/memory/weak_ptr.h"
2422 | #include "base/strings/string_piece.h"
2423 | #include "base/threading/thread.h"
2424 | @@ -278,6 +281,11 @@ class EmbeddedTestServer {
2425 | // intermediate, and if so, how it is delivered to the client.
2426 | IntermediateType intermediate = IntermediateType::kNone;
2427 | 
2428 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2429 | + // Generate unique root cert with random public key
2430 | + bool generate_root_cert;
2431 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2432 | +
2433 | // Configure OCSP handling.
2434 | // Note: In the current implementation the AIA request handler does not
2435 | // actually parse the OCSP request (a different OCSP URL is used for each
2436 | 
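Review bot: `bool generate_root_cert;` in the second hunk has no default member initializer, unlike `IntermediateType intermediate = IntermediateType::kNone;` directly above it, and `GenerateCertAndKey()` in embedded_test_server.cc reads it unconditionally. Unless every constructor of the config struct sets the field, which is not visible here, a default-constructed config reads an indeterminate value and tests may or may not get a generated root. Write `bool generate_root_cert = false;`. The field comment could also mention that the generated root is the one returned by `GetGeneratedRootCertificate()`.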
@@ -439,6 +447,13 @@ class EmbeddedTestServer {
2437 | // InitializeAndListen() has been called.
2438 | scoped_refptr GetCertificate();
2439 | 
2440 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2441 | + // Returns generated root certificate if exists
2442 | + scoped_refptr GetGeneratedRootCertificate() {
2443 | + return generated_root_cert_;
2444 | + }
2445 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2446 | +
2447 | // Registers request handler which serves files from |directory|.
2448 | // For instance, a request to "/foo.html" is served by "foo.html" under
2449 | // |directory|. Files under sub directories are also handled in the same way
2450 | @@ -594,6 +609,10 @@ class EmbeddedTestServer {
2451 | base::flat_map alps_accept_ch_;
2452 | std::unique_ptr context_;
2453 | 
2454 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2455 | + scoped_refptr generated_root_cert_;
2456 | +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2457 | +
2458 | // HTTP server that handles AIA URLs that are embedded in this test server's
2459 | // certificate when the server certificate is one of the CERT_AUTO variants.
2460 | std::unique_ptr aia_http_server_;
2461 | diff --git a/services/network/network_service.cc b/services/network/network_service.cc
2462 | index cc578c6cde2a8..dec82aadcdd10 100644
2463 | --- a/services/network/network_service.cc
2464 | +++ b/services/network/network_service.cc
2465 | 
@@ -713,9 +713,92 @@ void NetworkService::ConfigureSCTAuditing(
2466 | sct_auditing_cache_->Configure(std::move(configuration));
2467 | }
2468 | 
2469 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2470 | +namespace {
2471 | +
2472 | +struct DomesticCTLogInfo {
2473 | + // The DER-encoded SubjectPublicKeyInfo for the log. Note that this is not
2474 | + // the same as a "log ID": a log ID is the SHA-256 hash of this value.
2475 | + const char* const log_key;
2476 | + // The length, in bytes, of |log_key|.
2477 | + const size_t log_key_length;
2478 | + // The user-friendly log name.
2479 | + // Note: This will not be translated.
2480 | + const char* const log_name;
2481 | + // The current operator of the log.
2482 | + const char* const current_operator;
2483 | +};
2484 | +
2485 | +constexpr DomesticCTLogInfo kDomesticCTLogList[] = {
2486 | + {"\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86"
2487 | + "\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x25\x2f\xce\x36\x0e\x5e\xe1"
2488 | + "\x73\xa5\x87\xf8\x51\x6d\x7c\x0f\x21\x8e\xa5\x70\x07\x15\x75\x67\x2f"
2489 | + "\x32\x25\x50\xfa\x8e\xeb\xec\x9a\xaf\x62\x58\x9f\x5d\x06\xee\x9d\x93"
2490 | + "\xac\x84\xfa\x3d\x0f\x6d\xb0\x6b\x98\x5a\x22\x35\x23\x59\x2e\x17\xa6"
2491 | + "\x2f\x1a\xb9\xec\x15\xa7",
2492 | + 91, "Yandex Agate-2022 log", "Yandex"},
2493 | + {"\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86"
2494 | + "\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x87\x18\xcb\x63\xdc\xc1\x41"
2495 | + "\x99\x39\x56\x6c\xa3\x29\xdf\xc4\x8f\xa2\x9f\x04\xb3\x44\xd8\xe2\xa7"
2496 | + "\x77\xe2\xdd\xc9\x72\x2c\x6b\x59\x0f\x91\x7a\xb2\x56\x52\xd6\x11\xf4"
2497 | + "\x04\xed\xb6\x12\x64\xeb\x76\x51\x76\x2c\x71\x1b\x15\x14\xec\xaa\xc7"
2498 | + "\x01\x98\x53\x4c\xa3\x07",
2499 | + 91, "Yandex Agate-2023 log", "Yandex"},
2500 | + {"\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86"
2501 | + "\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x2e\x68\x15\xf8\x74\x2e\xbc"
2502 | + 
"\xcb\x3b\x31\x82\x83\xd5\x04\xbe\x67\xd0\x3c\x26\xae\xf6\x39\x16\xf4"
2503 | + "\x2a\x27\x17\x0d\xbb\x4f\xa3\x30\xbc\xab\x72\xff\xab\x83\x73\xf7\x70"
2504 | + "\x59\x75\x51\x18\xa2\x86\x3c\x82\xf1\x95\x13\x18\x70\xb9\xa5\xaf\x58"
2505 | + "\x43\x7b\x28\x4e\x7b\x14",
2506 | + 91, "VK 'NCA2022' Log", "VK LLC"},
2507 | + {"\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86"
2508 | + "\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x52\x27\x57\xe0\x40\x7a\x19"
2509 | + "\xd8\x06\xa1\x00\xb4\xbb\x55\x4e\xa2\x46\x8b\x87\xb7\x1f\x37\xae\x82"
2510 | + "\x4d\x9f\xf3\x2d\xcf\x5b\xae\xda\x69\x13\xd2\xcd\x37\x24\x59\xf4\xc5"
2511 | + "\xe5\xf9\x84\xea\x43\xf6\x31\x36\x2f\xc2\x91\x77\xdb\x57\xdc\x4c\x0b"
2512 | + "\x8b\x55\x28\xdf\xff\x9e",
2513 | + 91, "VK 'NCA2023' Log", "VK LLC"},
2514 | + {"\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86"
2515 | + "\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xc6\xae\x96\xa7\x66\x26\x2c"
2516 | + "\xd0\x21\x68\xce\x43\x92\x83\xeb\xd0\xae\x97\x6b\xb9\x97\xf5\xca\xb4"
2517 | + "\xae\x6f\x3b\x34\x65\xf6\xe8\x1b\x69\x50\xc8\xa6\x83\x0b\x96\x04\xb1"
2518 | + "\x66\xd0\x89\x83\xd9\xd8\x0e\xec\x97\x59\x24\x98\x3a\x4f\xda\x86\xf4"
2519 | + "\x4a\x8e\x5a\x0d\x68\xda",
2520 | + 91, "VK 'NCA2024' Log", "VK LLC"},
2521 | + {"\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86"
2522 | + "\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x0f\x86\x86\x59\xc1\x88\x6c"
2523 | + "\x1b\x9b\xd9\x79\x0b\x20\xff\xa6\x0b\xfa\x81\xe4\x6c\x97\x01\xc7\xcf"
2524 | + "\x52\x95\xe6\x99\xd5\x06\x41\x38\xd9\x9e\xc9\x36\xe8\xb0\x16\xa2\xb7"
2525 | + "\x85\xe1\x36\xae\x11\x8e\x63\x7f\x31\x67\xd3\xb0\x05\x58\x06\x9d\x36"
2526 | + "\xf6\x46\xfd\xf1\xa4\x50",
2527 | + 91, "The Ministry of Digital Development and Communications '2022' Log",
2528 | + "The Ministry of Digital Development and Communications"},
2529 | + {"\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86"
2530 | + 
"\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x32\xbb\xca\x32\x91\x99\x83"
2531 | + "\x34\xbc\x19\x67\x26\x55\x99\x93\x09\x37\x37\xe7\x79\x59\x9a\x51\x76"
2532 | + "\x6d\x3e\x91\xc4\x23\x6f\xb5\xa5\x57\xd0\xf9\x39\xcc\xaa\x89\x69\x2f"
2533 | + "\x18\x52\xe5\x7e\xf5\x78\x55\x00\x9d\x44\x89\x78\x75\x2e\x81\xe7\xc8"
2534 | + "\x62\x53\x8b\x71\xac\x95",
2535 | + 91, "The Ministry of Digital Development and Communications '2023' Log",
2536 | + "The Ministry of Digital Development and Communications"}};
2537 | +
2538 | +} // namespace
2539 | +// Copyright 2017 The Chromium Authors. All rights reserved.
2540 | +
2541 | void NetworkService::UpdateCtLogList(std::vector log_list,
2542 | base::Time update_time,
2543 | UpdateCtLogListCallback callback) {
2544 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2545 | + for (const auto& entry : kDomesticCTLogList) {
2546 | + auto log_list_entry = mojom::CTLogInfo::New();
2547 | + log_list_entry->public_key =
2548 | + std::string(entry.log_key, entry.log_key_length);
2549 | + log_list_entry->name = entry.log_name;
2550 | + log_list_entry->current_operator = entry.current_operator;
2551 | + log_list.push_back(std::move(log_list_entry));
2552 | + }
2553 | +// Copyright 2017 The Chromium Authors. All rights reserved.
2554 | +
2555 | log_list_ = std::move(log_list);
2556 | ct_log_list_update_time_ = update_time;
2557 | 
2558 | diff --git a/services/network/network_service_unittest.cc b/services/network/network_service_unittest.cc
2559 | index 67563bd04ced0..a57d56665431d 100644
2560 | --- a/services/network/network_service_unittest.cc
2561 | +++ b/services/network/network_service_unittest.cc
2562 | 
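Review bot: `UpdateCtLogList` appends all seven `kDomesticCTLogList` entries to the caller's `log_list` on every update, so they land in `log_list_` with nothing to distinguish them from the logs the caller supplied. Whether SCTs from these logs can count toward CT compliance for certificates that do not chain to a domestic root is decided outside this hunk; if they are meant to apply only to domestic chains, state that in a comment here and enforce it where the list is consumed. Only `public_key`, `name` and `current_operator` are set, so every other `CTLogInfo` field keeps its default; if that is intended, a comment such as `// Compiled-in domestic logs; remaining CTLogInfo fields are intentionally left at their defaults.` would record it. The literal `91` repeated in each entry could be derived from the string with `sizeof(key) - 1`, so that key and length cannot drift apart.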
@@ -9,6 +9,9 @@
2563 | 
2564 | #include "base/base64.h"
2565 | #include "base/bind.h"
2566 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2567 | +#include "base/callback_helpers.h"
2568 | +// Copyright 2017 The Chromium Authors. All rights reserved.
2569 | #include "base/command_line.h"
2570 | #include "base/containers/span.h"
2571 | #include "base/files/file_util.h"
2572 | @@ -982,6 +985,30 @@ TEST_F(NetworkServiceTest, DisableCTEnforcement) {
2573 | new_network_context.url_request_context()->transport_security_state();
2574 | EXPECT_TRUE(transport_security_state->is_ct_emergency_disabled_for_testing());
2575 | }
2576 | +// Copyright (C) 2022. YANDEX,LLC. All rights reserved.
2577 | +
2578 | +TEST_F(NetworkServiceTest, DomesticRoots) {
2579 | + service()->UpdateCtLogList({}, base::Time::Now(), base::DoNothing());
2580 | + bool has_yandex = false;
2581 | + bool has_vk = false;
2582 | + bool has_ministry = false;
2583 | + for (const auto& log : service()->log_list()) {
2584 | + if (log->current_operator == "Yandex") {
2585 | + has_yandex = true;
2586 | + }
2587 | + if (log->current_operator == "VK LLC") {
2588 | + has_vk = true;
2589 | + }
2590 | + if (log->current_operator ==
2591 | + "The Ministry of Digital Development and Communications") {
2592 | + has_ministry = true;
2593 | + }
2594 | + }
2595 | + EXPECT_TRUE(has_yandex);
2596 | + EXPECT_TRUE(has_vk);
2597 | + EXPECT_TRUE(has_ministry);
2598 | +}
2599 | +// Copyright 2017 The Chromium Authors. All rights reserved.
2600 | #endif // BUILDFLAG(IS_CT_SUPPORTED)
2601 | 
2602 | class NetworkServiceTestWithService : public testing::Test {
2603 | --------------------------------------------------------------------------------
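Review bot: `TEST_F(NetworkServiceTest, DomesticRoots)` in the second hunk asserts only that each operator string occurs at least once, so it would still pass if an entry carried a wrong `log_key_length` or if some of the seven compiled-in logs were missing. Add `EXPECT_EQ(91u, log->public_key.size());` inside the loop and `EXPECT_EQ(7u, service()->log_list().size());` after it. The test exercises the CT log list rather than root certificates, so a name such as `DomesticCtLogs` would describe it better.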