== Local lookups ==
URL-based lookups for the target URL and its redirect chain happen in the same way as for the published Safe Browsing API. For certificate information lookups, the user-agent generates URLs from the binary's signing information and looks up each resulting URL and its fragments in the same way.
A binary may be signed by multiple certificates. Each certificate may be part of a certificate chain, where the previous link in the chain is the issuer of the current certificate, all the way up to the root certificate. Certificate chain information is extracted with the WinVerifyTrust and WTHelperProvDataFromStateData Windows API functions. In Chrome, this is implemented in SignatureUtil [https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/safe_browsing/signature_util_win.cc]. In Firefox, it is implemented in BackgroundFileSaver.
For each certificate chain, let CN be the common name of the signer (the first certificate of the chain), O the organization name of the signer, and OU the organizational unit of the signer. For each issuer in the certificate chain, starting with the issuer of the signer, construct a whitelist string of the form:
sb-ssl.google.com/safebrowsing/csd/certificate/<issuer_fingerprint>[/CN=<common_name>][/O=<organization_name>][/OU=<organization_unit>]
Thus, for every certificate chain of length n, n-1 whitelist strings are constructed (the signer itself contributes no string; a lone self-signed certificate yields none). In Chrome, certificate whitelist strings are constructed in CertificateChainIsWhitelisted [https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/safe_browsing/download_protection_service.cc&rcl=1392695364&l=703].
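The construction above, as an added worked example that is not Chrome's or Firefox's code. It assumes a minimal hypothetical Cert stand-in for a parsed certificate (the real parsing via WinVerifyTrust is not modelled), assumes the issuer fingerprint is the hex SHA-256 of the issuer's DER encoding (the page does not say which hash is used), and uses a constructed sample chain. It goes slightly beyond the text by handling a binary with several signature chains and a signer that lacks some of CN/O/OU, and by showing the local lookup of the resulting strings against a whitelist set.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


# Hypothetical minimal stand-in for a parsed certificate. "der" is a placeholder
# for the certificate's DER encoding; only the subject attributes the whitelist
# string needs are kept.
@dataclass(frozen=True)
class Cert:
    der: bytes
    cn: Optional[str] = None   # subject common name (CN)
    o: Optional[str] = None    # subject organization (O)
    ou: Optional[str] = None   # subject organizational unit (OU)


WHITELIST_PREFIX = "sb-ssl.google.com/safebrowsing/csd/certificate/"


def issuer_fingerprint(cert: Cert) -> str:
    # Assumption: the fingerprint is the lowercase hex SHA-256 of the DER bytes.
    return hashlib.sha256(cert.der).hexdigest()


def subject_suffix(signer: Cert) -> str:
    # Each bracketed component is appended only when the signer carries it.
    parts = []
    if signer.cn:
        parts.append("/CN=" + signer.cn)
    if signer.o:
        parts.append("/O=" + signer.o)
    if signer.ou:
        parts.append("/OU=" + signer.ou)
    return "".join(parts)


def chain_whitelist_strings(chain: List[Cert]) -> List[str]:
    """chain[0] is the signer, chain[-1] the root. One string per issuer,
    so a chain of length n yields n-1 strings; a lone self-signed cert yields none."""
    if not chain:
        return []
    suffix = subject_suffix(chain[0])
    return [WHITELIST_PREFIX + issuer_fingerprint(issuer) + suffix
            for issuer in chain[1:]]


def binary_whitelist_strings(chains: Iterable[List[Cert]]) -> List[str]:
    """A binary may be signed by several certificates; collect the strings of every chain."""
    out: List[str] = []
    for chain in chains:
        out.extend(chain_whitelist_strings(chain))
    return out


def is_whitelisted(chains: Iterable[List[Cert]], whitelist: Set[str]) -> bool:
    """Local lookup: the binary is whitelisted if any constructed string is in the
    locally held certificate whitelist."""
    return any(s in whitelist for s in binary_whitelist_strings(chains))


# Constructed sample chain (not real certificates): signer -> intermediate -> root.
SIGNER = Cert(der=b"constructed-signer-der",
              cn="Example Software Inc", o="Example Software Inc")  # no OU
INTERMEDIATE = Cert(der=b"constructed-intermediate-der", cn="Example Code Signing CA")
ROOT = Cert(der=b"constructed-root-der", cn="Example Root CA")
SAMPLE_CHAIN = [SIGNER, INTERMEDIATE, ROOT]


if __name__ == "__main__":
    for s in chain_whitelist_strings(SAMPLE_CHAIN):
        print(s)
    # A whitelist entry keyed on the intermediate CA plus the signer's CN and O.
    local_whitelist = {chain_whitelist_strings(SAMPLE_CHAIN)[0]}
    print(is_whitelisted([SAMPLE_CHAIN], local_whitelist))  # True
```

Because the whitelist string is built from the issuer's fingerprint rather than the signer's, an entry can cover every binary a given CA issues to a given subject, which is what makes a whitelist of this shape compact; the matching is exact, so any difference in the subject attributes yields a different string.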
== Remote lookup ==