xref: /aosp_15_r20/external/cronet/net/data/ssl/symantec/README.md (revision 6777b5387eb2ff775bb5750e3f5d96f37fb7352b)

# Symantec Certificates

This directory contains the set of known active and legacy root certificates
that were operated by Symantec Corporation. In order for certificates issued
from these roots to be trusted, it is required that they comply with the
policies outlined at <https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html>.

The exceptions to this are:
  * Pre-existing independently operated sub-CAs, whose keys were and are not
    controled by Symantec and which maintain current and appropriate audits.
  * The set of Managed CAs in accordance with the above policies.

In addition to the above, no changes exist from the Certificate Transparency
requirement outlined at <https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html>

## Implementation Details

Policies related to these certificates are based on the hash of the
subjectPublicKeyInfo, rather than of the certificate, and without considering
the Subject Distinguished Name.

The choice of using subjectPublicKeyInfo is two-fold:

* If there are any concerns with the how the key material has been protected,
  those concerns apply to all subject names, not just the known subject names.
  By limiting trust in the SPKI, the underlying issue is addressed. This also
  helps address any concerns with potential cross-signs in the future, as has
  been seen in past CA remediation efforts.
* Simultaneously, if there are no concerns with the SPKI, such as due to being
  on the exclusions list, then we want to ensure ecosystem flexibility in the
  event that the certificates themselves need to be reissued. The most likely
  cause for reissusance of Excluded Sub-CAs may be presumed to be either
  expiration or due to wanting to add additional extensions (such as to reduce
  the scope of issuance). To avoid unduly limiting the ecosystem flexibility
  in the event of those changes, excluding by SPKI allows for some limited
  agility, while being grounded in the objective evaluation of the key and how
  the key material has been operated and protected. In the context of Managed
  CAs, this ensures that additional (effectively cross-signed) versions of the
  Managed Partner Infrastructure can be introduced as needed, while ensuring no
  additional code changes or updates are necessary.

Thus, identifying 'roots' (which may appear anywhere in the chain) by SPKI help
ensure the appropriate restrictions are applied, regardless of cross-signs or
self-signed variations, while identifying 'exclusions' by SPKI helps ensure the
necessary flexibility to respond to ecosystem changes.

## Roots

The full set of roots are in the [roots/](roots/) directory, organized by
SHA-256 hash of the certificate file.

The following command can be used to match certificates and their key hashes:

`` for f in roots/*.pem; do openssl x509 -noout -pubkey -in "${f}" | openssl asn1parse -inform pem -out /tmp/pubkey.out -noout; digest=`cat /tmp/pubkey.out | openssl dgst -sha256 -c | awk -F " " '{print $2}' | sed s/:/,0x/g `; echo "0x${digest} ${f##*/}"; done | sort ``

## Excluded Sub-CAs

### Apple

[WebTrust Audit](https://cert.webtrust.org/ViewSeal?id=1917)
[Certification Practices Statement](http://images.apple.com/certificateauthority/pdf/Apple_IST_CPS_v2.0.pdf)

  * [17f96609ac6ad0a2d6ab0a21b2d1b5b2946bd04dbf120703d1def6fb62f4b661.pem](excluded/17f96609ac6ad0a2d6ab0a21b2d1b5b2946bd04dbf120703d1def6fb62f4b661.pem)
  * [3db76d1dd7d3a759dccc3f8fa7f68675c080cb095e4881063a6b850fdd68b8bc.pem](excluded/3db76d1dd7d3a759dccc3f8fa7f68675c080cb095e4881063a6b850fdd68b8bc.pem)
  * [6115f06a338a649e61585210e76f2ece3989bca65a62b066040cd7c5f408edd0.pem](excluded/6115f06a338a649e61585210e76f2ece3989bca65a62b066040cd7c5f408edd0.pem)
  * [904fb5a437754b1b32b80ebae7416db63d05f56a9939720b7c8e3dcc54f6a3d1.pem](excluded/904fb5a437754b1b32b80ebae7416db63d05f56a9939720b7c8e3dcc54f6a3d1.pem)
  * [ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b.pem](excluded/ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b.pem)
  * [a4fe7c7f15155f3f0aef7aaa83cf6e06deb97ca3f909df920ac1490882d488ed.pem](excluded/a4fe7c7f15155f3f0aef7aaa83cf6e06deb97ca3f909df920ac1490882d488ed.pem)

### DigiCert

[WebTrust Audit](https://cert.webtrust.org/ViewSeal?id=2228)
[Certification Practices Statement](https://www.digicert.com/CPS)

  * [8bb593a93be1d0e8a822bb887c547890c3e706aad2dab76254f97fb36b82fc26.pem](excluded/8bb593a93be1d0e8a822bb887c547890c3e706aad2dab76254f97fb36b82fc26.pem)
  * [b94c198300cec5c057ad0727b70bbe91816992256439a7b32f4598119dda9c97.pem](excluded/b94c198300cec5c057ad0727b70bbe91816992256439a7b32f4598119dda9c97.pem)

### Google

[WebTrust Audit](https://cert.webtrust.org/ViewSeal?id=1941)
[Certification Practices Statement](http://static.googleusercontent.com/media/pki.google.com/en//GIAG2-CPS-1.3.pdf)

  * [c3f697a92a293d86f9a3ee7ccb970e20e0050b8728cc83ed1b996ce9005d4c36.pem](excluded/c3f697a92a293d86f9a3ee7ccb970e20e0050b8728cc83ed1b996ce9005d4c36.pem)

## Excluded Managed CAs

### DigiCert

  * [7cac9a0ff315387750ba8bafdb1c2bc29b3f0bba16362ca93a90f84da2df5f3e.pem](managed/7cac9a0ff315387750ba8bafdb1c2bc29b3f0bba16362ca93a90f84da2df5f3e.pem)
  * [ac50b5fb738aed6cb781cc35fbfff7786f77109ada7c08867c04a573fd5cf9ee.pem](managed/ac50b5fb738aed6cb781cc35fbfff7786f77109ada7c08867c04a573fd5cf9ee.pem)