Bug 1233328 - Part 2: Use SHA-256 StaticFingerprints directly instead of StaticPinset since the SHA-1 StaticFingerprints entry will always be null. draft
authorCykesiopka <cykesiopka.bmo@gmail.com>
Tue, 19 Jan 2016 22:58:07 -0800
changeset 323381 e5f42f7f160d4c8ee7e7659cff99bb56edc19a48
parent 323380 9328dced3612e46a37775b77a1810ba5524a4781
child 513205 408e240a8c47207cc082c22803d982ec5d515491
push id9712
push usercykesiopka.bmo@gmail.com
push dateWed, 20 Jan 2016 06:58:30 +0000
bugs1233328
milestone46.0a1
Bug 1233328 - Part 2: Use SHA-256 StaticFingerprints directly instead of StaticPinset since the SHA-1 StaticFingerprints entry will always be null.
security/manager/ssl/PublicKeyPinningService.cpp
security/manager/ssl/StaticHPKPins.h
security/manager/tools/genHPKPStaticPins.js
--- a/security/manager/ssl/PublicKeyPinningService.cpp
+++ b/security/manager/ssl/PublicKeyPinningService.cpp
@@ -95,29 +95,25 @@ EvalCert(const CERTCertificate* cert, co
 }
 
 /*
  * Sets certListIntersectsPinset to true if a given chain matches any
  * fingerprints from the given pinset or the dynamicFingerprints array, or to
  * false otherwise.
  */
 static nsresult
-EvalChain(const CERTCertList* certList, const StaticPinset* pinset,
+EvalChain(const CERTCertList* certList, const StaticFingerprints* fingerprints,
           const nsTArray<nsCString>* dynamicFingerprints,
   /*out*/ bool& certListIntersectsPinset)
 {
   certListIntersectsPinset = false;
   CERTCertificate* currentCert;
 
-  const StaticFingerprints* fingerprints = nullptr;
-  if (pinset) {
-    fingerprints = pinset->sha256;
-  }
   // This can happen if dynamicFingerprints is null and the static pinset
-  // doesn't have any pins of this hash type.
+  // doesn't have any pins.
   if (!fingerprints && !dynamicFingerprints) {
     return NS_OK;
   }
 
   CERTCertListNode* node;
   for (node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList);
        node = CERT_LIST_NEXT(node)) {
     currentCert = node->cert;
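Review bot: The early return at `if (!fingerprints && !dynamicFingerprints)` hands back NS_OK with certListIntersectsPinset still false, and neither the updated comment nor the function's header comment says that this is the intended result when there is nothing to compare against. Since the static argument is now a bare StaticFingerprints pointer, the header comment's "from the given pinset" should read "from the given static fingerprints", and the comment above the check could state the outcome, e.g. `// Nothing to match against: return NS_OK with certListIntersectsPinset left false.` How callers treat that false is not visible in this hunk, so it is worth confirming they handle it as a non-match rather than as "no pins apply". EvalChain's body continues past the end of the hunk.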
@@ -140,17 +136,17 @@ EvalChain(const CERTCertList* certList, 
 
 /**
  * Given a pinset and certlist, sets certListIntersectsPinset to true if one of
  * the certificates on the list matches a fingerprint in the pinset, or to false
  * otherwise.
  */
 static nsresult
 EvalChainWithPinset(const CERTCertList* certList,
-                    const StaticPinset* pinset,
+                    const StaticFingerprints* pinset,
             /*out*/ bool& certListIntersectsPinset)
 {
   certListIntersectsPinset = false;
   nsresult rv = EvalChain(certList, pinset, nullptr, certListIntersectsPinset);
   if (NS_FAILED(rv)) {
     return rv;
   }
 
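Review bot: The parameter on the changed line is still called `pinset` although its type is now StaticFingerprints, while EvalChain's matching parameter was renamed to `fingerprints` in the same commit. Renaming it here keeps the two signatures parallel: `const StaticFingerprints* fingerprints,` and `EvalChain(certList, fingerprints, nullptr, certListIntersectsPinset);`. The function continues beyond the hunk, so any later use of the name would need the same rename.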
--- a/security/manager/ssl/StaticHPKPins.h
+++ b/security/manager/ssl/StaticHPKPins.h
@@ -352,23 +352,18 @@ static const char kthawte_Primary_Root_C
   "GQbGEk27Q4V40A4GbVBUxsN/D6YCjAVUXgmU7drshik=";
 
 /* Pinsets are each an ordered list by the actual value of the fingerprint */
 struct StaticFingerprints {
   const size_t size;
   const char* const* data;
 };
 
-struct StaticPinset {
-  const StaticFingerprints* sha1;
-  const StaticFingerprints* sha256;
-};
-
 /* PreloadedHPKPins.json pinsets */
-static const char* kPinset_google_root_pems_sha256_Data[] = {
+static const char* kPinset_google_root_pems_Data[] = {
   kEquifax_Secure_CAFingerprint,
   kEntrust_Root_Certification_Authority___EC1Fingerprint,
   kComodo_Trusted_Services_rootFingerprint,
   kCOMODO_ECC_Certification_AuthorityFingerprint,
   kDigiCert_Assured_ID_Root_G2Fingerprint,
   kCOMODO_Certification_AuthorityFingerprint,
   kAddTrust_Low_Value_Services_RootFingerprint,
   kGlobalSign_ECC_Root_CA___R4Fingerprint,
@@ -415,27 +410,22 @@ static const char* kPinset_google_root_p
   kDigiCert_Global_Root_CAFingerprint,
   kDigiCert_Global_Root_G3Fingerprint,
   kGeoTrust_Primary_Certification_Authority___G2Fingerprint,
   kComodo_AAA_Services_rootFingerprint,
   kAffirmTrust_PremiumFingerprint,
   kUSERTrust_RSA_Certification_AuthorityFingerprint,
   kAddTrust_Qualified_Certificates_RootFingerprint,
 };
-static const StaticFingerprints kPinset_google_root_pems_sha256 = {
-  sizeof(kPinset_google_root_pems_sha256_Data) / sizeof(const char*),
-  kPinset_google_root_pems_sha256_Data
+static const StaticFingerprints kPinset_google_root_pems = {
+  sizeof(kPinset_google_root_pems_Data) / sizeof(const char*),
+  kPinset_google_root_pems_Data
 };
 
-static const StaticPinset kPinset_google_root_pems = {
-  nullptr,
-  &kPinset_google_root_pems_sha256
-};
-
-static const char* kPinset_mozilla_sha256_Data[] = {
+static const char* kPinset_mozilla_Data[] = {
   kGeoTrust_Global_CA_2Fingerprint,
   kthawte_Primary_Root_CA___G3Fingerprint,
   kthawte_Primary_Root_CAFingerprint,
   kDigiCert_Assured_ID_Root_CAFingerprint,
   kVerisign_Class_1_Public_Primary_Certification_Authority___G3Fingerprint,
   kVeriSign_Class_3_Public_Primary_Certification_Authority___G5Fingerprint,
   kGeoTrust_Primary_Certification_AuthorityFingerprint,
   kVerisign_Class_3_Public_Primary_Certification_Authority___G3Fingerprint,
@@ -447,101 +437,71 @@ static const char* kPinset_mozilla_sha25
   kGeoTrust_Universal_CA_2Fingerprint,
   kGeoTrust_Global_CAFingerprint,
   kVeriSign_Universal_Root_Certification_AuthorityFingerprint,
   kGeoTrust_Universal_CAFingerprint,
   kGeoTrust_Primary_Certification_Authority___G3Fingerprint,
   kDigiCert_Global_Root_CAFingerprint,
   kGeoTrust_Primary_Certification_Authority___G2Fingerprint,
 };
-static const StaticFingerprints kPinset_mozilla_sha256 = {
-  sizeof(kPinset_mozilla_sha256_Data) / sizeof(const char*),
-  kPinset_mozilla_sha256_Data
+static const StaticFingerprints kPinset_mozilla = {
+  sizeof(kPinset_mozilla_Data) / sizeof(const char*),
+  kPinset_mozilla_Data
 };
 
-static const StaticPinset kPinset_mozilla = {
-  nullptr,
-  &kPinset_mozilla_sha256
-};
-
-static const char* kPinset_mozilla_services_sha256_Data[] = {
+static const char* kPinset_mozilla_services_Data[] = {
   kDigiCert_Global_Root_CAFingerprint,
 };
-static const StaticFingerprints kPinset_mozilla_services_sha256 = {
-  sizeof(kPinset_mozilla_services_sha256_Data) / sizeof(const char*),
-  kPinset_mozilla_services_sha256_Data
-};
-
-static const StaticPinset kPinset_mozilla_services = {
-  nullptr,
-  &kPinset_mozilla_services_sha256
+static const StaticFingerprints kPinset_mozilla_services = {
+  sizeof(kPinset_mozilla_services_Data) / sizeof(const char*),
+  kPinset_mozilla_services_Data
 };
 
-static const char* kPinset_mozilla_test_sha256_Data[] = {
+static const char* kPinset_mozilla_test_Data[] = {
   kEnd_Entity_Test_CertFingerprint,
 };
-static const StaticFingerprints kPinset_mozilla_test_sha256 = {
-  sizeof(kPinset_mozilla_test_sha256_Data) / sizeof(const char*),
-  kPinset_mozilla_test_sha256_Data
-};
-
-static const StaticPinset kPinset_mozilla_test = {
-  nullptr,
-  &kPinset_mozilla_test_sha256
+static const StaticFingerprints kPinset_mozilla_test = {
+  sizeof(kPinset_mozilla_test_Data) / sizeof(const char*),
+  kPinset_mozilla_test_Data
 };
 
 /* Chrome static pinsets */
-static const char* kPinset_test_sha256_Data[] = {
+static const char* kPinset_test_Data[] = {
   kTestSPKIFingerprint,
 };
-static const StaticFingerprints kPinset_test_sha256 = {
-  sizeof(kPinset_test_sha256_Data) / sizeof(const char*),
-  kPinset_test_sha256_Data
+static const StaticFingerprints kPinset_test = {
+  sizeof(kPinset_test_Data) / sizeof(const char*),
+  kPinset_test_Data
 };
 
-static const StaticPinset kPinset_test = {
-  nullptr,
-  &kPinset_test_sha256
-};
-
-static const char* kPinset_google_sha256_Data[] = {
+static const char* kPinset_google_Data[] = {
   kGOOGLE_PIN_GoogleG2Fingerprint,
   kGoogleBackup2048Fingerprint,
   kGeoTrust_Global_CAFingerprint,
 };
-static const StaticFingerprints kPinset_google_sha256 = {
-  sizeof(kPinset_google_sha256_Data) / sizeof(const char*),
-  kPinset_google_sha256_Data
+static const StaticFingerprints kPinset_google = {
+  sizeof(kPinset_google_Data) / sizeof(const char*),
+  kPinset_google_Data
 };
 
-static const StaticPinset kPinset_google = {
-  nullptr,
-  &kPinset_google_sha256
-};
-
-static const char* kPinset_tor_sha256_Data[] = {
+static const char* kPinset_tor_Data[] = {
   kTor3Fingerprint,
   kDigiCert_High_Assurance_EV_Root_CAFingerprint,
   kGOOGLE_PIN_LetsEncryptAuthorityX1Fingerprint,
   kTor1Fingerprint,
   kGOOGLE_PIN_RapidSSLFingerprint,
   kGOOGLE_PIN_LetsEncryptAuthorityX2Fingerprint,
   kTor2Fingerprint,
 };
-static const StaticFingerprints kPinset_tor_sha256 = {
-  sizeof(kPinset_tor_sha256_Data) / sizeof(const char*),
-  kPinset_tor_sha256_Data
+static const StaticFingerprints kPinset_tor = {
+  sizeof(kPinset_tor_Data) / sizeof(const char*),
+  kPinset_tor_Data
 };
 
-static const StaticPinset kPinset_tor = {
-  nullptr,
-  &kPinset_tor_sha256
-};
-
-static const char* kPinset_twitterCom_sha256_Data[] = {
+static const char* kPinset_twitterCom_Data[] = {
   kVerisign_Class_2_Public_Primary_Certification_Authority___G2Fingerprint,
   kVerisign_Class_3_Public_Primary_Certification_Authority___G2Fingerprint,
   kGeoTrust_Global_CA_2Fingerprint,
   kDigiCert_Assured_ID_Root_CAFingerprint,
   kVerisign_Class_1_Public_Primary_Certification_Authority___G3Fingerprint,
   kVeriSign_Class_3_Public_Primary_Certification_Authority___G5Fingerprint,
   kVerisign_Class_1_Public_Primary_Certification_AuthorityFingerprint,
   kGeoTrust_Primary_Certification_AuthorityFingerprint,
@@ -554,27 +514,22 @@ static const char* kPinset_twitterCom_sh
   kGeoTrust_Global_CAFingerprint,
   kVeriSign_Universal_Root_Certification_AuthorityFingerprint,
   kGeoTrust_Universal_CAFingerprint,
   kGeoTrust_Primary_Certification_Authority___G3Fingerprint,
   kDigiCert_Global_Root_CAFingerprint,
   kGeoTrust_Primary_Certification_Authority___G2Fingerprint,
   kTwitter1Fingerprint,
 };
-static const StaticFingerprints kPinset_twitterCom_sha256 = {
-  sizeof(kPinset_twitterCom_sha256_Data) / sizeof(const char*),
-  kPinset_twitterCom_sha256_Data
+static const StaticFingerprints kPinset_twitterCom = {
+  sizeof(kPinset_twitterCom_Data) / sizeof(const char*),
+  kPinset_twitterCom_Data
 };
 
-static const StaticPinset kPinset_twitterCom = {
-  nullptr,
-  &kPinset_twitterCom_sha256
-};
-
-static const char* kPinset_twitterCDN_sha256_Data[] = {
+static const char* kPinset_twitterCDN_Data[] = {
   kVerisign_Class_2_Public_Primary_Certification_Authority___G2Fingerprint,
   kComodo_Trusted_Services_rootFingerprint,
   kCOMODO_Certification_AuthorityFingerprint,
   kVerisign_Class_3_Public_Primary_Certification_Authority___G2Fingerprint,
   kAddTrust_Low_Value_Services_RootFingerprint,
   kUTN_USERFirst_Object_Root_CAFingerprint,
   kGOOGLE_PIN_GTECyberTrustGlobalRootFingerprint,
   kGeoTrust_Global_CA_2Fingerprint,
@@ -608,27 +563,22 @@ static const char* kPinset_twitterCDN_sh
   kGOOGLE_PIN_Entrust_SSLFingerprint,
   kGeoTrust_Primary_Certification_Authority___G3Fingerprint,
   kDigiCert_Global_Root_CAFingerprint,
   kGeoTrust_Primary_Certification_Authority___G2Fingerprint,
   kComodo_AAA_Services_rootFingerprint,
   kTwitter1Fingerprint,
   kAddTrust_Qualified_Certificates_RootFingerprint,
 };
-static const StaticFingerprints kPinset_twitterCDN_sha256 = {
-  sizeof(kPinset_twitterCDN_sha256_Data) / sizeof(const char*),
-  kPinset_twitterCDN_sha256_Data
+static const StaticFingerprints kPinset_twitterCDN = {
+  sizeof(kPinset_twitterCDN_Data) / sizeof(const char*),
+  kPinset_twitterCDN_Data
 };
 
-static const StaticPinset kPinset_twitterCDN = {
-  nullptr,
-  &kPinset_twitterCDN_sha256
-};
-
-static const char* kPinset_dropbox_sha256_Data[] = {
+static const char* kPinset_dropbox_Data[] = {
   kEntrust_Root_Certification_Authority___EC1Fingerprint,
   kGOOGLE_PIN_ThawtePremiumServerFingerprint,
   kthawte_Primary_Root_CA___G3Fingerprint,
   kthawte_Primary_Root_CAFingerprint,
   kEntrust_net_Premium_2048_Secure_Server_CAFingerprint,
   kDigiCert_Assured_ID_Root_CAFingerprint,
   kGo_Daddy_Root_Certificate_Authority___G2Fingerprint,
   kGOOGLE_PIN_GoDaddySecureFingerprint,
@@ -638,93 +588,73 @@ static const char* kPinset_dropbox_sha25
   kthawte_Primary_Root_CA___G2Fingerprint,
   kEntrust_Root_Certification_AuthorityFingerprint,
   kEntrust_Root_Certification_Authority___G2Fingerprint,
   kGeoTrust_Global_CAFingerprint,
   kGeoTrust_Primary_Certification_Authority___G3Fingerprint,
   kDigiCert_Global_Root_CAFingerprint,
   kGeoTrust_Primary_Certification_Authority___G2Fingerprint,
 };
-static const StaticFingerprints kPinset_dropbox_sha256 = {
-  sizeof(kPinset_dropbox_sha256_Data) / sizeof(const char*),
-  kPinset_dropbox_sha256_Data
+static const StaticFingerprints kPinset_dropbox = {
+  sizeof(kPinset_dropbox_Data) / sizeof(const char*),
+  kPinset_dropbox_Data
 };
 
-static const StaticPinset kPinset_dropbox = {
-  nullptr,
-  &kPinset_dropbox_sha256
-};
-
-static const char* kPinset_facebook_sha256_Data[] = {
+static const char* kPinset_facebook_Data[] = {
   kGOOGLE_PIN_DigiCertECCSecureServerCAFingerprint,
   kDigiCert_High_Assurance_EV_Root_CAFingerprint,
   kGOOGLE_PIN_SymantecClass3EVG3Fingerprint,
   kFacebookBackupFingerprint,
 };
-static const StaticFingerprints kPinset_facebook_sha256 = {
-  sizeof(kPinset_facebook_sha256_Data) / sizeof(const char*),
-  kPinset_facebook_sha256_Data
+static const StaticFingerprints kPinset_facebook = {
+  sizeof(kPinset_facebook_Data) / sizeof(const char*),
+  kPinset_facebook_Data
 };
 
-static const StaticPinset kPinset_facebook = {
-  nullptr,
-  &kPinset_facebook_sha256
-};
-
-static const char* kPinset_spideroak_sha256_Data[] = {
+static const char* kPinset_spideroak_Data[] = {
   kSpiderOak2Fingerprint,
   kSpiderOak3Fingerprint,
   kDigiCert_High_Assurance_EV_Root_CAFingerprint,
   kGeoTrust_Global_CAFingerprint,
 };
-static const StaticFingerprints kPinset_spideroak_sha256 = {
-  sizeof(kPinset_spideroak_sha256_Data) / sizeof(const char*),
-  kPinset_spideroak_sha256_Data
+static const StaticFingerprints kPinset_spideroak = {
+  sizeof(kPinset_spideroak_Data) / sizeof(const char*),
+  kPinset_spideroak_Data
 };
 
-static const StaticPinset kPinset_spideroak = {
-  nullptr,
-  &kPinset_spideroak_sha256
-};
-
-static const char* kPinset_yahoo_sha256_Data[] = {
+static const char* kPinset_yahoo_Data[] = {
   kYahooBackup1Fingerprint,
   kVerisign_Class_2_Public_Primary_Certification_Authority___G2Fingerprint,
   kVeriSign_Class_3_Public_Primary_Certification_Authority___G5Fingerprint,
   kGeoTrust_Primary_Certification_AuthorityFingerprint,
   kVerisign_Class_3_Public_Primary_Certification_Authority___G3Fingerprint,
   kVeriSign_Class_3_Public_Primary_Certification_Authority___G4Fingerprint,
   kDigiCert_High_Assurance_EV_Root_CAFingerprint,
   kVerisign_Class_2_Public_Primary_Certification_Authority___G3Fingerprint,
   kYahooBackup2Fingerprint,
   kGeoTrust_Global_CAFingerprint,
   kVeriSign_Universal_Root_Certification_AuthorityFingerprint,
   kGeoTrust_Universal_CAFingerprint,
   kGeoTrust_Primary_Certification_Authority___G3Fingerprint,
   kDigiCert_Global_Root_CAFingerprint,
   kGeoTrust_Primary_Certification_Authority___G2Fingerprint,
 };
-static const StaticFingerprints kPinset_yahoo_sha256 = {
-  sizeof(kPinset_yahoo_sha256_Data) / sizeof(const char*),
-  kPinset_yahoo_sha256_Data
-};
-
-static const StaticPinset kPinset_yahoo = {
-  nullptr,
-  &kPinset_yahoo_sha256
+static const StaticFingerprints kPinset_yahoo = {
+  sizeof(kPinset_yahoo_Data) / sizeof(const char*),
+  kPinset_yahoo_Data
 };
 
 /* Domainlist */
 struct TransportSecurityPreload {
   const char* mHost;
   const bool mIncludeSubdomains;
   const bool mTestMode;
   const bool mIsMoz;
   const int32_t mId;
-  const StaticPinset* pinset;
+  const StaticFingerprints* pinset;
 };
 
 /* Sort hostnames for binary search. */
 static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
   { "2mdn.net", true, false, false, -1, &kPinset_google_root_pems },
   { "accounts.firefox.com", true, false, true, 4, &kPinset_mozilla_services },
   { "accounts.google.com", true, false, false, -1, &kPinset_google_root_pems },
   { "addons.mozilla.net", true, false, true, 2, &kPinset_mozilla },
@@ -1179,9 +1109,9 @@ static const TransportSecurityPreload kP
   { "za.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
   { "zh.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
 };
 
 // Pinning Preload List Length = 454;
 
 static const int32_t kUnknownId = -1;
 
-static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1461412368217000);
+static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1461596756879000);
--- a/security/manager/tools/genHPKPStaticPins.js
+++ b/security/manager/tools/genHPKPStaticPins.js
@@ -48,27 +48,23 @@ const FILE_HEADER = "/* This Source Code
 
 const DOMAINHEADER = "/* Domainlist */\n" +
   "struct TransportSecurityPreload {\n" +
   "  const char* mHost;\n" +
   "  const bool mIncludeSubdomains;\n" +
   "  const bool mTestMode;\n" +
   "  const bool mIsMoz;\n" +
   "  const int32_t mId;\n" +
-  "  const StaticPinset* pinset;\n" +
+  "  const StaticFingerprints* pinset;\n" +
   "};\n\n";
 
 const PINSETDEF = "/* Pinsets are each an ordered list by the actual value of the fingerprint */\n" +
   "struct StaticFingerprints {\n" +
   "  const size_t size;\n" +
   "  const char* const* data;\n" +
-  "};\n\n" +
-  "struct StaticPinset {\n" +
-  "  const StaticFingerprints* sha1;\n" +
-  "  const StaticFingerprints* sha256;\n" +
   "};\n\n";
 
 // Command-line arguments
 var gStaticPins = parseJson(arguments[0]);
 
 // arguments[1] is ignored for now. See bug 1205406.
 
 // Open the output file.
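Review bot: With StaticPinset and the `_sha256` suffixes removed, nothing in the emitted header records which hash the fingerprints use, and the PINSETDEF comment is the natural place to say it. I would extend the generated comment to something like `/* Pinsets are each an ordered list of SHA-256 fingerprints, sorted by the actual value of the fingerprint */`. That way a reader of StaticHPKPins.h, or of the `pinset` field in TransportSecurityPreload, does not have to infer the algorithm from the commit history.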
@@ -453,22 +449,20 @@ function genExpirationTime() {
 
 function writeFullPinset(certNameToSKD, certSKDToName, pinset) {
   let prefix = "kPinset_" + pinset.name;
   if (!pinset.sha256_hashes || pinset.sha256_hashes.length == 0) {
     throw `ERROR: Pinset ${pinset.name} does not contain any hashes.`;
   }
   writeFingerprints(certNameToSKD, certSKDToName, pinset.name,
                     pinset.sha256_hashes);
-  writeString("static const StaticPinset " + prefix + " = {\n" +
-              "  nullptr,\n  &" + prefix + "_sha256\n};\n\n");
 }
 
 function writeFingerprints(certNameToSKD, certSKDToName, name, hashes) {
-  let varPrefix = "kPinset_" + name + "_sha256";
+  let varPrefix = "kPinset_" + name;
   writeString("static const char* " + varPrefix + "_Data[] = {\n");
   let SKDList = [];
   for (let certName of hashes) {
     if (!(certName in certNameToSKD)) {
       throw "Can't find " + certName + " in certNameToSKD";
     }
     SKDList.push(certNameToSKD[certName]);
   }
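Review bot: `let prefix = "kPinset_" + pinset.name;` in writeFullPinset is now unused, because its only use was the removed writeString call; the line can be dropped. After that the function only rejects a pinset whose `sha256_hashes` is missing or empty and forwards to writeFingerprints, so a one-line comment stating that purpose would help, e.g. `// Refuse to emit a pinset with no hashes.` writeFingerprints continues beyond the end of the hunk.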