Bug 1715142 - convert pinning to use a static pref r=rmf
This patch converts the pinning preference "security.cert_pinning.enforcement_level" to be static. It also removes some unused pinning preferences and parameters. Differential Revision: https://phabricator.services.mozilla.com/D117095
This commit is contained in:
parent
eba562c428
commit
50526906b2
@ -10581,6 +10581,13 @@
|
||||
value: false
|
||||
mirror: always
|
||||
|
||||
# Disable preloaded static key pins by default.
|
||||
- name: security.cert_pinning.enforcement_level
|
||||
type: ReleaseAcquireAtomicUint32
|
||||
value: 0
|
||||
mirror: always
|
||||
do_not_use_directly: true
|
||||
|
||||
#---------------------------------------------------------------------------
|
||||
# Prefs starting with "slider."
|
||||
#---------------------------------------------------------------------------
|
||||
|
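Review bot: The new pref entry's comment says only `# Disable preloaded static key pins by default.`, while the values it accepts are defined solely by the `PinningMode` enum this commit adds to PublicKeyPinningService.cpp, so the two can drift apart silently. Document the mapping beside the pref, e.g. `# 0: disabled, 1: enforce only for chains rooted in built-in roots, 2: strict, 3: also enforce preloads marked test-mode; any other value is treated as 0`, which is what `GetPinningMode()` and `ChainHasValidPins` implement. The `do_not_use_directly: true` flag is appropriate here since the raw uint32 must go through that range check before use.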
@ -156,11 +156,6 @@ pref("security.webauth.webauthn_enable_softtoken", false);
|
||||
pref("security.xfocsp.errorReporting.enabled", true);
|
||||
pref("security.xfocsp.errorReporting.automatic", false);
|
||||
|
||||
// Impose a maximum age on HPKP headers, to avoid sites getting permanently
|
||||
// blacking themselves out by setting a bad pin. (60 days by default)
|
||||
// https://tools.ietf.org/html/rfc7469#section-4.1
|
||||
pref("security.cert_pinning.max_max_age_seconds", 5184000);
|
||||
|
||||
// 0: Disable CRLite entirely
|
||||
// 1: Enable and check revocations via CRLite, but only collect telemetry
|
||||
// 2: Enable and enforce revocations via CRLite
|
||||
@ -2168,22 +2163,6 @@ pref("security.ssl.enable_ocsp_must_staple", true);
|
||||
pref("security.insecure_field_warning.contextual.enabled", false);
|
||||
pref("security.insecure_field_warning.ignore_local_ip_address", true);
|
||||
|
||||
// Disable pinning checks by default.
|
||||
pref("security.cert_pinning.enforcement_level", 0);
|
||||
// Do not process hpkp headers rooted by not built in roots by default.
|
||||
// This is to prevent accidental pinning from MITM devices and is used
|
||||
// for tests.
|
||||
pref("security.cert_pinning.process_headers_from_non_builtin_roots", false);
|
||||
|
||||
// Controls whether or not HPKP (the HTTP Public Key Pinning header) is enabled.
|
||||
// If true, the header is processed and collected HPKP information is consulted
|
||||
// when looking for pinning information.
|
||||
// If false, the header is not processed and collected HPKP information is not
|
||||
// consulted when looking for pinning information. Preloaded pins are not
|
||||
// affected by this preference.
|
||||
// Default: false
|
||||
pref("security.cert_pinning.hpkp.enabled", false);
|
||||
|
||||
// Remote settings preferences
|
||||
// Note: if you change this, make sure to also review security.onecrl.maximum_staleness_in_seconds
|
||||
pref("services.settings.poll_interval", 86400); // 24H
|
||||
|
@ -258,7 +258,6 @@ static const char* gCallbackSecurityPrefs[] = {
|
||||
"security.ssl.enable_ocsp_stapling",
|
||||
"security.ssl.enable_ocsp_must_staple",
|
||||
"security.pki.certificate_transparency.mode",
|
||||
"security.cert_pinning.enforcement_level",
|
||||
"security.pki.name_matching_mode",
|
||||
nullptr,
|
||||
};
|
||||
@ -405,7 +404,6 @@ void nsIOService::OnTLSPrefChange(const char* aPref, void* aSelf) {
|
||||
} else if (pref.EqualsLiteral("security.ssl.enable_ocsp_stapling") ||
|
||||
pref.EqualsLiteral("security.ssl.enable_ocsp_must_staple") ||
|
||||
pref.EqualsLiteral("security.pki.certificate_transparency.mode") ||
|
||||
pref.EqualsLiteral("security.cert_pinning.enforcement_level") ||
|
||||
pref.EqualsLiteral("security.pki.name_matching_mode")) {
|
||||
SetValidationOptionsCommon();
|
||||
}
|
||||
|
@ -88,8 +88,7 @@ void CertificateTransparencyInfo::Reset() {
|
||||
CertVerifier::CertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc,
|
||||
mozilla::TimeDuration ocspTimeoutSoft,
|
||||
mozilla::TimeDuration ocspTimeoutHard,
|
||||
uint32_t certShortLifetimeInDays,
|
||||
PinningMode pinningMode, SHA1Mode sha1Mode,
|
||||
uint32_t certShortLifetimeInDays, SHA1Mode sha1Mode,
|
||||
BRNameMatchingPolicy::Mode nameMatchingMode,
|
||||
NetscapeStepUpPolicy netscapeStepUpPolicy,
|
||||
CertificateTransparencyMode ctMode,
|
||||
@ -101,7 +100,6 @@ CertVerifier::CertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc,
|
||||
mOCSPTimeoutSoft(ocspTimeoutSoft),
|
||||
mOCSPTimeoutHard(ocspTimeoutHard),
|
||||
mCertShortLifetimeInDays(certShortLifetimeInDays),
|
||||
mPinningMode(pinningMode),
|
||||
mSHA1Mode(sha1Mode),
|
||||
mNameMatchingMode(nameMatchingMode),
|
||||
mNetscapeStepUpPolicy(netscapeStepUpPolicy),
|
||||
@ -564,9 +562,9 @@ Result CertVerifier::VerifyCert(
|
||||
// just use trustEmail as it is the closest alternative.
|
||||
NSSCertDBTrustDomain trustDomain(
|
||||
trustEmail, defaultOCSPFetching, mOCSPCache, pinArg, mOCSPTimeoutSoft,
|
||||
mOCSPTimeoutHard, mCertShortLifetimeInDays, pinningDisabled,
|
||||
MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff,
|
||||
SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, mCRLiteMode,
|
||||
mOCSPTimeoutHard, mCertShortLifetimeInDays, MIN_RSA_BITS_WEAK,
|
||||
ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed,
|
||||
NetscapeStepUpPolicy::NeverMatch, mCRLiteMode,
|
||||
mCRLiteCTMergeDelaySeconds, originAttributes, mThirdPartyRootInputs,
|
||||
mThirdPartyIntermediateInputs, extraCertificates, builtChain, nullptr,
|
||||
nullptr);
|
||||
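Review bot: The trust domains that used to pass an explicit `pinningDisabled` (this hunk and the -790, -805 and -830 hunks) now rely entirely on the trailing `nullptr` hostname argument to keep pinning out of the verification, because the new guard in NSSCertDBTrustDomain::IsChainValid is just `if (mHostname)`. That is correct, but the coupling is invisible at these call sites; a comment on the final `nullptr);` line such as `// No hostname: IsChainValid skips key pinning for this usage.` would record why no pinning configuration is needed here. VerifyCert starts and ends outside the hunk.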
@ -637,10 +635,10 @@ Result CertVerifier::VerifyCert(
|
||||
|
||||
NSSCertDBTrustDomain trustDomain(
|
||||
trustSSL, evOCSPFetching, mOCSPCache, pinArg, mOCSPTimeoutSoft,
|
||||
mOCSPTimeoutHard, mCertShortLifetimeInDays, mPinningMode,
|
||||
MIN_RSA_BITS, ValidityCheckingMode::CheckForEV,
|
||||
sha1ModeConfigurations[i], mNetscapeStepUpPolicy, mCRLiteMode,
|
||||
mCRLiteCTMergeDelaySeconds, originAttributes, mThirdPartyRootInputs,
|
||||
mOCSPTimeoutHard, mCertShortLifetimeInDays, MIN_RSA_BITS,
|
||||
ValidityCheckingMode::CheckForEV, sha1ModeConfigurations[i],
|
||||
mNetscapeStepUpPolicy, mCRLiteMode, mCRLiteCTMergeDelaySeconds,
|
||||
originAttributes, mThirdPartyRootInputs,
|
||||
mThirdPartyIntermediateInputs, extraCertificates, builtChain,
|
||||
pinningTelemetryInfo, hostname);
|
||||
rv = BuildCertChainForOneKeyUsage(
|
||||
@ -720,12 +718,11 @@ Result CertVerifier::VerifyCert(
|
||||
NSSCertDBTrustDomain trustDomain(
|
||||
trustSSL, defaultOCSPFetching, mOCSPCache, pinArg,
|
||||
mOCSPTimeoutSoft, mOCSPTimeoutHard, mCertShortLifetimeInDays,
|
||||
mPinningMode, keySizeOptions[i],
|
||||
ValidityCheckingMode::CheckingOff, sha1ModeConfigurations[j],
|
||||
mNetscapeStepUpPolicy, mCRLiteMode, mCRLiteCTMergeDelaySeconds,
|
||||
originAttributes, mThirdPartyRootInputs,
|
||||
mThirdPartyIntermediateInputs, extraCertificates, builtChain,
|
||||
pinningTelemetryInfo, hostname);
|
||||
keySizeOptions[i], ValidityCheckingMode::CheckingOff,
|
||||
sha1ModeConfigurations[j], mNetscapeStepUpPolicy, mCRLiteMode,
|
||||
mCRLiteCTMergeDelaySeconds, originAttributes,
|
||||
mThirdPartyRootInputs, mThirdPartyIntermediateInputs,
|
||||
extraCertificates, builtChain, pinningTelemetryInfo, hostname);
|
||||
rv = BuildCertChainForOneKeyUsage(
|
||||
trustDomain, certDER, time,
|
||||
KeyUsage::digitalSignature, //(EC)DHE
|
||||
@ -790,10 +787,10 @@ Result CertVerifier::VerifyCert(
|
||||
case certificateUsageSSLCA: {
|
||||
NSSCertDBTrustDomain trustDomain(
|
||||
trustSSL, defaultOCSPFetching, mOCSPCache, pinArg, mOCSPTimeoutSoft,
|
||||
mOCSPTimeoutHard, mCertShortLifetimeInDays, pinningDisabled,
|
||||
MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff,
|
||||
SHA1Mode::Allowed, mNetscapeStepUpPolicy, mCRLiteMode,
|
||||
mCRLiteCTMergeDelaySeconds, originAttributes, mThirdPartyRootInputs,
|
||||
mOCSPTimeoutHard, mCertShortLifetimeInDays, MIN_RSA_BITS_WEAK,
|
||||
ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed,
|
||||
mNetscapeStepUpPolicy, mCRLiteMode, mCRLiteCTMergeDelaySeconds,
|
||||
originAttributes, mThirdPartyRootInputs,
|
||||
mThirdPartyIntermediateInputs, extraCertificates, builtChain, nullptr,
|
||||
nullptr);
|
||||
rv = BuildCertChain(trustDomain, certDER, time, EndEntityOrCA::MustBeCA,
|
||||
@ -805,9 +802,9 @@ Result CertVerifier::VerifyCert(
|
||||
case certificateUsageEmailSigner: {
|
||||
NSSCertDBTrustDomain trustDomain(
|
||||
trustEmail, defaultOCSPFetching, mOCSPCache, pinArg, mOCSPTimeoutSoft,
|
||||
mOCSPTimeoutHard, mCertShortLifetimeInDays, pinningDisabled,
|
||||
MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff,
|
||||
SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, mCRLiteMode,
|
||||
mOCSPTimeoutHard, mCertShortLifetimeInDays, MIN_RSA_BITS_WEAK,
|
||||
ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed,
|
||||
NetscapeStepUpPolicy::NeverMatch, mCRLiteMode,
|
||||
mCRLiteCTMergeDelaySeconds, originAttributes, mThirdPartyRootInputs,
|
||||
mThirdPartyIntermediateInputs, extraCertificates, builtChain, nullptr,
|
||||
nullptr);
|
||||
@ -830,9 +827,9 @@ Result CertVerifier::VerifyCert(
|
||||
// based on the result of the verification(s).
|
||||
NSSCertDBTrustDomain trustDomain(
|
||||
trustEmail, defaultOCSPFetching, mOCSPCache, pinArg, mOCSPTimeoutSoft,
|
||||
mOCSPTimeoutHard, mCertShortLifetimeInDays, pinningDisabled,
|
||||
MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff,
|
||||
SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, mCRLiteMode,
|
||||
mOCSPTimeoutHard, mCertShortLifetimeInDays, MIN_RSA_BITS_WEAK,
|
||||
ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed,
|
||||
NetscapeStepUpPolicy::NeverMatch, mCRLiteMode,
|
||||
mCRLiteCTMergeDelaySeconds, originAttributes, mThirdPartyRootInputs,
|
||||
mThirdPartyIntermediateInputs, extraCertificates, builtChain, nullptr,
|
||||
nullptr);
|
||||
|
@ -195,13 +195,6 @@ class CertVerifier {
|
||||
/*optional out*/ CertificateTransparencyInfo* ctInfo = nullptr,
|
||||
/*optional out*/ bool* isBuiltCertChainRootBuiltInRoot = nullptr);
|
||||
|
||||
enum PinningMode {
|
||||
pinningDisabled = 0,
|
||||
pinningAllowUserCAMITM = 1,
|
||||
pinningStrict = 2,
|
||||
pinningEnforceTestMode = 3
|
||||
};
|
||||
|
||||
enum class SHA1Mode {
|
||||
Allowed = 0,
|
||||
Forbidden = 1,
|
||||
@ -224,8 +217,8 @@ class CertVerifier {
|
||||
CertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc,
|
||||
mozilla::TimeDuration ocspTimeoutSoft,
|
||||
mozilla::TimeDuration ocspTimeoutHard,
|
||||
uint32_t certShortLifetimeInDays, PinningMode pinningMode,
|
||||
SHA1Mode sha1Mode, BRNameMatchingPolicy::Mode nameMatchingMode,
|
||||
uint32_t certShortLifetimeInDays, SHA1Mode sha1Mode,
|
||||
BRNameMatchingPolicy::Mode nameMatchingMode,
|
||||
NetscapeStepUpPolicy netscapeStepUpPolicy,
|
||||
CertificateTransparencyMode ctMode, CRLiteMode crliteMode,
|
||||
uint64_t crliteCTMergeDelaySeconds,
|
||||
@ -239,7 +232,6 @@ class CertVerifier {
|
||||
const mozilla::TimeDuration mOCSPTimeoutSoft;
|
||||
const mozilla::TimeDuration mOCSPTimeoutHard;
|
||||
const uint32_t mCertShortLifetimeInDays;
|
||||
const PinningMode mPinningMode;
|
||||
const SHA1Mode mSHA1Mode;
|
||||
const BRNameMatchingPolicy::Mode mNameMatchingMode;
|
||||
const NetscapeStepUpPolicy mNetscapeStepUpPolicy;
|
||||
@ -276,9 +268,9 @@ class CertVerifier {
|
||||
};
|
||||
|
||||
mozilla::pkix::Result IsCertBuiltInRoot(CERTCertificate* cert, bool& result);
|
||||
mozilla::pkix::Result CertListContainsExpectedKeys(
|
||||
const CERTCertList* certList, const char* hostname,
|
||||
mozilla::pkix::Time time, CertVerifier::PinningMode pinningMode);
|
||||
mozilla::pkix::Result CertListContainsExpectedKeys(const CERTCertList* certList,
|
||||
const char* hostname,
|
||||
mozilla::pkix::Time time);
|
||||
|
||||
} // namespace psm
|
||||
} // namespace mozilla
|
||||
|
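Review bot: `CertListContainsExpectedKeys` loses its `pinningMode` parameter in this hunk, but no hunk for its definition appears on this page; if the definition lives in CertVerifier.cpp it needs the matching change (a mismatch would fail to link, so this is a completeness check rather than a suspected defect). With `enum PinningMode` removed from the class at -195, the only remaining way to reason about the enforcement level is through PublicKeyPinningService, which is worth a one-line comment near the `CertListContainsExpectedKeys` declaration, e.g. `// Pin enforcement level is read from the static pref inside PublicKeyPinningService.`.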
@ -66,10 +66,9 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(
|
||||
OCSPCache& ocspCache,
|
||||
/*optional but shouldn't be*/ void* pinArg, TimeDuration ocspTimeoutSoft,
|
||||
TimeDuration ocspTimeoutHard, uint32_t certShortLifetimeInDays,
|
||||
CertVerifier::PinningMode pinningMode, unsigned int minRSABits,
|
||||
ValidityCheckingMode validityCheckingMode, CertVerifier::SHA1Mode sha1Mode,
|
||||
NetscapeStepUpPolicy netscapeStepUpPolicy, CRLiteMode crliteMode,
|
||||
uint64_t crliteCTMergeDelaySeconds,
|
||||
unsigned int minRSABits, ValidityCheckingMode validityCheckingMode,
|
||||
CertVerifier::SHA1Mode sha1Mode, NetscapeStepUpPolicy netscapeStepUpPolicy,
|
||||
CRLiteMode crliteMode, uint64_t crliteCTMergeDelaySeconds,
|
||||
const OriginAttributes& originAttributes,
|
||||
const Vector<Input>& thirdPartyRootInputs,
|
||||
const Vector<Input>& thirdPartyIntermediateInputs,
|
||||
@ -84,7 +83,6 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(
|
||||
mOCSPTimeoutSoft(ocspTimeoutSoft),
|
||||
mOCSPTimeoutHard(ocspTimeoutHard),
|
||||
mCertShortLifetimeInDays(certShortLifetimeInDays),
|
||||
mPinningMode(pinningMode),
|
||||
mMinRSABits(minRSABits),
|
||||
mValidityCheckingMode(validityCheckingMode),
|
||||
mSHA1Mode(sha1Mode),
|
||||
@ -1186,16 +1184,9 @@ Result NSSCertDBTrustDomain::IsChainValid(const DERArray& certArray, Time time,
|
||||
if (NS_FAILED(nsrv)) {
|
||||
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
||||
}
|
||||
bool skipPinningChecksBecauseOfMITMMode =
|
||||
(!isBuiltInRoot && mPinningMode == CertVerifier::pinningAllowUserCAMITM);
|
||||
// If mHostname isn't set, we're not verifying in the context of a TLS
|
||||
// handshake, so don't verify HPKP in those cases.
|
||||
if (mHostname && (mPinningMode != CertVerifier::pinningDisabled) &&
|
||||
!skipPinningChecksBecauseOfMITMMode) {
|
||||
bool enforceTestMode =
|
||||
(mPinningMode == CertVerifier::pinningEnforceTestMode);
|
||||
bool chainHasValidPins;
|
||||
|
||||
// handshake, so don't verify key pinning in those cases.
|
||||
if (mHostname) {
|
||||
nsTArray<Span<const uint8_t>> derCertSpanList;
|
||||
size_t numCerts = certArray.GetLength();
|
||||
for (size_t i = numCerts; i > 0; --i) {
|
||||
@ -1206,9 +1197,10 @@ Result NSSCertDBTrustDomain::IsChainValid(const DERArray& certArray, Time time,
|
||||
derCertSpanList.EmplaceBack(der->UnsafeGetData(), der->GetLength());
|
||||
}
|
||||
|
||||
bool chainHasValidPins;
|
||||
nsrv = PublicKeyPinningService::ChainHasValidPins(
|
||||
derCertSpanList, mHostname, time, enforceTestMode, mOriginAttributes,
|
||||
chainHasValidPins, mPinningTelemetryInfo);
|
||||
derCertSpanList, mHostname, time, isBuiltInRoot, chainHasValidPins,
|
||||
mPinningTelemetryInfo);
|
||||
if (NS_FAILED(nsrv)) {
|
||||
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
||||
}
|
||||
|
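Review bot: With the mode check moved into ChainHasValidPins, the `derCertSpanList` loop in the -1186 hunk now runs for every verification that carries a hostname, including the default enforcement level 0 where ChainHasValidPins returns immediately; the spans borrow from `certArray` so the cost is small, but it is now unconditional work per TLS verification and could be avoided by exposing a cheap "is pinning enabled" query from PublicKeyPinningService if profiling shows it matters (hedged, since the mode accessor is file-local there). The surviving comment `// handshake, so don't verify key pinning in those cases.` no longer mentions where the disabled/AllowUserCAMITM handling went; appending `// Enforcement level and built-in-root exemptions are applied inside ChainHasValidPins.` would keep the reader oriented. `isBuiltInRoot`, now passed at -1206, is computed before this hunk; IsChainValid starts and ends outside these hunks.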
@ -128,8 +128,7 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
|
||||
SECTrustType certDBTrustType, OCSPFetching ocspFetching,
|
||||
OCSPCache& ocspCache, void* pinArg, mozilla::TimeDuration ocspTimeoutSoft,
|
||||
mozilla::TimeDuration ocspTimeoutHard, uint32_t certShortLifetimeInDays,
|
||||
CertVerifier::PinningMode pinningMode, unsigned int minRSABits,
|
||||
ValidityCheckingMode validityCheckingMode,
|
||||
unsigned int minRSABits, ValidityCheckingMode validityCheckingMode,
|
||||
CertVerifier::SHA1Mode sha1Mode,
|
||||
NetscapeStepUpPolicy netscapeStepUpPolicy, CRLiteMode crliteMode,
|
||||
uint64_t crliteCTMergeDelaySeconds,
|
||||
@ -247,7 +246,6 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
|
||||
const mozilla::TimeDuration mOCSPTimeoutSoft;
|
||||
const mozilla::TimeDuration mOCSPTimeoutHard;
|
||||
const uint32_t mCertShortLifetimeInDays;
|
||||
CertVerifier::PinningMode mPinningMode;
|
||||
const unsigned int mMinRSABits;
|
||||
ValidityCheckingMode mValidityCheckingMode;
|
||||
CertVerifier::SHA1Mode mSHA1Mode;
|
||||
|
@ -202,34 +202,26 @@ CommonSocketControl::IsAcceptableForHost(const nsACString& hostname,
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
mozilla::psm::CertVerifier::PinningMode pinningMode =
|
||||
mozilla::psm::PublicSSLState()->PinningMode();
|
||||
if (pinningMode != mozilla::psm::CertVerifier::pinningDisabled) {
|
||||
bool chainHasValidPins;
|
||||
bool enforceTestMode =
|
||||
(pinningMode == mozilla::psm::CertVerifier::pinningEnforceTestMode);
|
||||
|
||||
nsTArray<nsTArray<uint8_t>> rawDerCertList;
|
||||
nsTArray<Span<const uint8_t>> derCertSpanList;
|
||||
for (const auto& cert : mSucceededCertChain) {
|
||||
rawDerCertList.EmplaceBack();
|
||||
nsresult nsrv = cert->GetRawDER(rawDerCertList.LastElement());
|
||||
if (NS_FAILED(nsrv)) {
|
||||
return nsrv;
|
||||
}
|
||||
derCertSpanList.EmplaceBack(rawDerCertList.LastElement());
|
||||
}
|
||||
|
||||
nsresult nsrv = mozilla::psm::PublicKeyPinningService::ChainHasValidPins(
|
||||
derCertSpanList, PromiseFlatCString(hostname).BeginReading(), Now(),
|
||||
enforceTestMode, GetOriginAttributes(lock), chainHasValidPins, nullptr);
|
||||
nsTArray<nsTArray<uint8_t>> rawDerCertList;
|
||||
nsTArray<Span<const uint8_t>> derCertSpanList;
|
||||
for (const auto& cert : mSucceededCertChain) {
|
||||
rawDerCertList.EmplaceBack();
|
||||
nsresult nsrv = cert->GetRawDER(rawDerCertList.LastElement());
|
||||
if (NS_FAILED(nsrv)) {
|
||||
return NS_OK;
|
||||
return nsrv;
|
||||
}
|
||||
derCertSpanList.EmplaceBack(rawDerCertList.LastElement());
|
||||
}
|
||||
bool chainHasValidPins;
|
||||
nsresult nsrv = mozilla::psm::PublicKeyPinningService::ChainHasValidPins(
|
||||
derCertSpanList, PromiseFlatCString(hostname).BeginReading(), Now(),
|
||||
mIsBuiltCertChainRootBuiltInRoot, chainHasValidPins, nullptr);
|
||||
if (NS_FAILED(nsrv)) {
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
if (!chainHasValidPins) {
|
||||
return NS_OK;
|
||||
}
|
||||
if (!chainHasValidPins) {
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
// All tests pass
|
||||
|
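Review bot: The full DER chain is now copied via `GetRawDER` into `rawDerCertList` on every IsAcceptableForHost call before ChainHasValidPins can short-circuit on the pinning mode, whereas the removed `pinningDisabled` test skipped that work entirely; this function appears to run per connection-reuse decision, so it is worth confirming the extra allocation is acceptable or checking the mode first. The two failure paths also differ — a `GetRawDER` failure propagates `nsrv`, while a ChainHasValidPins failure returns `NS_OK` without accepting the host — which is pre-existing but now sits at function scope and deserves a comment explaining the asymmetry. `mIsBuiltCertChainRootBuiltInRoot` is presumably populated whenever `mSucceededCertChain` is; confirm it cannot be stale for this socket, since it now decides whether AllowUserCAMITM mode bypasses the pin check. IsAcceptableForHost starts and ends outside the hunk.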
@ -11,6 +11,7 @@
|
||||
#include "mozilla/Casting.h"
|
||||
#include "mozilla/Logging.h"
|
||||
#include "mozilla/Span.h"
|
||||
#include "mozilla/StaticPrefs_security.h"
|
||||
#include "mozilla/Telemetry.h"
|
||||
#include "nsDependentString.h"
|
||||
#include "nsServiceManagerUtils.h"
|
||||
@ -27,6 +28,30 @@ using namespace mozilla::psm;
|
||||
|
||||
LazyLogModule gPublicKeyPinningLog("PublicKeyPinningService");
|
||||
|
||||
enum class PinningMode : uint32_t {
|
||||
Disabled = 0,
|
||||
AllowUserCAMITM = 1,
|
||||
Strict = 2,
|
||||
EnforceTestMode = 3
|
||||
};
|
||||
|
||||
PinningMode GetPinningMode() {
|
||||
PinningMode pinningMode = static_cast<PinningMode>(
|
||||
StaticPrefs::security_cert_pinning_enforcement_level_DoNotUseDirectly());
|
||||
switch (pinningMode) {
|
||||
case PinningMode::Disabled:
|
||||
return PinningMode::Disabled;
|
||||
case PinningMode::AllowUserCAMITM:
|
||||
return PinningMode::AllowUserCAMITM;
|
||||
case PinningMode::Strict:
|
||||
return PinningMode::Strict;
|
||||
case PinningMode::EnforceTestMode:
|
||||
return PinningMode::EnforceTestMode;
|
||||
default:
|
||||
return PinningMode::Disabled;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
Computes in the location specified by base64Out the SHA256 digest
|
||||
of the DER Encoded subject Public Key Info for the given cert
|
||||
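Review bot: `GetPinningMode()` is defined at file scope after `using namespace mozilla::psm;` rather than inside a namespace, so it has external linkage under a very generic name; mark it `static` (or put the enum and function in an anonymous namespace) to keep it local to this translation unit. The switch that returns every enumerator unchanged reads as redundant, but it is what folds out-of-range pref values into `Disabled`, replacing the `if (pinningMode > CertVerifier::pinningEnforceTestMode)` clamp removed from nsNSSComponent.cpp; say so with `// The pref is user-settable: any value outside the enum means Disabled.` above the `switch`. A short comment on the enum would also help, e.g. `// AllowUserCAMITM: skip pins for chains not rooted in a built-in root; EnforceTestMode: also enforce preloads marked test-mode.`, since those semantics are only visible in ChainHasValidPins and HostHasPins further down.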
@ -161,7 +186,6 @@ static void ValidatePinningPreloadList() {
|
||||
// information that is valid for the given host at the given time.
|
||||
static nsresult FindPinningInformation(
|
||||
const char* hostname, mozilla::pkix::Time time,
|
||||
const OriginAttributes& originAttributes,
|
||||
/*out*/ const TransportSecurityPreload*& staticFingerprints) {
|
||||
#ifdef DEBUG
|
||||
ValidatePinningPreloadList();
|
||||
@ -217,7 +241,6 @@ static nsresult FindPinningInformation(
|
||||
static nsresult CheckPinsForHostname(
|
||||
const nsTArray<Span<const uint8_t>>& certList, const char* hostname,
|
||||
bool enforceTestMode, mozilla::pkix::Time time,
|
||||
const OriginAttributes& originAttributes,
|
||||
/*out*/ bool& chainHasValidPins,
|
||||
/*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo) {
|
||||
chainHasValidPins = false;
|
||||
@ -229,8 +252,10 @@ static nsresult CheckPinsForHostname(
|
||||
}
|
||||
|
||||
const TransportSecurityPreload* staticFingerprints = nullptr;
|
||||
nsresult rv = FindPinningInformation(hostname, time, originAttributes,
|
||||
staticFingerprints);
|
||||
nsresult rv = FindPinningInformation(hostname, time, staticFingerprints);
|
||||
if (NS_FAILED(rv)) {
|
||||
return rv;
|
||||
}
|
||||
// If we have no pinning information, the certificate chain trivially
|
||||
// validates with respect to pinning.
|
||||
if (!staticFingerprints) {
|
||||
@ -299,10 +324,16 @@ static nsresult CheckPinsForHostname(
|
||||
|
||||
nsresult PublicKeyPinningService::ChainHasValidPins(
|
||||
const nsTArray<Span<const uint8_t>>& certList, const char* hostname,
|
||||
mozilla::pkix::Time time, bool enforceTestMode,
|
||||
const OriginAttributes& originAttributes,
|
||||
mozilla::pkix::Time time, bool isBuiltInRoot,
|
||||
/*out*/ bool& chainHasValidPins,
|
||||
/*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo) {
|
||||
PinningMode pinningMode(GetPinningMode());
|
||||
if (pinningMode == PinningMode::Disabled ||
|
||||
(!isBuiltInRoot && pinningMode == PinningMode::AllowUserCAMITM)) {
|
||||
chainHasValidPins = true;
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
chainHasValidPins = false;
|
||||
if (certList.IsEmpty()) {
|
||||
return NS_ERROR_INVALID_ARG;
|
||||
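Review bot: The new early return at the top of ChainHasValidPins sets `chainHasValidPins = true` before the `certList.IsEmpty()` and hostname argument checks run, so in Disabled mode (or AllowUserCAMITM with a non-built-in root) a malformed call now succeeds instead of returning `NS_ERROR_INVALID_ARG`. Nothing regresses today because the old callers never reached this function when pinning was off, but the argument validation is cheap and mode-independent, so placing the mode check after `if (certList.IsEmpty()) { return NS_ERROR_INVALID_ARG; }` keeps the contract uniform for all callers. The same ordering question applies to HostHasPins in the -311 hunk, whose disabled-mode `return NS_OK` precedes hostname canonicalization. ChainHasValidPins continues past the hunk.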
@ -311,25 +342,30 @@ nsresult PublicKeyPinningService::ChainHasValidPins(
|
||||
return NS_ERROR_INVALID_ARG;
|
||||
}
|
||||
nsAutoCString canonicalizedHostname(CanonicalizeHostname(hostname));
|
||||
bool enforceTestMode = pinningMode == PinningMode::EnforceTestMode;
|
||||
return CheckPinsForHostname(certList, canonicalizedHostname.get(),
|
||||
enforceTestMode, time, originAttributes,
|
||||
chainHasValidPins, pinningTelemetryInfo);
|
||||
enforceTestMode, time, chainHasValidPins,
|
||||
pinningTelemetryInfo);
|
||||
}
|
||||
|
||||
nsresult PublicKeyPinningService::HostHasPins(
|
||||
const char* hostname, mozilla::pkix::Time time, bool enforceTestMode,
|
||||
const OriginAttributes& originAttributes,
|
||||
/*out*/ bool& hostHasPins) {
|
||||
nsresult PublicKeyPinningService::HostHasPins(const char* hostname,
|
||||
mozilla::pkix::Time time,
|
||||
/*out*/ bool& hostHasPins) {
|
||||
hostHasPins = false;
|
||||
PinningMode pinningMode(GetPinningMode());
|
||||
if (pinningMode == PinningMode::Disabled) {
|
||||
return NS_OK;
|
||||
}
|
||||
nsAutoCString canonicalizedHostname(CanonicalizeHostname(hostname));
|
||||
const TransportSecurityPreload* staticFingerprints = nullptr;
|
||||
nsresult rv = FindPinningInformation(canonicalizedHostname.get(), time,
|
||||
originAttributes, staticFingerprints);
|
||||
staticFingerprints);
|
||||
if (NS_FAILED(rv)) {
|
||||
return rv;
|
||||
}
|
||||
if (staticFingerprints) {
|
||||
hostHasPins = !staticFingerprints->mTestMode || enforceTestMode;
|
||||
hostHasPins = !staticFingerprints->mTestMode ||
|
||||
pinningMode == PinningMode::EnforceTestMode;
|
||||
}
|
||||
return NS_OK;
|
||||
}
|
||||
|
@ -14,12 +14,6 @@
|
||||
#include "mozilla/Span.h"
|
||||
#include "mozpkix/Time.h"
|
||||
|
||||
namespace mozilla {
|
||||
class OriginAttributes;
|
||||
}
|
||||
|
||||
using mozilla::OriginAttributes;
|
||||
|
||||
namespace mozilla {
|
||||
namespace psm {
|
||||
|
||||
@ -36,8 +30,7 @@ class PublicKeyPinningService {
|
||||
*/
|
||||
static nsresult ChainHasValidPins(
|
||||
const nsTArray<Span<const uint8_t>>& certList, const char* hostname,
|
||||
mozilla::pkix::Time time, bool enforceTestMode,
|
||||
const OriginAttributes& originAttributes,
|
||||
mozilla::pkix::Time time, bool isBuiltInRoot,
|
||||
/*out*/ bool& chainHasValidPins,
|
||||
/*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo);
|
||||
|
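Review bot: The ChainHasValidPins doc comment ending at the `*/` just above this hunk still describes the old parameter set; it should now state that `isBuiltInRoot` is consulted only when the enforcement level is AllowUserCAMITM (chains not rooted in a built-in root then skip pin checks) and that when pinning is disabled the function reports `chainHasValidPins = true` without inspecting `certList`. The HostHasPins comment at -47 likewise should say it reports false whenever pinning is disabled and that preloads marked test-mode count only at EnforceTestMode, since callers can no longer pass `enforceTestMode` themselves.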
||||
@ -47,8 +40,6 @@ class PublicKeyPinningService {
|
||||
* otherwise.
|
||||
*/
|
||||
static nsresult HostHasPins(const char* hostname, mozilla::pkix::Time time,
|
||||
bool enforceTestMode,
|
||||
const OriginAttributes& originAttributes,
|
||||
/*out*/ bool& hostHasPins);
|
||||
|
||||
/**
|
||||
|
@ -23,8 +23,7 @@ class SharedCertVerifier : public mozilla::psm::CertVerifier {
|
||||
SharedCertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc,
|
||||
mozilla::TimeDuration ocspSoftTimeout,
|
||||
mozilla::TimeDuration ocspHardTimeout,
|
||||
uint32_t certShortLifetimeInDays, PinningMode pinningMode,
|
||||
SHA1Mode sha1Mode,
|
||||
uint32_t certShortLifetimeInDays, SHA1Mode sha1Mode,
|
||||
BRNameMatchingPolicy::Mode nameMatchingMode,
|
||||
NetscapeStepUpPolicy netscapeStepUpPolicy,
|
||||
CertificateTransparencyMode ctMode, CRLiteMode crliteMode,
|
||||
@ -32,8 +31,8 @@ class SharedCertVerifier : public mozilla::psm::CertVerifier {
|
||||
const Vector<EnterpriseCert>& thirdPartyCerts)
|
||||
: mozilla::psm::CertVerifier(
|
||||
odc, osc, ocspSoftTimeout, ocspHardTimeout, certShortLifetimeInDays,
|
||||
pinningMode, sha1Mode, nameMatchingMode, netscapeStepUpPolicy,
|
||||
ctMode, crliteMode, crliteCTMergeDelaySeconds, thirdPartyCerts) {}
|
||||
sha1Mode, nameMatchingMode, netscapeStepUpPolicy, ctMode,
|
||||
crliteMode, crliteCTMergeDelaySeconds, thirdPartyCerts) {}
|
||||
};
|
||||
|
||||
} // namespace psm
|
||||
|
@ -36,9 +36,6 @@ class SharedSSLState {
|
||||
void SetSignedCertTimestampsEnabled(bool signedCertTimestampsEnabled) {
|
||||
mSignedCertTimestampsEnabled = signedCertTimestampsEnabled;
|
||||
}
|
||||
void SetPinningMode(CertVerifier::PinningMode aPinningMode) {
|
||||
mPinningMode = aPinningMode;
|
||||
}
|
||||
void SetNameMatchingMode(BRNameMatchingPolicy::Mode aMode) {
|
||||
mNameMatchingMode = aMode;
|
||||
}
|
||||
@ -52,7 +49,6 @@ class SharedSSLState {
|
||||
bool IsSignedCertTimestampsEnabled() const {
|
||||
return mSignedCertTimestampsEnabled;
|
||||
}
|
||||
CertVerifier::PinningMode PinningMode() { return mPinningMode; }
|
||||
BRNameMatchingPolicy::Mode NameMatchingMode() { return mNameMatchingMode; }
|
||||
|
||||
private:
|
||||
@ -71,7 +67,6 @@ class SharedSSLState {
|
||||
bool mOCSPStaplingEnabled;
|
||||
bool mOCSPMustStapleEnabled;
|
||||
bool mSignedCertTimestampsEnabled;
|
||||
CertVerifier::PinningMode mPinningMode;
|
||||
BRNameMatchingPolicy::Mode mNameMatchingMode;
|
||||
};
|
||||
|
||||
|
@ -1292,16 +1292,6 @@ void SetValidationOptionsCommon() {
|
||||
PublicSSLState()->SetSignedCertTimestampsEnabled(sctsEnabled);
|
||||
PrivateSSLState()->SetSignedCertTimestampsEnabled(sctsEnabled);
|
||||
|
||||
CertVerifier::PinningMode pinningMode =
|
||||
static_cast<CertVerifier::PinningMode>(
|
||||
Preferences::GetInt("security.cert_pinning.enforcement_level",
|
||||
CertVerifier::pinningDisabled));
|
||||
if (pinningMode > CertVerifier::pinningEnforceTestMode) {
|
||||
pinningMode = CertVerifier::pinningDisabled;
|
||||
}
|
||||
PublicSSLState()->SetPinningMode(pinningMode);
|
||||
PrivateSSLState()->SetPinningMode(pinningMode);
|
||||
|
||||
BRNameMatchingPolicy::Mode nameMatchingMode =
|
||||
static_cast<BRNameMatchingPolicy::Mode>(Preferences::GetInt(
|
||||
"security.pki.name_matching_mode",
|
||||
@ -1508,8 +1498,7 @@ void nsNSSComponent::setValidationOptions(
|
||||
softTimeout, hardTimeout, proofOfLock);
|
||||
|
||||
mDefaultCertVerifier = new SharedCertVerifier(
|
||||
odc, osc, softTimeout, hardTimeout, certShortLifetimeInDays,
|
||||
PublicSSLState()->PinningMode(), sha1Mode,
|
||||
odc, osc, softTimeout, hardTimeout, certShortLifetimeInDays, sha1Mode,
|
||||
PublicSSLState()->NameMatchingMode(), netscapeStepUpPolicy, ctMode,
|
||||
crliteMode, crliteCTMergeDelaySeconds, mEnterpriseCerts);
|
||||
}
|
||||
@ -1527,8 +1516,8 @@ void nsNSSComponent::UpdateCertVerifierWithEnterpriseRoots() {
|
||||
oldCertVerifier->mOCSPStrict ? CertVerifier::ocspStrict
|
||||
: CertVerifier::ocspRelaxed,
|
||||
oldCertVerifier->mOCSPTimeoutSoft, oldCertVerifier->mOCSPTimeoutHard,
|
||||
oldCertVerifier->mCertShortLifetimeInDays, oldCertVerifier->mPinningMode,
|
||||
oldCertVerifier->mSHA1Mode, oldCertVerifier->mNameMatchingMode,
|
||||
oldCertVerifier->mCertShortLifetimeInDays, oldCertVerifier->mSHA1Mode,
|
||||
oldCertVerifier->mNameMatchingMode,
|
||||
oldCertVerifier->mNetscapeStepUpPolicy, oldCertVerifier->mCTMode,
|
||||
oldCertVerifier->mCRLiteMode, oldCertVerifier->mCRLiteCTMergeDelaySeconds,
|
||||
mEnterpriseCerts);
|
||||
@ -2284,8 +2273,6 @@ nsNSSComponent::Observe(nsISupports* aSubject, const char* aTopic,
|
||||
prefName.EqualsLiteral("security.ssl.enable_ocsp_must_staple") ||
|
||||
prefName.EqualsLiteral(
|
||||
"security.pki.certificate_transparency.mode") ||
|
||||
prefName.EqualsLiteral(
|
||||
"security.cert_pinning.enforcement_level") ||
|
||||
prefName.EqualsLiteral("security.pki.sha1_enforcement_level") ||
|
||||
prefName.EqualsLiteral("security.pki.name_matching_mode") ||
|
||||
prefName.EqualsLiteral("security.pki.netscape_step_up_policy") ||
|
||||
|
@ -924,19 +924,8 @@ nsresult nsSiteSecurityService::IsSecureHost(
|
||||
}
|
||||
|
||||
if (aType == nsISiteSecurityService::STATIC_PINNING) {
|
||||
RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
|
||||
if (!certVerifier) {
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
if (certVerifier->mPinningMode ==
|
||||
CertVerifier::PinningMode::pinningDisabled) {
|
||||
return NS_OK;
|
||||
}
|
||||
bool enforceTestMode = certVerifier->mPinningMode ==
|
||||
CertVerifier::PinningMode::pinningEnforceTestMode;
|
||||
return PublicKeyPinningService::HostHasPins(
|
||||
flatHost.get(), mozilla::pkix::Now(), enforceTestMode,
|
||||
aOriginAttributes, *aResult);
|
||||
return PublicKeyPinningService::HostHasPins(flatHost.get(),
|
||||
mozilla::pkix::Now(), *aResult);
|
||||
}
|
||||
|
||||
nsAutoCString host(
|
||||
|
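Review bot: The STATIC_PINNING branch no longer depends on `GetDefaultCertVerifier()`, so a call made before the verifier exists now returns `NS_OK` with `*aResult` derived from the static preload list instead of `NS_ERROR_FAILURE`; that is likely fine because the preload data and the static pref need no NSS state, but any caller that treated the error as "not initialized" should be checked. HostHasPins now writes `false` to `*aResult` itself in the disabled case, which the removed early `return NS_OK` did not do (presumably `*aResult` was initialized earlier in the function — confirm). IsSecureHost continues past the hunk.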