Bug 1715142 - convert pinning to use a static pref r=rmf

This patch converts the pinning preference
"security.cert_pinning.enforcement_level" to be static. It also removes some
unused pinning preferences and parameters.

Differential Revision: https://phabricator.services.mozilla.com/D117095
This commit is contained in:
Dana Keeler 2021-06-10 22:13:31 +00:00
parent eba562c428
commit 50526906b2
14 changed files with 120 additions and 168 deletions

View File

@ -10581,6 +10581,13 @@
value: false
mirror: always
# Disable preloaded static key pins by default.
- name: security.cert_pinning.enforcement_level
type: ReleaseAcquireAtomicUint32
value: 0
mirror: always
do_not_use_directly: true
#---------------------------------------------------------------------------
# Prefs starting with "slider."
#---------------------------------------------------------------------------

View File

@ -156,11 +156,6 @@ pref("security.webauth.webauthn_enable_softtoken", false);
pref("security.xfocsp.errorReporting.enabled", true);
pref("security.xfocsp.errorReporting.automatic", false);
// Impose a maximum age on HPKP headers, to avoid sites getting permanently
// blacking themselves out by setting a bad pin. (60 days by default)
// https://tools.ietf.org/html/rfc7469#section-4.1
pref("security.cert_pinning.max_max_age_seconds", 5184000);
// 0: Disable CRLite entirely
// 1: Enable and check revocations via CRLite, but only collect telemetry
// 2: Enable and enforce revocations via CRLite
@ -2168,22 +2163,6 @@ pref("security.ssl.enable_ocsp_must_staple", true);
pref("security.insecure_field_warning.contextual.enabled", false);
pref("security.insecure_field_warning.ignore_local_ip_address", true);
// Disable pinning checks by default.
pref("security.cert_pinning.enforcement_level", 0);
// Do not process hpkp headers rooted by not built in roots by default.
// This is to prevent accidental pinning from MITM devices and is used
// for tests.
pref("security.cert_pinning.process_headers_from_non_builtin_roots", false);
// Controls whether or not HPKP (the HTTP Public Key Pinning header) is enabled.
// If true, the header is processed and collected HPKP information is consulted
// when looking for pinning information.
// If false, the header is not processed and collected HPKP information is not
// consulted when looking for pinning information. Preloaded pins are not
// affected by this preference.
// Default: false
pref("security.cert_pinning.hpkp.enabled", false);
// Remote settings preferences
// Note: if you change this, make sure to also review security.onecrl.maximum_staleness_in_seconds
pref("services.settings.poll_interval", 86400); // 24H

View File

@ -258,7 +258,6 @@ static const char* gCallbackSecurityPrefs[] = {
"security.ssl.enable_ocsp_stapling",
"security.ssl.enable_ocsp_must_staple",
"security.pki.certificate_transparency.mode",
"security.cert_pinning.enforcement_level",
"security.pki.name_matching_mode",
nullptr,
};
@ -405,7 +404,6 @@ void nsIOService::OnTLSPrefChange(const char* aPref, void* aSelf) {
} else if (pref.EqualsLiteral("security.ssl.enable_ocsp_stapling") ||
pref.EqualsLiteral("security.ssl.enable_ocsp_must_staple") ||
pref.EqualsLiteral("security.pki.certificate_transparency.mode") ||
pref.EqualsLiteral("security.cert_pinning.enforcement_level") ||
pref.EqualsLiteral("security.pki.name_matching_mode")) {
SetValidationOptionsCommon();
}

View File

@ -88,8 +88,7 @@ void CertificateTransparencyInfo::Reset() {
CertVerifier::CertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc,
mozilla::TimeDuration ocspTimeoutSoft,
mozilla::TimeDuration ocspTimeoutHard,
uint32_t certShortLifetimeInDays,
PinningMode pinningMode, SHA1Mode sha1Mode,
uint32_t certShortLifetimeInDays, SHA1Mode sha1Mode,
BRNameMatchingPolicy::Mode nameMatchingMode,
NetscapeStepUpPolicy netscapeStepUpPolicy,
CertificateTransparencyMode ctMode,
@ -101,7 +100,6 @@ CertVerifier::CertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc,
mOCSPTimeoutSoft(ocspTimeoutSoft),
mOCSPTimeoutHard(ocspTimeoutHard),
mCertShortLifetimeInDays(certShortLifetimeInDays),
mPinningMode(pinningMode),
mSHA1Mode(sha1Mode),
mNameMatchingMode(nameMatchingMode),
mNetscapeStepUpPolicy(netscapeStepUpPolicy),
@ -564,9 +562,9 @@ Result CertVerifier::VerifyCert(
// just use trustEmail as it is the closest alternative.
NSSCertDBTrustDomain trustDomain(
trustEmail, defaultOCSPFetching, mOCSPCache, pinArg, mOCSPTimeoutSoft,
mOCSPTimeoutHard, mCertShortLifetimeInDays, pinningDisabled,
MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, mCRLiteMode,
mOCSPTimeoutHard, mCertShortLifetimeInDays, MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch, mCRLiteMode,
mCRLiteCTMergeDelaySeconds, originAttributes, mThirdPartyRootInputs,
mThirdPartyIntermediateInputs, extraCertificates, builtChain, nullptr,
nullptr);
@ -637,10 +635,10 @@ Result CertVerifier::VerifyCert(
NSSCertDBTrustDomain trustDomain(
trustSSL, evOCSPFetching, mOCSPCache, pinArg, mOCSPTimeoutSoft,
mOCSPTimeoutHard, mCertShortLifetimeInDays, mPinningMode,
MIN_RSA_BITS, ValidityCheckingMode::CheckForEV,
sha1ModeConfigurations[i], mNetscapeStepUpPolicy, mCRLiteMode,
mCRLiteCTMergeDelaySeconds, originAttributes, mThirdPartyRootInputs,
mOCSPTimeoutHard, mCertShortLifetimeInDays, MIN_RSA_BITS,
ValidityCheckingMode::CheckForEV, sha1ModeConfigurations[i],
mNetscapeStepUpPolicy, mCRLiteMode, mCRLiteCTMergeDelaySeconds,
originAttributes, mThirdPartyRootInputs,
mThirdPartyIntermediateInputs, extraCertificates, builtChain,
pinningTelemetryInfo, hostname);
rv = BuildCertChainForOneKeyUsage(
@ -720,12 +718,11 @@ Result CertVerifier::VerifyCert(
NSSCertDBTrustDomain trustDomain(
trustSSL, defaultOCSPFetching, mOCSPCache, pinArg,
mOCSPTimeoutSoft, mOCSPTimeoutHard, mCertShortLifetimeInDays,
mPinningMode, keySizeOptions[i],
ValidityCheckingMode::CheckingOff, sha1ModeConfigurations[j],
mNetscapeStepUpPolicy, mCRLiteMode, mCRLiteCTMergeDelaySeconds,
originAttributes, mThirdPartyRootInputs,
mThirdPartyIntermediateInputs, extraCertificates, builtChain,
pinningTelemetryInfo, hostname);
keySizeOptions[i], ValidityCheckingMode::CheckingOff,
sha1ModeConfigurations[j], mNetscapeStepUpPolicy, mCRLiteMode,
mCRLiteCTMergeDelaySeconds, originAttributes,
mThirdPartyRootInputs, mThirdPartyIntermediateInputs,
extraCertificates, builtChain, pinningTelemetryInfo, hostname);
rv = BuildCertChainForOneKeyUsage(
trustDomain, certDER, time,
KeyUsage::digitalSignature, //(EC)DHE
@ -790,10 +787,10 @@ Result CertVerifier::VerifyCert(
case certificateUsageSSLCA: {
NSSCertDBTrustDomain trustDomain(
trustSSL, defaultOCSPFetching, mOCSPCache, pinArg, mOCSPTimeoutSoft,
mOCSPTimeoutHard, mCertShortLifetimeInDays, pinningDisabled,
MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed, mNetscapeStepUpPolicy, mCRLiteMode,
mCRLiteCTMergeDelaySeconds, originAttributes, mThirdPartyRootInputs,
mOCSPTimeoutHard, mCertShortLifetimeInDays, MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed,
mNetscapeStepUpPolicy, mCRLiteMode, mCRLiteCTMergeDelaySeconds,
originAttributes, mThirdPartyRootInputs,
mThirdPartyIntermediateInputs, extraCertificates, builtChain, nullptr,
nullptr);
rv = BuildCertChain(trustDomain, certDER, time, EndEntityOrCA::MustBeCA,
@ -805,9 +802,9 @@ Result CertVerifier::VerifyCert(
case certificateUsageEmailSigner: {
NSSCertDBTrustDomain trustDomain(
trustEmail, defaultOCSPFetching, mOCSPCache, pinArg, mOCSPTimeoutSoft,
mOCSPTimeoutHard, mCertShortLifetimeInDays, pinningDisabled,
MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, mCRLiteMode,
mOCSPTimeoutHard, mCertShortLifetimeInDays, MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch, mCRLiteMode,
mCRLiteCTMergeDelaySeconds, originAttributes, mThirdPartyRootInputs,
mThirdPartyIntermediateInputs, extraCertificates, builtChain, nullptr,
nullptr);
@ -830,9 +827,9 @@ Result CertVerifier::VerifyCert(
// based on the result of the verification(s).
NSSCertDBTrustDomain trustDomain(
trustEmail, defaultOCSPFetching, mOCSPCache, pinArg, mOCSPTimeoutSoft,
mOCSPTimeoutHard, mCertShortLifetimeInDays, pinningDisabled,
MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, mCRLiteMode,
mOCSPTimeoutHard, mCertShortLifetimeInDays, MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch, mCRLiteMode,
mCRLiteCTMergeDelaySeconds, originAttributes, mThirdPartyRootInputs,
mThirdPartyIntermediateInputs, extraCertificates, builtChain, nullptr,
nullptr);

View File

@ -195,13 +195,6 @@ class CertVerifier {
/*optional out*/ CertificateTransparencyInfo* ctInfo = nullptr,
/*optional out*/ bool* isBuiltCertChainRootBuiltInRoot = nullptr);
enum PinningMode {
pinningDisabled = 0,
pinningAllowUserCAMITM = 1,
pinningStrict = 2,
pinningEnforceTestMode = 3
};
enum class SHA1Mode {
Allowed = 0,
Forbidden = 1,
@ -224,8 +217,8 @@ class CertVerifier {
CertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc,
mozilla::TimeDuration ocspTimeoutSoft,
mozilla::TimeDuration ocspTimeoutHard,
uint32_t certShortLifetimeInDays, PinningMode pinningMode,
SHA1Mode sha1Mode, BRNameMatchingPolicy::Mode nameMatchingMode,
uint32_t certShortLifetimeInDays, SHA1Mode sha1Mode,
BRNameMatchingPolicy::Mode nameMatchingMode,
NetscapeStepUpPolicy netscapeStepUpPolicy,
CertificateTransparencyMode ctMode, CRLiteMode crliteMode,
uint64_t crliteCTMergeDelaySeconds,
@ -239,7 +232,6 @@ class CertVerifier {
const mozilla::TimeDuration mOCSPTimeoutSoft;
const mozilla::TimeDuration mOCSPTimeoutHard;
const uint32_t mCertShortLifetimeInDays;
const PinningMode mPinningMode;
const SHA1Mode mSHA1Mode;
const BRNameMatchingPolicy::Mode mNameMatchingMode;
const NetscapeStepUpPolicy mNetscapeStepUpPolicy;
@ -276,9 +268,9 @@ class CertVerifier {
};
mozilla::pkix::Result IsCertBuiltInRoot(CERTCertificate* cert, bool& result);
mozilla::pkix::Result CertListContainsExpectedKeys(
const CERTCertList* certList, const char* hostname,
mozilla::pkix::Time time, CertVerifier::PinningMode pinningMode);
mozilla::pkix::Result CertListContainsExpectedKeys(const CERTCertList* certList,
const char* hostname,
mozilla::pkix::Time time);
} // namespace psm
} // namespace mozilla

View File

@ -66,10 +66,9 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(
OCSPCache& ocspCache,
/*optional but shouldn't be*/ void* pinArg, TimeDuration ocspTimeoutSoft,
TimeDuration ocspTimeoutHard, uint32_t certShortLifetimeInDays,
CertVerifier::PinningMode pinningMode, unsigned int minRSABits,
ValidityCheckingMode validityCheckingMode, CertVerifier::SHA1Mode sha1Mode,
NetscapeStepUpPolicy netscapeStepUpPolicy, CRLiteMode crliteMode,
uint64_t crliteCTMergeDelaySeconds,
unsigned int minRSABits, ValidityCheckingMode validityCheckingMode,
CertVerifier::SHA1Mode sha1Mode, NetscapeStepUpPolicy netscapeStepUpPolicy,
CRLiteMode crliteMode, uint64_t crliteCTMergeDelaySeconds,
const OriginAttributes& originAttributes,
const Vector<Input>& thirdPartyRootInputs,
const Vector<Input>& thirdPartyIntermediateInputs,
@ -84,7 +83,6 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(
mOCSPTimeoutSoft(ocspTimeoutSoft),
mOCSPTimeoutHard(ocspTimeoutHard),
mCertShortLifetimeInDays(certShortLifetimeInDays),
mPinningMode(pinningMode),
mMinRSABits(minRSABits),
mValidityCheckingMode(validityCheckingMode),
mSHA1Mode(sha1Mode),
@ -1186,16 +1184,9 @@ Result NSSCertDBTrustDomain::IsChainValid(const DERArray& certArray, Time time,
if (NS_FAILED(nsrv)) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
bool skipPinningChecksBecauseOfMITMMode =
(!isBuiltInRoot && mPinningMode == CertVerifier::pinningAllowUserCAMITM);
// If mHostname isn't set, we're not verifying in the context of a TLS
// handshake, so don't verify HPKP in those cases.
if (mHostname && (mPinningMode != CertVerifier::pinningDisabled) &&
!skipPinningChecksBecauseOfMITMMode) {
bool enforceTestMode =
(mPinningMode == CertVerifier::pinningEnforceTestMode);
bool chainHasValidPins;
// handshake, so don't verify key pinning in those cases.
if (mHostname) {
nsTArray<Span<const uint8_t>> derCertSpanList;
size_t numCerts = certArray.GetLength();
for (size_t i = numCerts; i > 0; --i) {
@ -1206,9 +1197,10 @@ Result NSSCertDBTrustDomain::IsChainValid(const DERArray& certArray, Time time,
derCertSpanList.EmplaceBack(der->UnsafeGetData(), der->GetLength());
}
bool chainHasValidPins;
nsrv = PublicKeyPinningService::ChainHasValidPins(
derCertSpanList, mHostname, time, enforceTestMode, mOriginAttributes,
chainHasValidPins, mPinningTelemetryInfo);
derCertSpanList, mHostname, time, isBuiltInRoot, chainHasValidPins,
mPinningTelemetryInfo);
if (NS_FAILED(nsrv)) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}

View File

@ -128,8 +128,7 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
SECTrustType certDBTrustType, OCSPFetching ocspFetching,
OCSPCache& ocspCache, void* pinArg, mozilla::TimeDuration ocspTimeoutSoft,
mozilla::TimeDuration ocspTimeoutHard, uint32_t certShortLifetimeInDays,
CertVerifier::PinningMode pinningMode, unsigned int minRSABits,
ValidityCheckingMode validityCheckingMode,
unsigned int minRSABits, ValidityCheckingMode validityCheckingMode,
CertVerifier::SHA1Mode sha1Mode,
NetscapeStepUpPolicy netscapeStepUpPolicy, CRLiteMode crliteMode,
uint64_t crliteCTMergeDelaySeconds,
@ -247,7 +246,6 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
const mozilla::TimeDuration mOCSPTimeoutSoft;
const mozilla::TimeDuration mOCSPTimeoutHard;
const uint32_t mCertShortLifetimeInDays;
CertVerifier::PinningMode mPinningMode;
const unsigned int mMinRSABits;
ValidityCheckingMode mValidityCheckingMode;
CertVerifier::SHA1Mode mSHA1Mode;

View File

@ -202,34 +202,26 @@ CommonSocketControl::IsAcceptableForHost(const nsACString& hostname,
return NS_OK;
}
mozilla::psm::CertVerifier::PinningMode pinningMode =
mozilla::psm::PublicSSLState()->PinningMode();
if (pinningMode != mozilla::psm::CertVerifier::pinningDisabled) {
bool chainHasValidPins;
bool enforceTestMode =
(pinningMode == mozilla::psm::CertVerifier::pinningEnforceTestMode);
nsTArray<nsTArray<uint8_t>> rawDerCertList;
nsTArray<Span<const uint8_t>> derCertSpanList;
for (const auto& cert : mSucceededCertChain) {
rawDerCertList.EmplaceBack();
nsresult nsrv = cert->GetRawDER(rawDerCertList.LastElement());
if (NS_FAILED(nsrv)) {
return nsrv;
}
derCertSpanList.EmplaceBack(rawDerCertList.LastElement());
}
nsresult nsrv = mozilla::psm::PublicKeyPinningService::ChainHasValidPins(
derCertSpanList, PromiseFlatCString(hostname).BeginReading(), Now(),
enforceTestMode, GetOriginAttributes(lock), chainHasValidPins, nullptr);
nsTArray<nsTArray<uint8_t>> rawDerCertList;
nsTArray<Span<const uint8_t>> derCertSpanList;
for (const auto& cert : mSucceededCertChain) {
rawDerCertList.EmplaceBack();
nsresult nsrv = cert->GetRawDER(rawDerCertList.LastElement());
if (NS_FAILED(nsrv)) {
return NS_OK;
return nsrv;
}
derCertSpanList.EmplaceBack(rawDerCertList.LastElement());
}
bool chainHasValidPins;
nsresult nsrv = mozilla::psm::PublicKeyPinningService::ChainHasValidPins(
derCertSpanList, PromiseFlatCString(hostname).BeginReading(), Now(),
mIsBuiltCertChainRootBuiltInRoot, chainHasValidPins, nullptr);
if (NS_FAILED(nsrv)) {
return NS_OK;
}
if (!chainHasValidPins) {
return NS_OK;
}
if (!chainHasValidPins) {
return NS_OK;
}
// All tests pass

View File

@ -11,6 +11,7 @@
#include "mozilla/Casting.h"
#include "mozilla/Logging.h"
#include "mozilla/Span.h"
#include "mozilla/StaticPrefs_security.h"
#include "mozilla/Telemetry.h"
#include "nsDependentString.h"
#include "nsServiceManagerUtils.h"
@ -27,6 +28,30 @@ using namespace mozilla::psm;
LazyLogModule gPublicKeyPinningLog("PublicKeyPinningService");
enum class PinningMode : uint32_t {
Disabled = 0,
AllowUserCAMITM = 1,
Strict = 2,
EnforceTestMode = 3
};
PinningMode GetPinningMode() {
PinningMode pinningMode = static_cast<PinningMode>(
StaticPrefs::security_cert_pinning_enforcement_level_DoNotUseDirectly());
switch (pinningMode) {
case PinningMode::Disabled:
return PinningMode::Disabled;
case PinningMode::AllowUserCAMITM:
return PinningMode::AllowUserCAMITM;
case PinningMode::Strict:
return PinningMode::Strict;
case PinningMode::EnforceTestMode:
return PinningMode::EnforceTestMode;
default:
return PinningMode::Disabled;
}
}
/**
Computes in the location specified by base64Out the SHA256 digest
of the DER Encoded subject Public Key Info for the given cert
@ -161,7 +186,6 @@ static void ValidatePinningPreloadList() {
// information that is valid for the given host at the given time.
static nsresult FindPinningInformation(
const char* hostname, mozilla::pkix::Time time,
const OriginAttributes& originAttributes,
/*out*/ const TransportSecurityPreload*& staticFingerprints) {
#ifdef DEBUG
ValidatePinningPreloadList();
@ -217,7 +241,6 @@ static nsresult FindPinningInformation(
static nsresult CheckPinsForHostname(
const nsTArray<Span<const uint8_t>>& certList, const char* hostname,
bool enforceTestMode, mozilla::pkix::Time time,
const OriginAttributes& originAttributes,
/*out*/ bool& chainHasValidPins,
/*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo) {
chainHasValidPins = false;
@ -229,8 +252,10 @@ static nsresult CheckPinsForHostname(
}
const TransportSecurityPreload* staticFingerprints = nullptr;
nsresult rv = FindPinningInformation(hostname, time, originAttributes,
staticFingerprints);
nsresult rv = FindPinningInformation(hostname, time, staticFingerprints);
if (NS_FAILED(rv)) {
return rv;
}
// If we have no pinning information, the certificate chain trivially
// validates with respect to pinning.
if (!staticFingerprints) {
@ -299,10 +324,16 @@ static nsresult CheckPinsForHostname(
nsresult PublicKeyPinningService::ChainHasValidPins(
const nsTArray<Span<const uint8_t>>& certList, const char* hostname,
mozilla::pkix::Time time, bool enforceTestMode,
const OriginAttributes& originAttributes,
mozilla::pkix::Time time, bool isBuiltInRoot,
/*out*/ bool& chainHasValidPins,
/*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo) {
PinningMode pinningMode(GetPinningMode());
if (pinningMode == PinningMode::Disabled ||
(!isBuiltInRoot && pinningMode == PinningMode::AllowUserCAMITM)) {
chainHasValidPins = true;
return NS_OK;
}
chainHasValidPins = false;
if (certList.IsEmpty()) {
return NS_ERROR_INVALID_ARG;
@ -311,25 +342,30 @@ nsresult PublicKeyPinningService::ChainHasValidPins(
return NS_ERROR_INVALID_ARG;
}
nsAutoCString canonicalizedHostname(CanonicalizeHostname(hostname));
bool enforceTestMode = pinningMode == PinningMode::EnforceTestMode;
return CheckPinsForHostname(certList, canonicalizedHostname.get(),
enforceTestMode, time, originAttributes,
chainHasValidPins, pinningTelemetryInfo);
enforceTestMode, time, chainHasValidPins,
pinningTelemetryInfo);
}
nsresult PublicKeyPinningService::HostHasPins(
const char* hostname, mozilla::pkix::Time time, bool enforceTestMode,
const OriginAttributes& originAttributes,
/*out*/ bool& hostHasPins) {
nsresult PublicKeyPinningService::HostHasPins(const char* hostname,
mozilla::pkix::Time time,
/*out*/ bool& hostHasPins) {
hostHasPins = false;
PinningMode pinningMode(GetPinningMode());
if (pinningMode == PinningMode::Disabled) {
return NS_OK;
}
nsAutoCString canonicalizedHostname(CanonicalizeHostname(hostname));
const TransportSecurityPreload* staticFingerprints = nullptr;
nsresult rv = FindPinningInformation(canonicalizedHostname.get(), time,
originAttributes, staticFingerprints);
staticFingerprints);
if (NS_FAILED(rv)) {
return rv;
}
if (staticFingerprints) {
hostHasPins = !staticFingerprints->mTestMode || enforceTestMode;
hostHasPins = !staticFingerprints->mTestMode ||
pinningMode == PinningMode::EnforceTestMode;
}
return NS_OK;
}

View File

@ -14,12 +14,6 @@
#include "mozilla/Span.h"
#include "mozpkix/Time.h"
namespace mozilla {
class OriginAttributes;
}
using mozilla::OriginAttributes;
namespace mozilla {
namespace psm {
@ -36,8 +30,7 @@ class PublicKeyPinningService {
*/
static nsresult ChainHasValidPins(
const nsTArray<Span<const uint8_t>>& certList, const char* hostname,
mozilla::pkix::Time time, bool enforceTestMode,
const OriginAttributes& originAttributes,
mozilla::pkix::Time time, bool isBuiltInRoot,
/*out*/ bool& chainHasValidPins,
/*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo);
@ -47,8 +40,6 @@ class PublicKeyPinningService {
* otherwise.
*/
static nsresult HostHasPins(const char* hostname, mozilla::pkix::Time time,
bool enforceTestMode,
const OriginAttributes& originAttributes,
/*out*/ bool& hostHasPins);
/**

View File

@ -23,8 +23,7 @@ class SharedCertVerifier : public mozilla::psm::CertVerifier {
SharedCertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc,
mozilla::TimeDuration ocspSoftTimeout,
mozilla::TimeDuration ocspHardTimeout,
uint32_t certShortLifetimeInDays, PinningMode pinningMode,
SHA1Mode sha1Mode,
uint32_t certShortLifetimeInDays, SHA1Mode sha1Mode,
BRNameMatchingPolicy::Mode nameMatchingMode,
NetscapeStepUpPolicy netscapeStepUpPolicy,
CertificateTransparencyMode ctMode, CRLiteMode crliteMode,
@ -32,8 +31,8 @@ class SharedCertVerifier : public mozilla::psm::CertVerifier {
const Vector<EnterpriseCert>& thirdPartyCerts)
: mozilla::psm::CertVerifier(
odc, osc, ocspSoftTimeout, ocspHardTimeout, certShortLifetimeInDays,
pinningMode, sha1Mode, nameMatchingMode, netscapeStepUpPolicy,
ctMode, crliteMode, crliteCTMergeDelaySeconds, thirdPartyCerts) {}
sha1Mode, nameMatchingMode, netscapeStepUpPolicy, ctMode,
crliteMode, crliteCTMergeDelaySeconds, thirdPartyCerts) {}
};
} // namespace psm

View File

@ -36,9 +36,6 @@ class SharedSSLState {
void SetSignedCertTimestampsEnabled(bool signedCertTimestampsEnabled) {
mSignedCertTimestampsEnabled = signedCertTimestampsEnabled;
}
void SetPinningMode(CertVerifier::PinningMode aPinningMode) {
mPinningMode = aPinningMode;
}
void SetNameMatchingMode(BRNameMatchingPolicy::Mode aMode) {
mNameMatchingMode = aMode;
}
@ -52,7 +49,6 @@ class SharedSSLState {
bool IsSignedCertTimestampsEnabled() const {
return mSignedCertTimestampsEnabled;
}
CertVerifier::PinningMode PinningMode() { return mPinningMode; }
BRNameMatchingPolicy::Mode NameMatchingMode() { return mNameMatchingMode; }
private:
@ -71,7 +67,6 @@ class SharedSSLState {
bool mOCSPStaplingEnabled;
bool mOCSPMustStapleEnabled;
bool mSignedCertTimestampsEnabled;
CertVerifier::PinningMode mPinningMode;
BRNameMatchingPolicy::Mode mNameMatchingMode;
};

View File

@ -1292,16 +1292,6 @@ void SetValidationOptionsCommon() {
PublicSSLState()->SetSignedCertTimestampsEnabled(sctsEnabled);
PrivateSSLState()->SetSignedCertTimestampsEnabled(sctsEnabled);
CertVerifier::PinningMode pinningMode =
static_cast<CertVerifier::PinningMode>(
Preferences::GetInt("security.cert_pinning.enforcement_level",
CertVerifier::pinningDisabled));
if (pinningMode > CertVerifier::pinningEnforceTestMode) {
pinningMode = CertVerifier::pinningDisabled;
}
PublicSSLState()->SetPinningMode(pinningMode);
PrivateSSLState()->SetPinningMode(pinningMode);
BRNameMatchingPolicy::Mode nameMatchingMode =
static_cast<BRNameMatchingPolicy::Mode>(Preferences::GetInt(
"security.pki.name_matching_mode",
@ -1508,8 +1498,7 @@ void nsNSSComponent::setValidationOptions(
softTimeout, hardTimeout, proofOfLock);
mDefaultCertVerifier = new SharedCertVerifier(
odc, osc, softTimeout, hardTimeout, certShortLifetimeInDays,
PublicSSLState()->PinningMode(), sha1Mode,
odc, osc, softTimeout, hardTimeout, certShortLifetimeInDays, sha1Mode,
PublicSSLState()->NameMatchingMode(), netscapeStepUpPolicy, ctMode,
crliteMode, crliteCTMergeDelaySeconds, mEnterpriseCerts);
}
@ -1527,8 +1516,8 @@ void nsNSSComponent::UpdateCertVerifierWithEnterpriseRoots() {
oldCertVerifier->mOCSPStrict ? CertVerifier::ocspStrict
: CertVerifier::ocspRelaxed,
oldCertVerifier->mOCSPTimeoutSoft, oldCertVerifier->mOCSPTimeoutHard,
oldCertVerifier->mCertShortLifetimeInDays, oldCertVerifier->mPinningMode,
oldCertVerifier->mSHA1Mode, oldCertVerifier->mNameMatchingMode,
oldCertVerifier->mCertShortLifetimeInDays, oldCertVerifier->mSHA1Mode,
oldCertVerifier->mNameMatchingMode,
oldCertVerifier->mNetscapeStepUpPolicy, oldCertVerifier->mCTMode,
oldCertVerifier->mCRLiteMode, oldCertVerifier->mCRLiteCTMergeDelaySeconds,
mEnterpriseCerts);
@ -2284,8 +2273,6 @@ nsNSSComponent::Observe(nsISupports* aSubject, const char* aTopic,
prefName.EqualsLiteral("security.ssl.enable_ocsp_must_staple") ||
prefName.EqualsLiteral(
"security.pki.certificate_transparency.mode") ||
prefName.EqualsLiteral(
"security.cert_pinning.enforcement_level") ||
prefName.EqualsLiteral("security.pki.sha1_enforcement_level") ||
prefName.EqualsLiteral("security.pki.name_matching_mode") ||
prefName.EqualsLiteral("security.pki.netscape_step_up_policy") ||

View File

@ -924,19 +924,8 @@ nsresult nsSiteSecurityService::IsSecureHost(
}
if (aType == nsISiteSecurityService::STATIC_PINNING) {
RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
if (!certVerifier) {
return NS_ERROR_FAILURE;
}
if (certVerifier->mPinningMode ==
CertVerifier::PinningMode::pinningDisabled) {
return NS_OK;
}
bool enforceTestMode = certVerifier->mPinningMode ==
CertVerifier::PinningMode::pinningEnforceTestMode;
return PublicKeyPinningService::HostHasPins(
flatHost.get(), mozilla::pkix::Now(), enforceTestMode,
aOriginAttributes, *aResult);
return PublicKeyPinningService::HostHasPins(flatHost.get(),
mozilla::pkix::Now(), *aResult);
}
nsAutoCString host(