diff --git a/modules/libpref/init/StaticPrefList.yaml b/modules/libpref/init/StaticPrefList.yaml
index e3fa0351c944..28cd22e920b6 100644
--- a/modules/libpref/init/StaticPrefList.yaml
+++ b/modules/libpref/init/StaticPrefList.yaml
@@ -10581,6 +10581,13 @@
value: false
mirror: always
+# Disable preloaded static key pins by default.
+- name: security.cert_pinning.enforcement_level
+ type: ReleaseAcquireAtomicUint32
+ value: 0
+ mirror: always
+ do_not_use_directly: true
+
#---------------------------------------------------------------------------
# Prefs starting with "slider."
#---------------------------------------------------------------------------
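Review bot: The new `security.cert_pinning.enforcement_level` entry documents only that the default disables preloaded pins, while the meaning of the accepted values now lives solely in a file-local enum in PublicKeyPinningService.cpp, which is not where someone reading the pref list will look. The removed all.js comment was equally terse, so this is the chance to fix it; suggest replacing the one-line comment with `# Preloaded key pin enforcement: 0 = disabled, 1 = enforce only for chains rooted in a built-in root (user-installed CA MITM allowed), 2 = strict, 3 = strict plus test-mode pins. Other values are treated as 0.`. Since the pref is `do_not_use_directly`, it would also help to name the accessor that interprets it (the pinning service) so nobody re-adds a raw read elsewhere.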
diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
index 633df035e6b6..e72f40bffcb3 100644
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -156,11 +156,6 @@ pref("security.webauth.webauthn_enable_softtoken", false);
pref("security.xfocsp.errorReporting.enabled", true);
pref("security.xfocsp.errorReporting.automatic", false);
-// Impose a maximum age on HPKP headers, to avoid sites getting permanently
-// blacking themselves out by setting a bad pin. (60 days by default)
-// https://tools.ietf.org/html/rfc7469#section-4.1
-pref("security.cert_pinning.max_max_age_seconds", 5184000);
-
// 0: Disable CRLite entirely
// 1: Enable and check revocations via CRLite, but only collect telemetry
// 2: Enable and enforce revocations via CRLite
@@ -2168,22 +2163,6 @@ pref("security.ssl.enable_ocsp_must_staple", true);
pref("security.insecure_field_warning.contextual.enabled", false);
pref("security.insecure_field_warning.ignore_local_ip_address", true);
-// Disable pinning checks by default.
-pref("security.cert_pinning.enforcement_level", 0);
-// Do not process hpkp headers rooted by not built in roots by default.
-// This is to prevent accidental pinning from MITM devices and is used
-// for tests.
-pref("security.cert_pinning.process_headers_from_non_builtin_roots", false);
-
-// Controls whether or not HPKP (the HTTP Public Key Pinning header) is enabled.
-// If true, the header is processed and collected HPKP information is consulted
-// when looking for pinning information.
-// If false, the header is not processed and collected HPKP information is not
-// consulted when looking for pinning information. Preloaded pins are not
-// affected by this preference.
-// Default: false
-pref("security.cert_pinning.hpkp.enabled", false);
-
// Remote settings preferences
// Note: if you change this, make sure to also review security.onecrl.maximum_staleness_in_seconds
pref("services.settings.poll_interval", 86400); // 24H
diff --git a/netwerk/base/nsIOService.cpp b/netwerk/base/nsIOService.cpp
index c437717aabad..059ac12808b5 100644
--- a/netwerk/base/nsIOService.cpp
+++ b/netwerk/base/nsIOService.cpp
@@ -258,7 +258,6 @@ static const char* gCallbackSecurityPrefs[] = {
"security.ssl.enable_ocsp_stapling",
"security.ssl.enable_ocsp_must_staple",
"security.pki.certificate_transparency.mode",
- "security.cert_pinning.enforcement_level",
"security.pki.name_matching_mode",
nullptr,
};
@@ -405,7 +404,6 @@ void nsIOService::OnTLSPrefChange(const char* aPref, void* aSelf) {
} else if (pref.EqualsLiteral("security.ssl.enable_ocsp_stapling") ||
pref.EqualsLiteral("security.ssl.enable_ocsp_must_staple") ||
pref.EqualsLiteral("security.pki.certificate_transparency.mode") ||
- pref.EqualsLiteral("security.cert_pinning.enforcement_level") ||
pref.EqualsLiteral("security.pki.name_matching_mode")) {
SetValidationOptionsCommon();
}
diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp
index 61fc09663e67..c427539bd67e 100644
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -88,8 +88,7 @@ void CertificateTransparencyInfo::Reset() {
CertVerifier::CertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc,
mozilla::TimeDuration ocspTimeoutSoft,
mozilla::TimeDuration ocspTimeoutHard,
- uint32_t certShortLifetimeInDays,
- PinningMode pinningMode, SHA1Mode sha1Mode,
+ uint32_t certShortLifetimeInDays, SHA1Mode sha1Mode,
BRNameMatchingPolicy::Mode nameMatchingMode,
NetscapeStepUpPolicy netscapeStepUpPolicy,
CertificateTransparencyMode ctMode,
@@ -101,7 +100,6 @@ CertVerifier::CertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc,
mOCSPTimeoutSoft(ocspTimeoutSoft),
mOCSPTimeoutHard(ocspTimeoutHard),
mCertShortLifetimeInDays(certShortLifetimeInDays),
- mPinningMode(pinningMode),
mSHA1Mode(sha1Mode),
mNameMatchingMode(nameMatchingMode),
mNetscapeStepUpPolicy(netscapeStepUpPolicy),
@@ -564,9 +562,9 @@ Result CertVerifier::VerifyCert(
// just use trustEmail as it is the closest alternative.
NSSCertDBTrustDomain trustDomain(
trustEmail, defaultOCSPFetching, mOCSPCache, pinArg, mOCSPTimeoutSoft,
- mOCSPTimeoutHard, mCertShortLifetimeInDays, pinningDisabled,
- MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff,
- SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, mCRLiteMode,
+ mOCSPTimeoutHard, mCertShortLifetimeInDays, MIN_RSA_BITS_WEAK,
+ ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed,
+ NetscapeStepUpPolicy::NeverMatch, mCRLiteMode,
mCRLiteCTMergeDelaySeconds, originAttributes, mThirdPartyRootInputs,
mThirdPartyIntermediateInputs, extraCertificates, builtChain, nullptr,
nullptr);
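Review bot: Dropping `pinningDisabled` from the middle of the NSSCertDBTrustDomain argument list leaves `mCertShortLifetimeInDays` (uint32_t) directly adjacent to `MIN_RSA_BITS_WEAK` (unsigned int), so a transposed pair at any of the six rewritten call sites in this file (this hunk and the five that follow) would still compile and only show up as a behaviour change. The reshuffle reads correctly here, but positional lists of this length are exactly where the next parameter removal goes wrong; a small options struct with named members, or at minimum an argument comment such as `/* minRSABits */ MIN_RSA_BITS_WEAK,` at each site, would make the order self-checking. VerifyCert starts and ends outside the hunk.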
@@ -637,10 +635,10 @@ Result CertVerifier::VerifyCert(
NSSCertDBTrustDomain trustDomain(
trustSSL, evOCSPFetching, mOCSPCache, pinArg, mOCSPTimeoutSoft,
- mOCSPTimeoutHard, mCertShortLifetimeInDays, mPinningMode,
- MIN_RSA_BITS, ValidityCheckingMode::CheckForEV,
- sha1ModeConfigurations[i], mNetscapeStepUpPolicy, mCRLiteMode,
- mCRLiteCTMergeDelaySeconds, originAttributes, mThirdPartyRootInputs,
+ mOCSPTimeoutHard, mCertShortLifetimeInDays, MIN_RSA_BITS,
+ ValidityCheckingMode::CheckForEV, sha1ModeConfigurations[i],
+ mNetscapeStepUpPolicy, mCRLiteMode, mCRLiteCTMergeDelaySeconds,
+ originAttributes, mThirdPartyRootInputs,
mThirdPartyIntermediateInputs, extraCertificates, builtChain,
pinningTelemetryInfo, hostname);
rv = BuildCertChainForOneKeyUsage(
@@ -720,12 +718,11 @@ Result CertVerifier::VerifyCert(
NSSCertDBTrustDomain trustDomain(
trustSSL, defaultOCSPFetching, mOCSPCache, pinArg,
mOCSPTimeoutSoft, mOCSPTimeoutHard, mCertShortLifetimeInDays,
- mPinningMode, keySizeOptions[i],
- ValidityCheckingMode::CheckingOff, sha1ModeConfigurations[j],
- mNetscapeStepUpPolicy, mCRLiteMode, mCRLiteCTMergeDelaySeconds,
- originAttributes, mThirdPartyRootInputs,
- mThirdPartyIntermediateInputs, extraCertificates, builtChain,
- pinningTelemetryInfo, hostname);
+ keySizeOptions[i], ValidityCheckingMode::CheckingOff,
+ sha1ModeConfigurations[j], mNetscapeStepUpPolicy, mCRLiteMode,
+ mCRLiteCTMergeDelaySeconds, originAttributes,
+ mThirdPartyRootInputs, mThirdPartyIntermediateInputs,
+ extraCertificates, builtChain, pinningTelemetryInfo, hostname);
rv = BuildCertChainForOneKeyUsage(
trustDomain, certDER, time,
KeyUsage::digitalSignature, //(EC)DHE
@@ -790,10 +787,10 @@ Result CertVerifier::VerifyCert(
case certificateUsageSSLCA: {
NSSCertDBTrustDomain trustDomain(
trustSSL, defaultOCSPFetching, mOCSPCache, pinArg, mOCSPTimeoutSoft,
- mOCSPTimeoutHard, mCertShortLifetimeInDays, pinningDisabled,
- MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff,
- SHA1Mode::Allowed, mNetscapeStepUpPolicy, mCRLiteMode,
- mCRLiteCTMergeDelaySeconds, originAttributes, mThirdPartyRootInputs,
+ mOCSPTimeoutHard, mCertShortLifetimeInDays, MIN_RSA_BITS_WEAK,
+ ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed,
+ mNetscapeStepUpPolicy, mCRLiteMode, mCRLiteCTMergeDelaySeconds,
+ originAttributes, mThirdPartyRootInputs,
mThirdPartyIntermediateInputs, extraCertificates, builtChain, nullptr,
nullptr);
rv = BuildCertChain(trustDomain, certDER, time, EndEntityOrCA::MustBeCA,
@@ -805,9 +802,9 @@ Result CertVerifier::VerifyCert(
case certificateUsageEmailSigner: {
NSSCertDBTrustDomain trustDomain(
trustEmail, defaultOCSPFetching, mOCSPCache, pinArg, mOCSPTimeoutSoft,
- mOCSPTimeoutHard, mCertShortLifetimeInDays, pinningDisabled,
- MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff,
- SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, mCRLiteMode,
+ mOCSPTimeoutHard, mCertShortLifetimeInDays, MIN_RSA_BITS_WEAK,
+ ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed,
+ NetscapeStepUpPolicy::NeverMatch, mCRLiteMode,
mCRLiteCTMergeDelaySeconds, originAttributes, mThirdPartyRootInputs,
mThirdPartyIntermediateInputs, extraCertificates, builtChain, nullptr,
nullptr);
@@ -830,9 +827,9 @@ Result CertVerifier::VerifyCert(
// based on the result of the verification(s).
NSSCertDBTrustDomain trustDomain(
trustEmail, defaultOCSPFetching, mOCSPCache, pinArg, mOCSPTimeoutSoft,
- mOCSPTimeoutHard, mCertShortLifetimeInDays, pinningDisabled,
- MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff,
- SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, mCRLiteMode,
+ mOCSPTimeoutHard, mCertShortLifetimeInDays, MIN_RSA_BITS_WEAK,
+ ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed,
+ NetscapeStepUpPolicy::NeverMatch, mCRLiteMode,
mCRLiteCTMergeDelaySeconds, originAttributes, mThirdPartyRootInputs,
mThirdPartyIntermediateInputs, extraCertificates, builtChain, nullptr,
nullptr);
diff --git a/security/certverifier/CertVerifier.h b/security/certverifier/CertVerifier.h
index 10fb7431aaa1..5a206c13009f 100644
--- a/security/certverifier/CertVerifier.h
+++ b/security/certverifier/CertVerifier.h
@@ -195,13 +195,6 @@ class CertVerifier {
/*optional out*/ CertificateTransparencyInfo* ctInfo = nullptr,
/*optional out*/ bool* isBuiltCertChainRootBuiltInRoot = nullptr);
- enum PinningMode {
- pinningDisabled = 0,
- pinningAllowUserCAMITM = 1,
- pinningStrict = 2,
- pinningEnforceTestMode = 3
- };
-
enum class SHA1Mode {
Allowed = 0,
Forbidden = 1,
@@ -224,8 +217,8 @@ class CertVerifier {
CertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc,
mozilla::TimeDuration ocspTimeoutSoft,
mozilla::TimeDuration ocspTimeoutHard,
- uint32_t certShortLifetimeInDays, PinningMode pinningMode,
- SHA1Mode sha1Mode, BRNameMatchingPolicy::Mode nameMatchingMode,
+ uint32_t certShortLifetimeInDays, SHA1Mode sha1Mode,
+ BRNameMatchingPolicy::Mode nameMatchingMode,
NetscapeStepUpPolicy netscapeStepUpPolicy,
CertificateTransparencyMode ctMode, CRLiteMode crliteMode,
uint64_t crliteCTMergeDelaySeconds,
@@ -239,7 +232,6 @@ class CertVerifier {
const mozilla::TimeDuration mOCSPTimeoutSoft;
const mozilla::TimeDuration mOCSPTimeoutHard;
const uint32_t mCertShortLifetimeInDays;
- const PinningMode mPinningMode;
const SHA1Mode mSHA1Mode;
const BRNameMatchingPolicy::Mode mNameMatchingMode;
const NetscapeStepUpPolicy mNetscapeStepUpPolicy;
@@ -276,9 +268,9 @@ class CertVerifier {
};
mozilla::pkix::Result IsCertBuiltInRoot(CERTCertificate* cert, bool& result);
-mozilla::pkix::Result CertListContainsExpectedKeys(
- const CERTCertList* certList, const char* hostname,
- mozilla::pkix::Time time, CertVerifier::PinningMode pinningMode);
+mozilla::pkix::Result CertListContainsExpectedKeys(const CERTCertList* certList,
+ const char* hostname,
+ mozilla::pkix::Time time);
} // namespace psm
} // namespace mozilla
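Review bot: `CertListContainsExpectedKeys` loses its `pinningMode` parameter here, but its definition and callers are not part of this diff, so whatever enforcement-level gating it previously performed must now happen inside it (presumably by reading the pref the way ChainHasValidPins does) — please confirm, since a definition that merely dropped the check would silently enforce pins in modes where they were skipped before. The declaration also carries no doc comment; a short one, e.g. `// Checks the chain against preloaded pins for hostname; the enforcement level is read from security.cert_pinning.enforcement_level at call time.`, would record the new contract where callers see it.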
diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp
index 48f903e017ed..110c2d561177 100644
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -66,10 +66,9 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(
OCSPCache& ocspCache,
/*optional but shouldn't be*/ void* pinArg, TimeDuration ocspTimeoutSoft,
TimeDuration ocspTimeoutHard, uint32_t certShortLifetimeInDays,
- CertVerifier::PinningMode pinningMode, unsigned int minRSABits,
- ValidityCheckingMode validityCheckingMode, CertVerifier::SHA1Mode sha1Mode,
- NetscapeStepUpPolicy netscapeStepUpPolicy, CRLiteMode crliteMode,
- uint64_t crliteCTMergeDelaySeconds,
+ unsigned int minRSABits, ValidityCheckingMode validityCheckingMode,
+ CertVerifier::SHA1Mode sha1Mode, NetscapeStepUpPolicy netscapeStepUpPolicy,
+ CRLiteMode crliteMode, uint64_t crliteCTMergeDelaySeconds,
const OriginAttributes& originAttributes,
const Vector& thirdPartyRootInputs,
const Vector& thirdPartyIntermediateInputs,
@@ -84,7 +83,6 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(
mOCSPTimeoutSoft(ocspTimeoutSoft),
mOCSPTimeoutHard(ocspTimeoutHard),
mCertShortLifetimeInDays(certShortLifetimeInDays),
- mPinningMode(pinningMode),
mMinRSABits(minRSABits),
mValidityCheckingMode(validityCheckingMode),
mSHA1Mode(sha1Mode),
@@ -1186,16 +1184,9 @@ Result NSSCertDBTrustDomain::IsChainValid(const DERArray& certArray, Time time,
if (NS_FAILED(nsrv)) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
- bool skipPinningChecksBecauseOfMITMMode =
- (!isBuiltInRoot && mPinningMode == CertVerifier::pinningAllowUserCAMITM);
// If mHostname isn't set, we're not verifying in the context of a TLS
- // handshake, so don't verify HPKP in those cases.
- if (mHostname && (mPinningMode != CertVerifier::pinningDisabled) &&
- !skipPinningChecksBecauseOfMITMMode) {
- bool enforceTestMode =
- (mPinningMode == CertVerifier::pinningEnforceTestMode);
- bool chainHasValidPins;
-
+ // handshake, so don't verify key pinning in those cases.
+ if (mHostname) {
nsTArray> derCertSpanList;
size_t numCerts = certArray.GetLength();
for (size_t i = numCerts; i > 0; --i) {
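Review bot: The span list is now assembled for every verification that has a hostname before `ChainHasValidPins` decides whether pinning is enabled at all, whereas the removed code skipped this whole block when `mPinningMode` was disabled or the user-CA MITM exemption applied. The loop appears to build only spans over existing DER (no copies), so the cost is small, but it runs on every TLS handshake and the next reader will be tempted to re-add a guard that no longer exists at this layer; a comment such as `// Enforcement level is evaluated inside ChainHasValidPins; building the span list is cheap.` would settle that. IsChainValid starts and ends outside the hunk.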
@@ -1206,9 +1197,10 @@ Result NSSCertDBTrustDomain::IsChainValid(const DERArray& certArray, Time time,
derCertSpanList.EmplaceBack(der->UnsafeGetData(), der->GetLength());
}
+ bool chainHasValidPins;
nsrv = PublicKeyPinningService::ChainHasValidPins(
- derCertSpanList, mHostname, time, enforceTestMode, mOriginAttributes,
- chainHasValidPins, mPinningTelemetryInfo);
+ derCertSpanList, mHostname, time, isBuiltInRoot, chainHasValidPins,
+ mPinningTelemetryInfo);
if (NS_FAILED(nsrv)) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
diff --git a/security/certverifier/NSSCertDBTrustDomain.h b/security/certverifier/NSSCertDBTrustDomain.h
index 42ad343cec33..08d0265302d7 100644
--- a/security/certverifier/NSSCertDBTrustDomain.h
+++ b/security/certverifier/NSSCertDBTrustDomain.h
@@ -128,8 +128,7 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
SECTrustType certDBTrustType, OCSPFetching ocspFetching,
OCSPCache& ocspCache, void* pinArg, mozilla::TimeDuration ocspTimeoutSoft,
mozilla::TimeDuration ocspTimeoutHard, uint32_t certShortLifetimeInDays,
- CertVerifier::PinningMode pinningMode, unsigned int minRSABits,
- ValidityCheckingMode validityCheckingMode,
+ unsigned int minRSABits, ValidityCheckingMode validityCheckingMode,
CertVerifier::SHA1Mode sha1Mode,
NetscapeStepUpPolicy netscapeStepUpPolicy, CRLiteMode crliteMode,
uint64_t crliteCTMergeDelaySeconds,
@@ -247,7 +246,6 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
const mozilla::TimeDuration mOCSPTimeoutSoft;
const mozilla::TimeDuration mOCSPTimeoutHard;
const uint32_t mCertShortLifetimeInDays;
- CertVerifier::PinningMode mPinningMode;
const unsigned int mMinRSABits;
ValidityCheckingMode mValidityCheckingMode;
CertVerifier::SHA1Mode mSHA1Mode;
diff --git a/security/manager/ssl/CommonSocketControl.cpp b/security/manager/ssl/CommonSocketControl.cpp
index b7dc27eaa1a5..bd5aa2a1a94f 100644
--- a/security/manager/ssl/CommonSocketControl.cpp
+++ b/security/manager/ssl/CommonSocketControl.cpp
@@ -202,34 +202,26 @@ CommonSocketControl::IsAcceptableForHost(const nsACString& hostname,
return NS_OK;
}
- mozilla::psm::CertVerifier::PinningMode pinningMode =
- mozilla::psm::PublicSSLState()->PinningMode();
- if (pinningMode != mozilla::psm::CertVerifier::pinningDisabled) {
- bool chainHasValidPins;
- bool enforceTestMode =
- (pinningMode == mozilla::psm::CertVerifier::pinningEnforceTestMode);
-
- nsTArray> rawDerCertList;
- nsTArray> derCertSpanList;
- for (const auto& cert : mSucceededCertChain) {
- rawDerCertList.EmplaceBack();
- nsresult nsrv = cert->GetRawDER(rawDerCertList.LastElement());
- if (NS_FAILED(nsrv)) {
- return nsrv;
- }
- derCertSpanList.EmplaceBack(rawDerCertList.LastElement());
- }
-
- nsresult nsrv = mozilla::psm::PublicKeyPinningService::ChainHasValidPins(
- derCertSpanList, PromiseFlatCString(hostname).BeginReading(), Now(),
- enforceTestMode, GetOriginAttributes(lock), chainHasValidPins, nullptr);
+ nsTArray> rawDerCertList;
+ nsTArray> derCertSpanList;
+ for (const auto& cert : mSucceededCertChain) {
+ rawDerCertList.EmplaceBack();
+ nsresult nsrv = cert->GetRawDER(rawDerCertList.LastElement());
if (NS_FAILED(nsrv)) {
- return NS_OK;
+ return nsrv;
}
+ derCertSpanList.EmplaceBack(rawDerCertList.LastElement());
+ }
+ bool chainHasValidPins;
+ nsresult nsrv = mozilla::psm::PublicKeyPinningService::ChainHasValidPins(
+ derCertSpanList, PromiseFlatCString(hostname).BeginReading(), Now(),
+ mIsBuiltCertChainRootBuiltInRoot, chainHasValidPins, nullptr);
+ if (NS_FAILED(nsrv)) {
+ return NS_OK;
+ }
- if (!chainHasValidPins) {
- return NS_OK;
- }
+ if (!chainHasValidPins) {
+ return NS_OK;
}
// All tests pass
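Review bot: `mIsBuiltCertChainRootBuiltInRoot` is now the value that lets `ChainHasValidPins` skip pin enforcement in the user-CA MITM level, so pinning here is only as reliable as that member: if it still holds its initial value (presumably false) when `IsAcceptableForHost` runs, a chain anchored at a built-in root would be classified as user-CA and bypass pins. Please confirm it is always populated together with `mSucceededCertChain` before this path and reset whenever the chain is cleared, and consider noting the coupling at the call, `// Pin enforcement relies on the root-is-built-in flag recorded at handshake time.`. The conversion loop also lost its enclosing `if`, so its per-call cost now applies even when pinning is disabled; that is consistent with the NSSCertDBTrustDomain change and fine if intended. IsAcceptableForHost starts and ends outside the hunk.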
diff --git a/security/manager/ssl/PublicKeyPinningService.cpp b/security/manager/ssl/PublicKeyPinningService.cpp
index b29e74f2c671..9570f64ef8b4 100644
--- a/security/manager/ssl/PublicKeyPinningService.cpp
+++ b/security/manager/ssl/PublicKeyPinningService.cpp
@@ -11,6 +11,7 @@
#include "mozilla/Casting.h"
#include "mozilla/Logging.h"
#include "mozilla/Span.h"
+#include "mozilla/StaticPrefs_security.h"
#include "mozilla/Telemetry.h"
#include "nsDependentString.h"
#include "nsServiceManagerUtils.h"
@@ -27,6 +28,30 @@ using namespace mozilla::psm;
LazyLogModule gPublicKeyPinningLog("PublicKeyPinningService");
+enum class PinningMode : uint32_t {
+ Disabled = 0,
+ AllowUserCAMITM = 1,
+ Strict = 2,
+ EnforceTestMode = 3
+};
+
+PinningMode GetPinningMode() {
+ PinningMode pinningMode = static_cast(
+ StaticPrefs::security_cert_pinning_enforcement_level_DoNotUseDirectly());
+ switch (pinningMode) {
+ case PinningMode::Disabled:
+ return PinningMode::Disabled;
+ case PinningMode::AllowUserCAMITM:
+ return PinningMode::AllowUserCAMITM;
+ case PinningMode::Strict:
+ return PinningMode::Strict;
+ case PinningMode::EnforceTestMode:
+ return PinningMode::EnforceTestMode;
+ default:
+ return PinningMode::Disabled;
+ }
+}
+
/**
Computes in the location specified by base64Out the SHA256 digest
of the DER Encoded subject Public Key Info for the given cert
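Review bot: `PinningMode` and `GetPinningMode` are introduced at namespace scope in a .cpp with external linkage, so the unqualified names can collide at link time with any other translation unit defining the same symbols; an anonymous namespace (or `static` on the function) is the usual fix. The four-way switch is a verbose way of clamping: `const uint32_t level = StaticPrefs::security_cert_pinning_enforcement_level_DoNotUseDirectly();` followed by `return level <= static_cast<uint32_t>(PinningMode::EnforceTestMode) ? static_cast<PinningMode>(level) : PinningMode::Disabled;` expresses the same thing. This function is now the only place the levels are defined, so a doc comment listing them (0 disabled, 1 enforce only under built-in roots, 2 strict, 3 strict plus test-mode pins) and stating that out-of-range values fall back to Disabled, as the removed nsNSSComponent code did, would be worth adding.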
@@ -161,7 +186,6 @@ static void ValidatePinningPreloadList() {
// information that is valid for the given host at the given time.
static nsresult FindPinningInformation(
const char* hostname, mozilla::pkix::Time time,
- const OriginAttributes& originAttributes,
/*out*/ const TransportSecurityPreload*& staticFingerprints) {
#ifdef DEBUG
ValidatePinningPreloadList();
@@ -217,7 +241,6 @@ static nsresult FindPinningInformation(
static nsresult CheckPinsForHostname(
const nsTArray>& certList, const char* hostname,
bool enforceTestMode, mozilla::pkix::Time time,
- const OriginAttributes& originAttributes,
/*out*/ bool& chainHasValidPins,
/*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo) {
chainHasValidPins = false;
@@ -229,8 +252,10 @@ static nsresult CheckPinsForHostname(
}
const TransportSecurityPreload* staticFingerprints = nullptr;
- nsresult rv = FindPinningInformation(hostname, time, originAttributes,
- staticFingerprints);
+ nsresult rv = FindPinningInformation(hostname, time, staticFingerprints);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
// If we have no pinning information, the certificate chain trivially
// validates with respect to pinning.
if (!staticFingerprints) {
@@ -299,10 +324,16 @@ static nsresult CheckPinsForHostname(
nsresult PublicKeyPinningService::ChainHasValidPins(
const nsTArray>& certList, const char* hostname,
- mozilla::pkix::Time time, bool enforceTestMode,
- const OriginAttributes& originAttributes,
+ mozilla::pkix::Time time, bool isBuiltInRoot,
/*out*/ bool& chainHasValidPins,
/*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo) {
+ PinningMode pinningMode(GetPinningMode());
+ if (pinningMode == PinningMode::Disabled ||
+ (!isBuiltInRoot && pinningMode == PinningMode::AllowUserCAMITM)) {
+ chainHasValidPins = true;
+ return NS_OK;
+ }
+
chainHasValidPins = false;
if (certList.IsEmpty()) {
return NS_ERROR_INVALID_ARG;
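Review bot: The new early return sets `chainHasValidPins = true` before the `certList.IsEmpty()` and hostname checks, so in the disabled level, or the MITM level with a non-built-in root, an empty chain now yields NS_OK with a true out-param instead of NS_ERROR_INVALID_ARG. Callers previously never reached this function in those cases, so behaviour is unchanged for them, but an out-param named "has valid pins" that is set to true on a policy short-circuit is easy to misread as "pins were checked"; keeping the argument validation first, or adding `// Pinning is not applicable at this level: report the chain as acceptable.`, would make the intent explicit. Note that the level is read afresh on each call here and in HostHasPins in the next hunk, so the verification-time check and the later IsAcceptableForHost check can observe different levels if the pref flips between them — harmless given the atomic mirror, but worth a sentence in the header comment.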
@@ -311,25 +342,30 @@ nsresult PublicKeyPinningService::ChainHasValidPins(
return NS_ERROR_INVALID_ARG;
}
nsAutoCString canonicalizedHostname(CanonicalizeHostname(hostname));
+ bool enforceTestMode = pinningMode == PinningMode::EnforceTestMode;
return CheckPinsForHostname(certList, canonicalizedHostname.get(),
- enforceTestMode, time, originAttributes,
- chainHasValidPins, pinningTelemetryInfo);
+ enforceTestMode, time, chainHasValidPins,
+ pinningTelemetryInfo);
}
-nsresult PublicKeyPinningService::HostHasPins(
- const char* hostname, mozilla::pkix::Time time, bool enforceTestMode,
- const OriginAttributes& originAttributes,
- /*out*/ bool& hostHasPins) {
+nsresult PublicKeyPinningService::HostHasPins(const char* hostname,
+ mozilla::pkix::Time time,
+ /*out*/ bool& hostHasPins) {
hostHasPins = false;
+ PinningMode pinningMode(GetPinningMode());
+ if (pinningMode == PinningMode::Disabled) {
+ return NS_OK;
+ }
nsAutoCString canonicalizedHostname(CanonicalizeHostname(hostname));
const TransportSecurityPreload* staticFingerprints = nullptr;
nsresult rv = FindPinningInformation(canonicalizedHostname.get(), time,
- originAttributes, staticFingerprints);
+ staticFingerprints);
if (NS_FAILED(rv)) {
return rv;
}
if (staticFingerprints) {
- hostHasPins = !staticFingerprints->mTestMode || enforceTestMode;
+ hostHasPins = !staticFingerprints->mTestMode ||
+ pinningMode == PinningMode::EnforceTestMode;
}
return NS_OK;
}
diff --git a/security/manager/ssl/PublicKeyPinningService.h b/security/manager/ssl/PublicKeyPinningService.h
index 5a16d838e0af..47f8bbd4562a 100644
--- a/security/manager/ssl/PublicKeyPinningService.h
+++ b/security/manager/ssl/PublicKeyPinningService.h
@@ -14,12 +14,6 @@
#include "mozilla/Span.h"
#include "mozpkix/Time.h"
-namespace mozilla {
-class OriginAttributes;
-}
-
-using mozilla::OriginAttributes;
-
namespace mozilla {
namespace psm {
@@ -36,8 +30,7 @@ class PublicKeyPinningService {
*/
static nsresult ChainHasValidPins(
const nsTArray>& certList, const char* hostname,
- mozilla::pkix::Time time, bool enforceTestMode,
- const OriginAttributes& originAttributes,
+ mozilla::pkix::Time time, bool isBuiltInRoot,
/*out*/ bool& chainHasValidPins,
/*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo);
@@ -47,8 +40,6 @@ class PublicKeyPinningService {
* otherwise.
*/
static nsresult HostHasPins(const char* hostname, mozilla::pkix::Time time,
- bool enforceTestMode,
- const OriginAttributes& originAttributes,
/*out*/ bool& hostHasPins);
/**
diff --git a/security/manager/ssl/SharedCertVerifier.h b/security/manager/ssl/SharedCertVerifier.h
index 6771dab16bb0..700e2da267f0 100644
--- a/security/manager/ssl/SharedCertVerifier.h
+++ b/security/manager/ssl/SharedCertVerifier.h
@@ -23,8 +23,7 @@ class SharedCertVerifier : public mozilla::psm::CertVerifier {
SharedCertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc,
mozilla::TimeDuration ocspSoftTimeout,
mozilla::TimeDuration ocspHardTimeout,
- uint32_t certShortLifetimeInDays, PinningMode pinningMode,
- SHA1Mode sha1Mode,
+ uint32_t certShortLifetimeInDays, SHA1Mode sha1Mode,
BRNameMatchingPolicy::Mode nameMatchingMode,
NetscapeStepUpPolicy netscapeStepUpPolicy,
CertificateTransparencyMode ctMode, CRLiteMode crliteMode,
@@ -32,8 +31,8 @@ class SharedCertVerifier : public mozilla::psm::CertVerifier {
const Vector& thirdPartyCerts)
: mozilla::psm::CertVerifier(
odc, osc, ocspSoftTimeout, ocspHardTimeout, certShortLifetimeInDays,
- pinningMode, sha1Mode, nameMatchingMode, netscapeStepUpPolicy,
- ctMode, crliteMode, crliteCTMergeDelaySeconds, thirdPartyCerts) {}
+ sha1Mode, nameMatchingMode, netscapeStepUpPolicy, ctMode,
+ crliteMode, crliteCTMergeDelaySeconds, thirdPartyCerts) {}
};
} // namespace psm
diff --git a/security/manager/ssl/SharedSSLState.h b/security/manager/ssl/SharedSSLState.h
index 9431abeab9c8..0fd1e23710e9 100644
--- a/security/manager/ssl/SharedSSLState.h
+++ b/security/manager/ssl/SharedSSLState.h
@@ -36,9 +36,6 @@ class SharedSSLState {
void SetSignedCertTimestampsEnabled(bool signedCertTimestampsEnabled) {
mSignedCertTimestampsEnabled = signedCertTimestampsEnabled;
}
- void SetPinningMode(CertVerifier::PinningMode aPinningMode) {
- mPinningMode = aPinningMode;
- }
void SetNameMatchingMode(BRNameMatchingPolicy::Mode aMode) {
mNameMatchingMode = aMode;
}
@@ -52,7 +49,6 @@ class SharedSSLState {
bool IsSignedCertTimestampsEnabled() const {
return mSignedCertTimestampsEnabled;
}
- CertVerifier::PinningMode PinningMode() { return mPinningMode; }
BRNameMatchingPolicy::Mode NameMatchingMode() { return mNameMatchingMode; }
private:
@@ -71,7 +67,6 @@ class SharedSSLState {
bool mOCSPStaplingEnabled;
bool mOCSPMustStapleEnabled;
bool mSignedCertTimestampsEnabled;
- CertVerifier::PinningMode mPinningMode;
BRNameMatchingPolicy::Mode mNameMatchingMode;
};
diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp
index d0f72b85cee5..592aa8404ce1 100644
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -1292,16 +1292,6 @@ void SetValidationOptionsCommon() {
PublicSSLState()->SetSignedCertTimestampsEnabled(sctsEnabled);
PrivateSSLState()->SetSignedCertTimestampsEnabled(sctsEnabled);
- CertVerifier::PinningMode pinningMode =
- static_cast(
- Preferences::GetInt("security.cert_pinning.enforcement_level",
- CertVerifier::pinningDisabled));
- if (pinningMode > CertVerifier::pinningEnforceTestMode) {
- pinningMode = CertVerifier::pinningDisabled;
- }
- PublicSSLState()->SetPinningMode(pinningMode);
- PrivateSSLState()->SetPinningMode(pinningMode);
-
BRNameMatchingPolicy::Mode nameMatchingMode =
static_cast(Preferences::GetInt(
"security.pki.name_matching_mode",
@@ -1508,8 +1498,7 @@ void nsNSSComponent::setValidationOptions(
softTimeout, hardTimeout, proofOfLock);
mDefaultCertVerifier = new SharedCertVerifier(
- odc, osc, softTimeout, hardTimeout, certShortLifetimeInDays,
- PublicSSLState()->PinningMode(), sha1Mode,
+ odc, osc, softTimeout, hardTimeout, certShortLifetimeInDays, sha1Mode,
PublicSSLState()->NameMatchingMode(), netscapeStepUpPolicy, ctMode,
crliteMode, crliteCTMergeDelaySeconds, mEnterpriseCerts);
}
@@ -1527,8 +1516,8 @@ void nsNSSComponent::UpdateCertVerifierWithEnterpriseRoots() {
oldCertVerifier->mOCSPStrict ? CertVerifier::ocspStrict
: CertVerifier::ocspRelaxed,
oldCertVerifier->mOCSPTimeoutSoft, oldCertVerifier->mOCSPTimeoutHard,
- oldCertVerifier->mCertShortLifetimeInDays, oldCertVerifier->mPinningMode,
- oldCertVerifier->mSHA1Mode, oldCertVerifier->mNameMatchingMode,
+ oldCertVerifier->mCertShortLifetimeInDays, oldCertVerifier->mSHA1Mode,
+ oldCertVerifier->mNameMatchingMode,
oldCertVerifier->mNetscapeStepUpPolicy, oldCertVerifier->mCTMode,
oldCertVerifier->mCRLiteMode, oldCertVerifier->mCRLiteCTMergeDelaySeconds,
mEnterpriseCerts);
@@ -2284,8 +2273,6 @@ nsNSSComponent::Observe(nsISupports* aSubject, const char* aTopic,
prefName.EqualsLiteral("security.ssl.enable_ocsp_must_staple") ||
prefName.EqualsLiteral(
"security.pki.certificate_transparency.mode") ||
- prefName.EqualsLiteral(
- "security.cert_pinning.enforcement_level") ||
prefName.EqualsLiteral("security.pki.sha1_enforcement_level") ||
prefName.EqualsLiteral("security.pki.name_matching_mode") ||
prefName.EqualsLiteral("security.pki.netscape_step_up_policy") ||
diff --git a/security/manager/ssl/nsSiteSecurityService.cpp b/security/manager/ssl/nsSiteSecurityService.cpp
index f3f52a3b0081..b217d2c76074 100644
--- a/security/manager/ssl/nsSiteSecurityService.cpp
+++ b/security/manager/ssl/nsSiteSecurityService.cpp
@@ -924,19 +924,8 @@ nsresult nsSiteSecurityService::IsSecureHost(
}
if (aType == nsISiteSecurityService::STATIC_PINNING) {
- RefPtr certVerifier(GetDefaultCertVerifier());
- if (!certVerifier) {
- return NS_ERROR_FAILURE;
- }
- if (certVerifier->mPinningMode ==
- CertVerifier::PinningMode::pinningDisabled) {
- return NS_OK;
- }
- bool enforceTestMode = certVerifier->mPinningMode ==
- CertVerifier::PinningMode::pinningEnforceTestMode;
- return PublicKeyPinningService::HostHasPins(
- flatHost.get(), mozilla::pkix::Now(), enforceTestMode,
- aOriginAttributes, *aResult);
+ return PublicKeyPinningService::HostHasPins(flatHost.get(),
+ mozilla::pkix::Now(), *aResult);
}
nsAutoCString host(