Bug 1009635 - PreloadedHPKP.json should also contain production/exclusion lists. r=keeler
--HG-- extra : rebase_source : 46c13e490358f26b21191d6d783d795897ceea63
This commit is contained in:
parent
bf9922a2e0
commit
e7518a4528
@ -745,7 +745,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
|
||||
{ "media.mozilla.com", true, true, true, -1, &kPinset_mozilla },
|
||||
{ "mobile.twitter.com", true, true, false, -1, &kPinset_twitterCom },
|
||||
{ "oauth.twitter.com", true, true, false, -1, &kPinset_twitterCom },
|
||||
{ "pinningtest.appspot.com", true, true, false, -1, &kPinset_test },
|
||||
{ "pinningtest.appspot.com", true, false, false, -1, &kPinset_test },
|
||||
{ "platform.twitter.com", true, true, false, -1, &kPinset_twitterCDN },
|
||||
{ "play.google.com", false, true, false, -1, &kPinset_google },
|
||||
{ "plus.google.com", true, true, false, -1, &kPinset_google },
|
||||
@ -779,4 +779,4 @@ static const int kPublicKeyPinningPreloadListLength = 307;
|
||||
|
||||
static const int32_t kUnknownId = -1;
|
||||
|
||||
static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1411498007030000);
|
||||
static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1411598636448000);
|
||||
|
@ -25,6 +25,15 @@
|
||||
// Geotrust Primary -> www.mozilla.org
|
||||
// Geotrust Global -> *. addons.mozilla.org
|
||||
{
|
||||
"chromium_data" : {
|
||||
"cert_file_url": "https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.certs",
|
||||
"json_file_url": "https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.json",
|
||||
"excluded_pinsets": [
|
||||
],
|
||||
"production_domains": [
|
||||
"pinningtest.appspot.com"
|
||||
]
|
||||
},
|
||||
"pinsets": [
|
||||
{
|
||||
// From bug 772756, mozilla uses GeoTrust, Digicert and Thawte. Our
|
||||
|
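Review bot: The new `production_domains` and `excluded_pinsets` keys under `"chromium_data"` carry no comment explaining their effect, although this file already uses `//` comments for the pinset entries below. From the accompanying script change, listing a domain in `production_domains` makes its Chrome-imported pins enforced (`test_mode: false`) rather than report-only, and naming a pinset in `excluded_pinsets` drops every Chrome entry that uses it, so an editor of this list is changing enforcement behaviour without the file saying so. Suggest a comment above `"chromium_data"` such as `// production_domains: Chrome-imported domains whose pins are enforced rather than test-only; excluded_pinsets: Chrome pinset names whose entries are not imported at all.` The wording is inferred from the script hunk on this commit, so confirm it against that code before adding it.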
@ -35,8 +35,6 @@ const GOOGLE_PIN_PREFIX = "GOOGLE_PIN_";
|
||||
|
||||
// Pins expire in 18 weeks
|
||||
const PINNING_MINIMUM_REQUIRED_MAX_AGE = 60 * 60 * 24 * 7 * 18;
|
||||
const CHROME_JSON_SOURCE = "https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.json";
|
||||
const CHROME_CERT_SOURCE = "https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.certs";
|
||||
|
||||
const FILE_HEADER = "/* This Source Code Form is subject to the terms of the Mozilla Public\n" +
|
||||
" * License, v. 2.0. If a copy of the MPL was not distributed with this\n" +
|
||||
@ -312,13 +310,18 @@ function downloadAndParseChromePins(filename,
|
||||
|
||||
// Grab the domain entry lists. Chrome's entry format is similar to
|
||||
// ours, except theirs includes a HSTS mode.
|
||||
const cData = gStaticPins.chromium_data;
|
||||
let entries = chromePreloads.entries;
|
||||
entries.forEach(function(entry) {
|
||||
if (entry.pins && chromeImportedPinsets[entry.pins]) {
|
||||
let isExcludedPinset =
|
||||
(cData.excluded_pinsets.indexOf(entry.pins) != -1);
|
||||
let isProductionDomain =
|
||||
(cData.production_domains.indexOf(entry.name) != -1);
|
||||
if (entry.pins && chromeImportedPinsets[entry.pins] && !isExcludedPinset) {
|
||||
chromeImportedEntries.push({
|
||||
name: entry.name,
|
||||
include_subdomains: entry.include_subdomains,
|
||||
test_mode: true,
|
||||
test_mode: !isProductionDomain,
|
||||
is_moz: false,
|
||||
pins: entry.pins });
|
||||
}
|
||||
@ -536,10 +539,10 @@ function writeFile(certNameToSKD, certSKDToName,
|
||||
|
||||
let [ certNameToSKD, certSKDToName ] = loadNSSCertinfo(gTestCertFile);
|
||||
let [ chromeNameToHash, chromeNameToMozName ] = downloadAndParseChromeCerts(
|
||||
CHROME_CERT_SOURCE, certSKDToName);
|
||||
gStaticPins.chromium_data.cert_file_url, certSKDToName);
|
||||
let [ chromeImportedPinsets, chromeImportedEntries ] =
|
||||
downloadAndParseChromePins(CHROME_JSON_SOURCE, chromeNameToHash,
|
||||
chromeNameToMozName, certNameToSKD, certSKDToName);
|
||||
downloadAndParseChromePins(gStaticPins.chromium_data.json_file_url,
|
||||
chromeNameToHash, chromeNameToMozName, certNameToSKD, certSKDToName);
|
||||
|
||||
writeFile(certNameToSKD, certSKDToName, chromeImportedPinsets,
|
||||
chromeImportedEntries);
|
||||
|
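Review bot: In the downloadAndParseChromePins hunk, a domain listed in `cData.production_domains` that matches no Chrome entry (a typo, a domain Chrome has since dropped, or one whose pinset is in `excluded_pinsets`) is silently ignored and stays in test mode, so the configuration mistake that matters most for this enforcement switch produces no output. After the `entries.forEach` loop, whose closing `});` lies outside the hunk, a check would surface it: `cData.production_domains.forEach(function(domain) {` / `  if (!chromeImportedEntries.some(function(e) { return e.name == domain; })) throw new Error("production domain " + domain + " has no Chrome pin entry");` / `});`. The lookup on `entry.name` is also exact, so a production domain that Chrome covers only through a parent entry with `include_subdomains` would presumably remain test-only — worth confirming against the imported data. The enclosing function starts and ends outside the hunk.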