Bug 1009635 - PreloadedHPKP.json should also contain production/exclusion lists. r=keeler

--HG--
extra : rebase_source : 46c13e490358f26b21191d6d783d795897ceea63
Camilo Viecco 2014-05-15 08:04:54 -07:00
parent bf9922a2e0
commit e7518a4528
3 changed files with 21 additions and 9 deletions


@ -745,7 +745,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
{ "media.mozilla.com", true, true, true, -1, &kPinset_mozilla },
{ "mobile.twitter.com", true, true, false, -1, &kPinset_twitterCom },
{ "oauth.twitter.com", true, true, false, -1, &kPinset_twitterCom },
{ "pinningtest.appspot.com", true, true, false, -1, &kPinset_test },
{ "pinningtest.appspot.com", true, false, false, -1, &kPinset_test },
{ "platform.twitter.com", true, true, false, -1, &kPinset_twitterCDN },
{ "play.google.com", false, true, false, -1, &kPinset_google },
{ "plus.google.com", true, true, false, -1, &kPinset_google },
@ -779,4 +779,4 @@ static const int kPublicKeyPinningPreloadListLength = 307;
static const int32_t kUnknownId = -1;
static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1411498007030000);
static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1411598636448000);


@ -25,6 +25,15 @@
// Geotrust Primary -> www.mozilla.org
// Geotrust Global -> *. addons.mozilla.org
{
"chromium_data" : {
"cert_file_url": "https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.certs",
"json_file_url": "https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.json",
"excluded_pinsets": [
],
"production_domains": [
"pinningtest.appspot.com"
]
},
"pinsets": [
{
// From bug 772756, mozilla uses GeoTrust, Digicert and Thawte. Our
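Review bot: The new `excluded_pinsets` and `production_domains` lists under `"chromium_data"` carry no comment saying what they do, although this file already uses `//` comments (the Geotrust lines just above), and the generator change in the same commit makes a name in `production_domains` switch an imported Chrome entry from test mode to enforcing pins. I would add above `"chromium_data" : {` a comment such as `// excluded_pinsets: Chrome pinsets skipped on import; production_domains: imported hosts whose pins are enforced (test_mode false)`. It may also be worth a one-line comment noting that `pinningtest.appspot.com` is deliberately the only enforced import, so the next editor does not treat the list as a general allowlist.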


@ -35,8 +35,6 @@ const GOOGLE_PIN_PREFIX = "GOOGLE_PIN_";
// Pins expire in 18 weeks
const PINNING_MINIMUM_REQUIRED_MAX_AGE = 60 * 60 * 24 * 7 * 18;
const CHROME_JSON_SOURCE = "https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.json";
const CHROME_CERT_SOURCE = "https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.certs";
const FILE_HEADER = "/* This Source Code Form is subject to the terms of the Mozilla Public\n" +
" * License, v. 2.0. If a copy of the MPL was not distributed with this\n" +
@ -312,13 +310,18 @@ function downloadAndParseChromePins(filename,
// Grab the domain entry lists. Chrome's entry format is similar to
// ours, except theirs includes a HSTS mode.
const cData = gStaticPins.chromium_data;
let entries = chromePreloads.entries;
entries.forEach(function(entry) {
if (entry.pins && chromeImportedPinsets[entry.pins]) {
let isExcludedPinset =
(cData.excluded_pinsets.indexOf(entry.pins) != -1);
let isProductionDomain =
(cData.production_domains.indexOf(entry.name) != -1);
if (entry.pins && chromeImportedPinsets[entry.pins] && !isExcludedPinset) {
chromeImportedEntries.push({
name: entry.name,
include_subdomains: entry.include_subdomains,
test_mode: true,
test_mode: !isProductionDomain,
is_moz: false,
pins: entry.pins });
}
@ -536,10 +539,10 @@ function writeFile(certNameToSKD, certSKDToName,
let [ certNameToSKD, certSKDToName ] = loadNSSCertinfo(gTestCertFile);
let [ chromeNameToHash, chromeNameToMozName ] = downloadAndParseChromeCerts(
CHROME_CERT_SOURCE, certSKDToName);
gStaticPins.chromium_data.cert_file_url, certSKDToName);
let [ chromeImportedPinsets, chromeImportedEntries ] =
downloadAndParseChromePins(CHROME_JSON_SOURCE, chromeNameToHash,
chromeNameToMozName, certNameToSKD, certSKDToName);
downloadAndParseChromePins(gStaticPins.chromium_data.json_file_url,
chromeNameToHash, chromeNameToMozName, certNameToSKD, certSKDToName);
writeFile(certNameToSKD, certSKDToName, chromeImportedPinsets,
chromeImportedEntries);
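Review bot: A name listed in `production_domains` that never matches an imported Chrome entry, or whose pinset is in `excluded_pinsets`, is silently dropped by the new condition on the `if (entry.pins && chromeImportedPinsets[entry.pins] && !isExcludedPinset)` line, so a typo in PreloadedHPKP.json leaves that host in test mode with no signal to the person regenerating the header. I would at least report the excluded case inside the loop, e.g. `if (isProductionDomain && isExcludedPinset) { throw new Error("production domain " + entry.name + " uses an excluded pinset"); }`, and consider checking after the loop that every `production_domains` entry was actually matched; the end of the forEach and the rest of downloadAndParseChromePins lie outside the hunk. As a point of style, the two new membership tests should use strict comparison, `cData.excluded_pinsets.indexOf(entry.pins) !== -1` and `cData.production_domains.indexOf(entry.name) !== -1`, matching the `!==` idiom rather than the coercing `!=`.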