Bug 1020485: Enable pinning in test mode for accounts.firefox.com (r=keeler)

Monica Chew 2014-06-06 13:44:59 -07:00
parent c5f1180f79
commit 2a8bdf8ac7
2 changed files with 24 additions and 6 deletions


@ -475,6 +475,16 @@ static const StaticPinset kPinset_mozilla = {
&kPinset_mozilla_sha256
};
static const char* kPinset_mozilla_fxa_sha256_Data[] = {
kDigiCert_Global_Root_CAFingerprint,
};
static const StaticFingerprints kPinset_mozilla_fxa_sha256 = { 1, kPinset_mozilla_fxa_sha256_Data };
static const StaticPinset kPinset_mozilla_fxa = {
nullptr,
&kPinset_mozilla_fxa_sha256
};
static const char* kPinset_mozilla_test_sha256_Data[] = {
kEnd_Entity_Test_CertFingerprint,
};
@ -660,6 +670,7 @@ struct TransportSecurityPreload {
/* Sort hostnames for binary search. */
static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
{ "accounts.firefox.com", true, true, false, 4, &kPinset_mozilla_fxa },
{ "accounts.google.com", true, true, false, -1, &kPinset_google_root_pems },
{ "addons.mozilla.net", true, false, true, 2, &kPinset_mozilla },
{ "addons.mozilla.org", true, false, true, 1, &kPinset_mozilla },
@ -984,8 +995,8 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
{ "ytimg.com", true, true, false, -1, &kPinset_google_root_pems },
};
static const int kPublicKeyPinningPreloadListLength = 322;
static const int kPublicKeyPinningPreloadListLength = 323;
static const int32_t kUnknownId = -1;
static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1412704831237000);
static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1412966638293000);
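Review bot: The new `accounts.firefox.com` row has `false` in its fourth column, while the rows that point at `&kPinset_mozilla` (`addons.mozilla.net`, `addons.mozilla.org`) have `true`. The body of `TransportSecurityPreload` is outside the hunk, so the meaning of that field is inferred here. If it marks Mozilla-operated hosts, the test-mode results for this host may be accounted with third-party sites, which would make them harder to use when deciding to enforce the pin. Please confirm whether the row should read `{ "accounts.firefox.com", true, true, true, 4, &kPinset_mozilla_fxa },`. If this table is produced from the JSON list in the second file, the change belongs there rather than in a hand edit.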


@ -9,12 +9,11 @@
//
// "pinsets" is a list of objects. Each object has the following members:
// name: (string) the name of the pinset
// static_spki_hashes: (list of strings) the set of allowed SPKIs hashes
// sha256_hashes: (list of strings) the set of allowed SPKIs hashes
//
// For a given pinset, a certificate is accepted if at least one of the
// "static_spki_hashes" SPKIs is found in the chain.
// SPKIs are specified as names, which must match up with the name given
// in the Mozilla root store.
// Subject Public Key Infos (SPKIs) is found in the chain. SPKIs are specified
// as names, which must match up with the name given in the Mozilla root store.
//
// "entries" is a list of objects. Each object has the following members:
// name: (string) the DNS name of the host in question
@ -78,6 +77,12 @@
"VeriSign Universal Root Certification Authority"
]
},
{
"name": "mozilla_fxa",
"sha256_hashes": [
"DigiCert Global Root CA"
]
},
// For pinning tests on pinning.example.com, the certificate must be 'End
// Entity Test Cert'
{
@ -176,6 +181,8 @@
"pins": "mozilla", "test_mode": false, "id": 2 },
{ "name": "aus4.mozilla.org", "include_subdomains": true,
"pins": "mozilla", "test_mode": true, "id": 3 },
{ "name": "accounts.firefox.com", "include_subdomains": true,
"pins": "mozilla_fxa", "test_mode": true, "id": 4 },
{ "name": "cdn.mozilla.net", "include_subdomains": true,
"pins": "mozilla", "test_mode": false },
{ "name": "cdn.mozilla.org", "include_subdomains": true,
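Review bot: The `mozilla_fxa` pinset lists a single root, `DigiCert Global Root CA`, and the `accounts.firefox.com` entry sets `include_subdomains` to true. Once `test_mode` is switched to false, every host under that name must chain to that one root, or connections fail until the preload list expires or a new build ships. Nothing in the file records this constraint. I would add a comment above the pinset, in the style of the existing pinning.example.com one, such as `// accounts.firefox.com is pinned to a single root; add a backup pin and review test-mode results before setting test_mode to false`.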