From 2a8bdf8ac7b845b7791c86da3b89b9bf439b0c84 Mon Sep 17 00:00:00 2001
From: Monica Chew
Date: Fri, 6 Jun 2014 13:44:59 -0700
Subject: [PATCH] Bug 1020485: Enable pinning in test mode for accounts.firefox.com (r=keeler)
---
 security/manager/boot/src/StaticHPKPins.h | 15 +++++++++++++--
 security/manager/tools/PreloadedHPKPins.json | 15 +++++++++++----
 2 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/security/manager/boot/src/StaticHPKPins.h b/security/manager/boot/src/StaticHPKPins.h
index 7d9dfab74f6..4031596c1fa 100644
--- a/security/manager/boot/src/StaticHPKPins.h
+++ b/security/manager/boot/src/StaticHPKPins.h
@@ -475,6 +475,16 @@ static const StaticPinset kPinset_mozilla = {
 &kPinset_mozilla_sha256
 };
+static const char* kPinset_mozilla_fxa_sha256_Data[] = {
+ kDigiCert_Global_Root_CAFingerprint,
+};
+static const StaticFingerprints kPinset_mozilla_fxa_sha256 = { 1, kPinset_mozilla_fxa_sha256_Data };
+
+static const StaticPinset kPinset_mozilla_fxa = {
+ nullptr,
+ &kPinset_mozilla_fxa_sha256
+};
+
 static const char* kPinset_mozilla_test_sha256_Data[] = {
 kEnd_Entity_Test_CertFingerprint,
 };
@@ -660,6 +670,7 @@ struct TransportSecurityPreload {
 /* Sort hostnames for binary search. */
 static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
+ { "accounts.firefox.com", true, true, false, 4, &kPinset_mozilla_fxa },
 { "accounts.google.com", true, true, false, -1, &kPinset_google_root_pems },
 { "addons.mozilla.net", true, false, true, 2, &kPinset_mozilla },
 { "addons.mozilla.org", true, false, true, 1, &kPinset_mozilla },
@@ -984,8 +995,8 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
 { "ytimg.com", true, true, false, -1, &kPinset_google_root_pems },
 };
-static const int kPublicKeyPinningPreloadListLength = 322;
+static const int kPublicKeyPinningPreloadListLength = 323;
 static const int32_t kUnknownId = -1;
-static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1412704831237000);
+static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1412966638293000);
diff --git a/security/manager/tools/PreloadedHPKPins.json b/security/manager/tools/PreloadedHPKPins.json
index bab6f124c1d..a8ec5fdaba1 100644
--- a/security/manager/tools/PreloadedHPKPins.json
+++ b/security/manager/tools/PreloadedHPKPins.json
@@ -9,12 +9,11 @@
 //
 // "pinsets" is a list of objects. Each object has the following members:
 // name: (string) the name of the pinset
-// static_spki_hashes: (list of strings) the set of allowed SPKIs hashes
+// sha256_hashes: (list of strings) the set of allowed SPKIs hashes
 //
 // For a given pinset, a certificate is accepted if at least one of the
-// "static_spki_hashes" SPKIs is found in the chain.
-// SPKIs are specified as names, which must match up with the name given
-// in the Mozilla root store.
+// Subject Public Key Infos (SPKIs) is found in the chain. SPKIs are specified
+// as names, which must match up with the name given in the Mozilla root store.
 //
 // "entries" is a list of objects. Each object has the following members:
 // name: (string) the DNS name of the host in question
@@ -78,6 +77,12 @@
 "VeriSign Universal Root Certification Authority"
 ]
 },
+ {
+ "name": "mozilla_fxa",
+ "sha256_hashes": [
+ "DigiCert Global Root CA"
+ ]
+ },
 // For pinning tests on pinning.example.com, the certificate must be 'End
 // Entity Test Cert'
 {
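Review bot: The `mozilla_fxa` pinset added in the `@@ -78,6 +77,12 @@` hunk of PreloadedHPKPins.json lists a single name, "DigiCert Global Root CA", so it has no backup pin. While the host entry stays in test mode this should cost nothing, but once it is enforced a change of issuing CA for accounts.firefox.com would fail pin validation for clients until a new list ships or the preload expiration time passes. I would add a second root from a different CA before enforcement, or state the intent above the pinset, e.g. `// Single pin while in test mode; add a backup CA before enforcing.` Pinning at the root also accepts any chain issued under that root, which the same comment could name as the intended scope.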
@@ -176,6 +181,8 @@
 "pins": "mozilla", "test_mode": false, "id": 2 },
 { "name": "aus4.mozilla.org", "include_subdomains": true,
 "pins": "mozilla", "test_mode": true, "id": 3 },
+ { "name": "accounts.firefox.com", "include_subdomains": true,
+ "pins": "mozilla_fxa", "test_mode": true, "id": 4 },
 { "name": "cdn.mozilla.net", "include_subdomains": true,
 "pins": "mozilla", "test_mode": false },
 { "name": "cdn.mozilla.org", "include_subdomains": true,
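Review bot: The row this entry produces in StaticHPKPins.h, `{ "accounts.firefox.com", true, true, false, 4, &kPinset_mozilla_fxa }`, has `false` in its fourth field, whereas the other rows with an assigned id shown in that hunk (addons.mozilla.net, addons.mozilla.org) have `true` there. The struct that names the field is outside this diff, so this is inferred: if the field marks Mozilla-operated hosts and is set only when the pinset is called exactly `mozilla`, the new `mozilla_fxa` pinset would not set it. Please confirm the value is intended for a host that carries its own id. Since `"include_subdomains": true` applies the one-CA pinset to every subdomain, a `//` comment beside the entry saying which condition ends test mode would also help.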