mirror of
https://gitlab.winehq.org/wine/wine-gecko.git
synced 2024-09-13 09:24:08 -07:00
bug 1004781 - follow-up to add "DigiCert ECC Secure Server CA" to Facebook's pinset r=mmc
parent
2b1247970e
commit
e59d626477
@ -79,6 +79,10 @@ static const char kCybertrust_Global_RootFingerprint[] =
|
||||
static const char kDigiCert_Assured_ID_Root_CAFingerprint[] =
|
||||
"I/Lt/z7ekCWanjD0Cvj5EqXls2lOaThEA0H2Bg4BT/o=";
|
||||
|
||||
/* DigiCert ECC Secure Server CA */
|
||||
static const char kDigiCert_ECC_Secure_Server_CAFingerprint[] =
|
||||
"PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=";
|
||||
|
||||
/* DigiCert Global Root CA */
|
||||
static const char kDigiCert_Global_Root_CAFingerprint[] =
|
||||
"r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=";
|
||||
@ -364,6 +368,7 @@ struct StaticPinset {
|
||||
|
||||
/* PreloadedHPKPins.json pinsets */
|
||||
static const char* kPinset_facebook_sha256_Data[] = {
|
||||
kDigiCert_ECC_Secure_Server_CAFingerprint,
|
||||
kVerisign_Class_3_Public_Primary_Certification_Authority___G3Fingerprint,
|
||||
kDigiCert_High_Assurance_EV_Root_CAFingerprint,
|
||||
};
|
||||
@ -1087,4 +1092,4 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
|
||||
|
||||
static const int32_t kUnknownId = -1;
|
||||
|
||||
static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1418465237331000);
|
||||
static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1418659817121000);
|
||||
|
@ -19,6 +19,10 @@
|
||||
// name: (string) the DNS name of the host in question
|
||||
// include_subdomains: (optional bool) whether subdomains of |name| are also covered
|
||||
// pins: (string) the |name| member of an object in |pinsets|
|
||||
//
|
||||
// "extra_certs" is a list of base64-encoded certificates. These are used in
|
||||
// pinsets that reference certificates not in our root program (for example,
|
||||
// Facebook).
|
||||
|
||||
// equifax -> aus3
|
||||
// Geotrust Primary -> www.mozilla.org
|
||||
@ -186,13 +190,12 @@
|
||||
"XRamp Global CA Root"
|
||||
]
|
||||
},
|
||||
// For pinning tests on pinning.example.com, the certificate must be 'End
|
||||
// Entity Test Cert'
|
||||
{
|
||||
"name": "facebook",
|
||||
"sha256_hashes": [
|
||||
"Verisign Class 3 Public Primary Certification Authority - G3",
|
||||
"DigiCert High Assurance EV Root CA"
|
||||
"DigiCert High Assurance EV Root CA",
|
||||
"DigiCert ECC Secure Server CA"
|
||||
]
|
||||
}
|
||||
],
|
||||
@ -235,5 +238,10 @@
|
||||
// Facebook (not pinned by Chrome)
|
||||
{ "name": "facebook.com", "include_subdomains": true,
|
||||
"pins": "facebook", "test_mode": true }
|
||||
],
|
||||
|
||||
"extra_certificates": [
|
||||
// DigiCert ECC Secure Server CA (for Facebook)
|
||||
"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"
|
||||
]
|
||||
}
|
||||
|
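Review bot: The header comment added in the first hunk documents the key as `"extra_certs"`, but the array added at the end of the file, which the generator reads as `gStaticPins.extra_certificates`, is named `"extra_certificates"`. The comment should read `// "extra_certificates" is a list of base64-encoded certificates. These are used in`, so that anyone adding a certificate uses the key that is actually consumed. It would also help to say there that a pinset refers to an extra certificate by its common name, because nothing else in this file ties the base64 blob to the `"DigiCert ECC Secure Server CA"` entry in the facebook pinset.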
@ -336,7 +336,7 @@ function downloadAndParseChromePins(filename,
|
||||
|
||||
// Returns a pair of maps [certNameToSKD, certSKDToName] between cert
|
||||
// nicknames and digests of the SPKInfo for the mozilla trust store
|
||||
function loadNSSCertinfo(derTestFile) {
|
||||
function loadNSSCertinfo(derTestFile, extraCertificates) {
|
||||
let allCerts = gCertDB.getCerts();
|
||||
let enumerator = allCerts.getEnumerator();
|
||||
let certNameToSKD = {};
|
||||
@ -351,6 +351,14 @@ function loadNSSCertinfo(derTestFile) {
|
||||
certNameToSKD[name] = SKD;
|
||||
certSKDToName[SKD] = name;
|
||||
}
|
||||
|
||||
for (let cert of extraCertificates) {
|
||||
let name = cert.commonName;
|
||||
let SKD = cert.sha256SubjectPublicKeyInfoDigest;
|
||||
certNameToSKD[name] = SKD;
|
||||
certSKDToName[SKD] = name;
|
||||
}
|
||||
|
||||
{
|
||||
// A certificate for *.example.com.
|
||||
let der = readFileToString(derTestFile);
|
||||
@ -545,7 +553,17 @@ function writeFile(certNameToSKD, certSKDToName,
|
||||
writeString(genExpirationTime());
|
||||
}
|
||||
|
||||
let [ certNameToSKD, certSKDToName ] = loadNSSCertinfo(gTestCertFile);
|
||||
function loadExtraCertificates(certStringList) {
|
||||
let constructedCerts = [];
|
||||
for (let certString of certStringList) {
|
||||
constructedCerts.push(gCertDB.constructX509FromBase64(certString));
|
||||
}
|
||||
return constructedCerts;
|
||||
}
|
||||
|
||||
let extraCertificates = loadExtraCertificates(gStaticPins.extra_certificates);
|
||||
let [ certNameToSKD, certSKDToName ] = loadNSSCertinfo(gTestCertFile,
|
||||
extraCertificates);
|
||||
let [ chromeNameToHash, chromeNameToMozName ] = downloadAndParseChromeCerts(
|
||||
gStaticPins.chromium_data.cert_file_url, certSKDToName);
|
||||
let [ chromeImportedPinsets, chromeImportedEntries ] =
|
||||
|
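Review bot: The new `for (let cert of extraCertificates)` loop in loadNSSCertinfo assigns `certNameToSKD[name]` and `certSKDToName[SKD]` without checking whether either key is already present. An extra certificate whose commonName or SPKI digest matches an entry loaded from the trust store would silently replace it (how the built-in names are derived is outside the hunk), and a pinset name would then resolve to the key supplied in the JSON file. Since these certificates are not in the root program, the generator should stop on a collision or an empty name, for example `if (!name || name in certNameToSKD || SKD in certSKDToName) { throw new Error("extra certificate collides with an existing entry: " + name); }` before the two assignments. The call site also passes `gStaticPins.extra_certificates` straight to `loadExtraCertificates`, so a JSON file without that key fails with an iteration error on `undefined`; `gStaticPins.extra_certificates || []` or an explicit check would make the failure clear. The body of loadNSSCertinfo starts and ends outside the hunks shown.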