From e59d62647728a26a1c1aef08330436ad85982732 Mon Sep 17 00:00:00 2001
From: David Keeler
Date: Mon, 8 Sep 2014 09:33:03 -0700
Subject: [PATCH] bug 1004781 - follow-up to add "DigiCert ECC Secure Server CA" to Facebook's pinset r=mmc

---
 security/manager/boot/src/StaticHPKPins.h | 7 ++++++-
 security/manager/tools/PreloadedHPKPins.json | 14 ++++++++++---
 security/manager/tools/genHPKPStaticPins.js | 22 ++++++++++++++++++--
 3 files changed, 37 insertions(+), 6 deletions(-)

diff --git a/security/manager/boot/src/StaticHPKPins.h b/security/manager/boot/src/StaticHPKPins.h
index 0e90b592c53..658944dfd7d 100644
--- a/security/manager/boot/src/StaticHPKPins.h
+++ b/security/manager/boot/src/StaticHPKPins.h
@@ -79,6 +79,10 @@ static const char kCybertrust_Global_RootFingerprint[] =
 static const char kDigiCert_Assured_ID_Root_CAFingerprint[] =
   "I/Lt/z7ekCWanjD0Cvj5EqXls2lOaThEA0H2Bg4BT/o=";
 
+/* DigiCert ECC Secure Server CA */
+static const char kDigiCert_ECC_Secure_Server_CAFingerprint[] =
+  "PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=";
+
 /* DigiCert Global Root CA */
 static const char kDigiCert_Global_Root_CAFingerprint[] =
   "r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=";
@@ -364,6 +368,7 @@ struct StaticPinset {
 
 /* PreloadedHPKPins.json pinsets */
 static const char* kPinset_facebook_sha256_Data[] = {
+  kDigiCert_ECC_Secure_Server_CAFingerprint,
   kVerisign_Class_3_Public_Primary_Certification_Authority___G3Fingerprint,
   kDigiCert_High_Assurance_EV_Root_CAFingerprint,
 };
@@ -1087,4 +1092,4 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
 
 static const int32_t kUnknownId = -1;
 
-static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1418465237331000);
+static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1418659817121000);
diff --git a/security/manager/tools/PreloadedHPKPins.json b/security/manager/tools/PreloadedHPKPins.json
index 96367eced8e..ed3b9b798d5 100644
--- a/security/manager/tools/PreloadedHPKPins.json
+++ b/security/manager/tools/PreloadedHPKPins.json
@@ -19,6 +19,10 @@
 // name: (string) the DNS name of the host in question
 // include_subdomains: (optional bool) whether subdomains of |name| are also covered
 // pins: (string) the |name| member of an object in |pinsets|
+//
+// "extra_certs" is a list of base64-encoded certificates. These are used in
+// pinsets that reference certificates not in our root program (for example,
+// Facebook).
 
 // equifax -> aus3
 // Geotrust Primary -> www.mozilla.org
@@ -186,13 +190,12 @@
         "XRamp Global CA Root"
       ]
     },
-    // For pinning tests on pinning.example.com, the certificate must be 'End
-    // Entity Test Cert'
     {
       "name": "facebook",
       "sha256_hashes": [
         "Verisign Class 3 Public Primary Certification Authority - G3",
-        "DigiCert High Assurance EV Root CA"
+        "DigiCert High Assurance EV Root CA",
+        "DigiCert ECC Secure Server CA"
       ]
     }
   ],
@@ -235,5 +238,10 @@
 
     // Facebook (not pinned by Chrome)
     { "name": "facebook.com", "include_subdomains": true, "pins": "facebook", "test_mode": true }
+  ],
+
+  "extra_certificates": [
+    // DigiCert ECC Secure Server CA (for Facebook)
+    "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"
   ]
 }
diff --git a/security/manager/tools/genHPKPStaticPins.js b/security/manager/tools/genHPKPStaticPins.js
index 9798c5abfc6..d16d017828c 100644
--- a/security/manager/tools/genHPKPStaticPins.js
+++ b/security/manager/tools/genHPKPStaticPins.js
@@ -336,7 +336,7 @@ function downloadAndParseChromePins(filename,
 
 // Returns a pair of maps [certNameToSKD, certSKDToName] between cert
 // nicknames and digests of the SPKInfo for the mozilla trust store
-function loadNSSCertinfo(derTestFile) {
+function loadNSSCertinfo(derTestFile, extraCertificates) {
   let allCerts = gCertDB.getCerts();
   let enumerator = allCerts.getEnumerator();
   let certNameToSKD = {};
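Review bot: The new header comment in the `@@ -19,6 +19,10 @@` hunk documents the key as `"extra_certs"`, but the key actually added further down in this file (the `@@ -235,5 +238,10 @@` hunk) and the one the generator reads as `gStaticPins.extra_certificates` is `"extra_certificates"`, so the comment describes a key that does not exist. Use the real name: `// "extra_certificates" is a list of base64-encoded certificates. These are used in`. Since the generator appears to key these certificates by their subject common name (see the genHPKPStaticPins.js hunks), it would also help readers to state that the string referenced from `sha256_hashes` must match that common name exactly.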
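Review bot: The comment above `loadNSSCertinfo` in the `@@ -336,7 +336,7 @@` hunk still says the maps cover only the mozilla trust store, yet the signature now takes `extraCertificates`, whose entries are merged into both maps in the later `@@ -351,6 +351,14 @@` hunk. Extend the comment so the new parameter is documented where the function is declared, e.g. `// nicknames and digests of the SPKInfo for the mozilla trust store, plus the` / `// certificates passed in |extraCertificates| (keyed by subject common name).` The body of `loadNSSCertinfo` continues past the end of this hunk.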
@@ -351,6 +351,14 @@ function loadNSSCertinfo(derTestFile) {
     certNameToSKD[name] = SKD;
     certSKDToName[SKD] = name;
   }
+
+  for (let cert of extraCertificates) {
+    let name = cert.commonName;
+    let SKD = cert.sha256SubjectPublicKeyInfoDigest;
+    certNameToSKD[name] = SKD;
+    certSKDToName[SKD] = name;
+  }
+
   {
     // A certificate for *.example.com.
     let der = readFileToString(derTestFile);
@@ -545,7 +553,17 @@ function writeFile(certNameToSKD, certSKDToName,
   writeString(genExpirationTime());
 }
 
-let [ certNameToSKD, certSKDToName ] = loadNSSCertinfo(gTestCertFile);
+function loadExtraCertificates(certStringList) {
+  let constructedCerts = [];
+  for (let certString of certStringList) {
+    constructedCerts.push(gCertDB.constructX509FromBase64(certString));
+  }
+  return constructedCerts;
+}
+
+let extraCertificates = loadExtraCertificates(gStaticPins.extra_certificates);
+let [ certNameToSKD, certSKDToName ] = loadNSSCertinfo(gTestCertFile,
+                                                       extraCertificates);
 let [ chromeNameToHash, chromeNameToMozName ] = downloadAndParseChromeCerts(
   gStaticPins.chromium_data.cert_file_url, certSKDToName);
 let [ chromeImportedPinsets, chromeImportedEntries ] =
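Review bot: In the `@@ -351,6 +351,14 @@` hunk an extra certificate whose `commonName` equals the nickname of a built-in root silently overwrites that root's entry in `certNameToSKD`, so any pinset that names the root would be emitted into StaticHPKPins.h with the extra certificate's SPKI digest instead, and nothing in the generator would report it. Because the generated header is what the browser enforces, a collision like that is worth failing the build over rather than discovering later. A check before the assignment does that: `if (name in certNameToSKD) { throw new Error("Duplicate certificate name: " + name); }`. The enclosing `loadNSSCertinfo` starts and ends outside this hunk.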
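Review bot: In the `@@ -545,7 +553,17 @@` hunk `loadExtraCertificates` carries no comment and `gStaticPins.extra_certificates` is passed straight through, so a pin file that lacks that key makes the `for...of` throw a TypeError on `undefined` instead of something that names the missing key. A one-line default keeps pin files without extra certificates working: `let extraCertificates = loadExtraCertificates(gStaticPins.extra_certificates || []);`. Above the function, a comment such as `// Converts the base64-encoded certificates listed under "extra_certificates"` / `// in the pin file into certificate objects via gCertDB.constructX509FromBase64.` would tell readers where the input comes from; I would expect a malformed entry to throw from that call, which is the right outcome for a build-time tool, but that is inferred rather than visible here.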