commit 3832c89a58e2b526a40e6399dceec3c21524f01a
Author: Cykesiopka cykesiopka.bmo@gmail.com
Date: Wed Jan 20 20:45:29 2016 -0800
Bug 1233328 - Part 2: Use SHA-256 StaticFingerprints directly instead of StaticPinset since the SHA-1 StaticFingerprints entry will always be null. r=keeler
---
security/manager/ssl/PublicKeyPinningService.cpp | 10 +-
security/manager/ssl/StaticHPKPins.h | 259 ++++++-----------------
security/manager/tools/genHPKPStaticPins.js | 10 +-
3 files changed, 75 insertions(+), 204 deletions(-)
diff --git a/security/manager/ssl/PublicKeyPinningService.cpp b/security/manager/ssl/PublicKeyPinningService.cpp
index 7fa7bf7..d6fcd0b 100644
--- a/security/manager/ssl/PublicKeyPinningService.cpp
+++ b/security/manager/ssl/PublicKeyPinningService.cpp
@@ -95,21 +95,17 @@ EvalCert(const CERTCertificate* cert, const StaticFingerprints* fingerprints,
/* * Sets certListIntersectsPinset to true if a given chain matches any - * fingerprints from the given pinset or the dynamicFingerprints array, or to - * false otherwise. + * fingerprints from the given static fingerprints or the + * dynamicFingerprints array, or to false otherwise. */ static nsresult -EvalChain(const CERTCertList* certList, const StaticPinset* pinset, +EvalChain(const CERTCertList* certList, const StaticFingerprints* fingerprints, const nsTArray<nsCString>* dynamicFingerprints, /*out*/ bool& certListIntersectsPinset) { certListIntersectsPinset = false; CERTCertificate* currentCert;
- const StaticFingerprints* fingerprints = nullptr; - if (pinset) { - fingerprints = pinset->sha256; - } if (!fingerprints && !dynamicFingerprints) { MOZ_ASSERT(false, "Must pass in at least one type of pinset"); return NS_ERROR_FAILURE; diff --git a/security/manager/ssl/StaticHPKPins.h b/security/manager/ssl/StaticHPKPins.h index 7fb0c7e..f05af88 100644 --- a/security/manager/ssl/StaticHPKPins.h +++ b/security/manager/ssl/StaticHPKPins.h @@ -113,7 +113,7 @@ static const char kEquifax_Secure_eBusiness_CA_1Fingerprint[] =
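Review bot: The doc comment above EvalChain does not say that either pointer may be null but not both, although the body enforces exactly that with `if (!fingerprints && !dynamicFingerprints)` and returns NS_ERROR_FAILURE. Now that callers hand in the fingerprint list directly rather than a wrapper struct, I would add a line such as `* At least one of fingerprints and dynamicFingerprints must be non-null.` to that comment. The out-parameter name `certListIntersectsPinset` and the assertion text still say "pinset"; that reads fine if "pinset" remains the term for the combined static and dynamic set, but it is worth a glance for consistency with the reworded comment. EvalChain's body continues outside the hunk.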
/* FacebookBackup */ static const char kFacebookBackupFingerprint[] = - "1ww8E0AYsR2oX5lndk2hwp2Uosk="; + "q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ=";
/* GOOGLE_PIN_DigiCertECCSecureServerCA */ static const char kGOOGLE_PIN_DigiCertECCSecureServerCAFingerprint[] = @@ -213,7 +213,7 @@ static const char kGo_Daddy_Root_Certificate_Authority___G2Fingerprint[] =
/* GoogleBackup2048 */ static const char kGoogleBackup2048Fingerprint[] = - "vq7OyjSnqOco9nyMCDGdy77eijM="; + "IPMbDAjLVSGntGO3WP53X/zilCVndez5YJ2+vJvhJsA=";
/* Network Solutions Certificate Authority */ static const char kNetwork_Solutions_Certificate_AuthorityFingerprint[] = @@ -221,11 +221,11 @@ static const char kNetwork_Solutions_Certificate_AuthorityFingerprint[] =
/* SpiderOak2 */ static const char kSpiderOak2Fingerprint[] = - "D0fS/hquA6QprluciyO1hlFUAxg="; + "7Y3UnxbffL8aFPXsOJBpGasgpDmngpIhAxGKdQRklQQ=";
/* SpiderOak3 */ static const char kSpiderOak3Fingerprint[] = - "l5JoIXv4lztZ+C6TJWgxZCHQzS4="; + "LkER54vOdlygpTsbYvlpMq1CE/lDAG1AP9xmdtwvV2A=";
/* Starfield Class 2 CA */ static const char kStarfield_Class_2_CAFingerprint[] = @@ -257,19 +257,19 @@ static const char kTestSPKIFingerprint[] =
/* Tor1 */ static const char kTor1Fingerprint[] = - "juNxSTv9UANmpC9kF5GKpmWNx3Y="; + "bYz9JTDk89X3qu3fgswG+lBQso5vI0N1f0Rx4go4nLo=";
/* Tor2 */ static const char kTor2Fingerprint[] = - "lia43lPolzSPVIq34Dw57uYcLD8="; + "xXCxhTdn7uxXneJSbQCqoAvuW3ZtQl2pDVTf2sewS8w=";
/* Tor3 */ static const char kTor3Fingerprint[] = - "rzEyQIKOh77j87n5bjWUNguXF8Y="; + "CleC1qwUR8JPgH1nXvSe2VHxDe5/KfNs96EusbfSOfo=";
/* Twitter1 */ static const char kTwitter1Fingerprint[] = - "Vv7zwhR9TtOIN/29MFI4cgHld40="; + "vU9M48LzD/CF34wE5PPf4nBwRyosy06X21J0ap8yS5s=";
/* UTN USERFirst Email Root CA */ static const char kUTN_USERFirst_Email_Root_CAFingerprint[] = @@ -329,11 +329,11 @@ static const char kXRamp_Global_CA_RootFingerprint[] =
/* YahooBackup1 */ static const char kYahooBackup1Fingerprint[] = - "uwnZN/atr9+khywDukPzmD9kFiY="; + "2fRAUXyxl4A1/XHrKNBmc8bTkzA7y4FB/GLJuNAzCqY=";
/* YahooBackup2 */ static const char kYahooBackup2Fingerprint[] = - "Ui85k1YWcCl0z/4IlMvrDmI5zEo="; + "dolnbtzEBnELx/9lOEQ22e6OZO/QNb6VSSX2XHA3E7A=";
/* thawte Primary Root CA */ static const char kthawte_Primary_Root_CAFingerprint[] = @@ -353,13 +353,8 @@ struct StaticFingerprints { const char* const* data; };
-struct StaticPinset { - const StaticFingerprints* sha1; - const StaticFingerprints* sha256; -}; - /* PreloadedHPKPins.json pinsets */ -static const char* kPinset_google_root_pems_sha256_Data[] = { +static const char* kPinset_google_root_pems_Data[] = { kEquifax_Secure_CAFingerprint, kComodo_Trusted_Services_rootFingerprint, kCOMODO_ECC_Certification_AuthorityFingerprint, @@ -416,17 +411,12 @@ static const char* kPinset_google_root_pems_sha256_Data[] = { kAffirmTrust_PremiumFingerprint, kAddTrust_Qualified_Certificates_RootFingerprint, }; -static const StaticFingerprints kPinset_google_root_pems_sha256 = { - sizeof(kPinset_google_root_pems_sha256_Data) / sizeof(const char*), - kPinset_google_root_pems_sha256_Data -}; - -static const StaticPinset kPinset_google_root_pems = { - nullptr, - &kPinset_google_root_pems_sha256 +static const StaticFingerprints kPinset_google_root_pems = { + sizeof(kPinset_google_root_pems_Data) / sizeof(const char*), + kPinset_google_root_pems_Data };
-static const char* kPinset_mozilla_sha256_Data[] = { +static const char* kPinset_mozilla_Data[] = { kGeoTrust_Global_CA_2Fingerprint, kthawte_Primary_Root_CA___G3Fingerprint, kthawte_Primary_Root_CAFingerprint, @@ -448,113 +438,61 @@ static const char* kPinset_mozilla_sha256_Data[] = { kDigiCert_Global_Root_CAFingerprint, kGeoTrust_Primary_Certification_Authority___G2Fingerprint, }; -static const StaticFingerprints kPinset_mozilla_sha256 = { - sizeof(kPinset_mozilla_sha256_Data) / sizeof(const char*), - kPinset_mozilla_sha256_Data +static const StaticFingerprints kPinset_mozilla = { + sizeof(kPinset_mozilla_Data) / sizeof(const char*), + kPinset_mozilla_Data };
-static const StaticPinset kPinset_mozilla = { - nullptr, - &kPinset_mozilla_sha256 -}; - -static const char* kPinset_mozilla_services_sha256_Data[] = { +static const char* kPinset_mozilla_services_Data[] = { kDigiCert_Global_Root_CAFingerprint, }; -static const StaticFingerprints kPinset_mozilla_services_sha256 = { - sizeof(kPinset_mozilla_services_sha256_Data) / sizeof(const char*), - kPinset_mozilla_services_sha256_Data -}; - -static const StaticPinset kPinset_mozilla_services = { - nullptr, - &kPinset_mozilla_services_sha256 +static const StaticFingerprints kPinset_mozilla_services = { + sizeof(kPinset_mozilla_services_Data) / sizeof(const char*), + kPinset_mozilla_services_Data };
-static const char* kPinset_mozilla_test_sha256_Data[] = { +static const char* kPinset_mozilla_test_Data[] = { kEnd_Entity_Test_CertFingerprint, }; -static const StaticFingerprints kPinset_mozilla_test_sha256 = { - sizeof(kPinset_mozilla_test_sha256_Data) / sizeof(const char*), - kPinset_mozilla_test_sha256_Data -}; - -static const StaticPinset kPinset_mozilla_test = { - nullptr, - &kPinset_mozilla_test_sha256 +static const StaticFingerprints kPinset_mozilla_test = { + sizeof(kPinset_mozilla_test_Data) / sizeof(const char*), + kPinset_mozilla_test_Data };
/* Chrome static pinsets */ -static const char* kPinset_test_sha256_Data[] = { +static const char* kPinset_test_Data[] = { kTestSPKIFingerprint, }; -static const StaticFingerprints kPinset_test_sha256 = { - sizeof(kPinset_test_sha256_Data) / sizeof(const char*), - kPinset_test_sha256_Data -}; - -static const StaticPinset kPinset_test = { - nullptr, - &kPinset_test_sha256 -}; - -static const char* kPinset_google_sha1_Data[] = { - kGoogleBackup2048Fingerprint, -}; -static const StaticFingerprints kPinset_google_sha1 = { - sizeof(kPinset_google_sha1_Data) / sizeof(const char*), - kPinset_google_sha1_Data +static const StaticFingerprints kPinset_test = { + sizeof(kPinset_test_Data) / sizeof(const char*), + kPinset_test_Data };
-static const char* kPinset_google_sha256_Data[] = { +static const char* kPinset_google_Data[] = { kGOOGLE_PIN_GoogleG2Fingerprint, + kGoogleBackup2048Fingerprint, kGeoTrust_Global_CAFingerprint, }; -static const StaticFingerprints kPinset_google_sha256 = { - sizeof(kPinset_google_sha256_Data) / sizeof(const char*), - kPinset_google_sha256_Data -}; - -static const StaticPinset kPinset_google = { - &kPinset_google_sha1, - &kPinset_google_sha256 +static const StaticFingerprints kPinset_google = { + sizeof(kPinset_google_Data) / sizeof(const char*), + kPinset_google_Data };
-static const char* kPinset_tor_sha1_Data[] = { - kTor1Fingerprint, - kTor2Fingerprint, +static const char* kPinset_tor_Data[] = { kTor3Fingerprint, -}; -static const StaticFingerprints kPinset_tor_sha1 = { - sizeof(kPinset_tor_sha1_Data) / sizeof(const char*), - kPinset_tor_sha1_Data -}; - -static const char* kPinset_tor_sha256_Data[] = { kDigiCert_High_Assurance_EV_Root_CAFingerprint, kGOOGLE_PIN_LetsEncryptAuthorityX1Fingerprint, + kTor1Fingerprint, kGOOGLE_PIN_RapidSSLFingerprint, kGOOGLE_PIN_LetsEncryptAuthorityX2Fingerprint, + kTor2Fingerprint, }; -static const StaticFingerprints kPinset_tor_sha256 = { - sizeof(kPinset_tor_sha256_Data) / sizeof(const char*), - kPinset_tor_sha256_Data -}; - -static const StaticPinset kPinset_tor = { - &kPinset_tor_sha1, - &kPinset_tor_sha256 -}; - -static const char* kPinset_twitterCom_sha1_Data[] = { - kTwitter1Fingerprint, -}; -static const StaticFingerprints kPinset_twitterCom_sha1 = { - sizeof(kPinset_twitterCom_sha1_Data) / sizeof(const char*), - kPinset_twitterCom_sha1_Data +static const StaticFingerprints kPinset_tor = { + sizeof(kPinset_tor_Data) / sizeof(const char*), + kPinset_tor_Data };
-static const char* kPinset_twitterCom_sha256_Data[] = { +static const char* kPinset_twitterCom_Data[] = { kVerisign_Class_2_Public_Primary_Certification_Authority___G2Fingerprint, kVerisign_Class_3_Public_Primary_Certification_Authority___G2Fingerprint, kGeoTrust_Global_CA_2Fingerprint, @@ -575,26 +513,14 @@ static const char* kPinset_twitterCom_sha256_Data[] = { kGeoTrust_Primary_Certification_Authority___G3Fingerprint, kDigiCert_Global_Root_CAFingerprint, kGeoTrust_Primary_Certification_Authority___G2Fingerprint, -}; -static const StaticFingerprints kPinset_twitterCom_sha256 = { - sizeof(kPinset_twitterCom_sha256_Data) / sizeof(const char*), - kPinset_twitterCom_sha256_Data -}; - -static const StaticPinset kPinset_twitterCom = { - &kPinset_twitterCom_sha1, - &kPinset_twitterCom_sha256 -}; - -static const char* kPinset_twitterCDN_sha1_Data[] = { kTwitter1Fingerprint, }; -static const StaticFingerprints kPinset_twitterCDN_sha1 = { - sizeof(kPinset_twitterCDN_sha1_Data) / sizeof(const char*), - kPinset_twitterCDN_sha1_Data +static const StaticFingerprints kPinset_twitterCom = { + sizeof(kPinset_twitterCom_Data) / sizeof(const char*), + kPinset_twitterCom_Data };
-static const char* kPinset_twitterCDN_sha256_Data[] = { +static const char* kPinset_twitterCDN_Data[] = { kVerisign_Class_2_Public_Primary_Certification_Authority___G2Fingerprint, kComodo_Trusted_Services_rootFingerprint, kCOMODO_Certification_AuthorityFingerprint, @@ -635,19 +561,15 @@ static const char* kPinset_twitterCDN_sha256_Data[] = { kDigiCert_Global_Root_CAFingerprint, kGeoTrust_Primary_Certification_Authority___G2Fingerprint, kComodo_AAA_Services_rootFingerprint, + kTwitter1Fingerprint, kAddTrust_Qualified_Certificates_RootFingerprint, }; -static const StaticFingerprints kPinset_twitterCDN_sha256 = { - sizeof(kPinset_twitterCDN_sha256_Data) / sizeof(const char*), - kPinset_twitterCDN_sha256_Data +static const StaticFingerprints kPinset_twitterCDN = { + sizeof(kPinset_twitterCDN_Data) / sizeof(const char*), + kPinset_twitterCDN_Data };
-static const StaticPinset kPinset_twitterCDN = { - &kPinset_twitterCDN_sha1, - &kPinset_twitterCDN_sha256 -}; - -static const char* kPinset_dropbox_sha256_Data[] = { +static const char* kPinset_dropbox_Data[] = { kEntrust_Root_Certification_Authority___EC1Fingerprint, kGOOGLE_PIN_ThawtePremiumServerFingerprint, kthawte_Primary_Root_CA___G3Fingerprint, @@ -667,72 +589,35 @@ static const char* kPinset_dropbox_sha256_Data[] = { kDigiCert_Global_Root_CAFingerprint, kGeoTrust_Primary_Certification_Authority___G2Fingerprint, }; -static const StaticFingerprints kPinset_dropbox_sha256 = { - sizeof(kPinset_dropbox_sha256_Data) / sizeof(const char*), - kPinset_dropbox_sha256_Data -}; - -static const StaticPinset kPinset_dropbox = { - nullptr, - &kPinset_dropbox_sha256 -}; - -static const char* kPinset_facebook_sha1_Data[] = { - kFacebookBackupFingerprint, -}; -static const StaticFingerprints kPinset_facebook_sha1 = { - sizeof(kPinset_facebook_sha1_Data) / sizeof(const char*), - kPinset_facebook_sha1_Data +static const StaticFingerprints kPinset_dropbox = { + sizeof(kPinset_dropbox_Data) / sizeof(const char*), + kPinset_dropbox_Data };
-static const char* kPinset_facebook_sha256_Data[] = { +static const char* kPinset_facebook_Data[] = { kGOOGLE_PIN_DigiCertECCSecureServerCAFingerprint, kDigiCert_High_Assurance_EV_Root_CAFingerprint, kGOOGLE_PIN_SymantecClass3EVG3Fingerprint, + kFacebookBackupFingerprint, }; -static const StaticFingerprints kPinset_facebook_sha256 = { - sizeof(kPinset_facebook_sha256_Data) / sizeof(const char*), - kPinset_facebook_sha256_Data -}; - -static const StaticPinset kPinset_facebook = { - &kPinset_facebook_sha1, - &kPinset_facebook_sha256 +static const StaticFingerprints kPinset_facebook = { + sizeof(kPinset_facebook_Data) / sizeof(const char*), + kPinset_facebook_Data };
-static const char* kPinset_spideroak_sha1_Data[] = { +static const char* kPinset_spideroak_Data[] = { kSpiderOak2Fingerprint, kSpiderOak3Fingerprint, -}; -static const StaticFingerprints kPinset_spideroak_sha1 = { - sizeof(kPinset_spideroak_sha1_Data) / sizeof(const char*), - kPinset_spideroak_sha1_Data -}; - -static const char* kPinset_spideroak_sha256_Data[] = { kDigiCert_High_Assurance_EV_Root_CAFingerprint, kGeoTrust_Global_CAFingerprint, }; -static const StaticFingerprints kPinset_spideroak_sha256 = { - sizeof(kPinset_spideroak_sha256_Data) / sizeof(const char*), - kPinset_spideroak_sha256_Data -}; - -static const StaticPinset kPinset_spideroak = { - &kPinset_spideroak_sha1, - &kPinset_spideroak_sha256 +static const StaticFingerprints kPinset_spideroak = { + sizeof(kPinset_spideroak_Data) / sizeof(const char*), + kPinset_spideroak_Data };
-static const char* kPinset_yahoo_sha1_Data[] = { - kYahooBackup2Fingerprint, +static const char* kPinset_yahoo_Data[] = { kYahooBackup1Fingerprint, -}; -static const StaticFingerprints kPinset_yahoo_sha1 = { - sizeof(kPinset_yahoo_sha1_Data) / sizeof(const char*), - kPinset_yahoo_sha1_Data -}; - -static const char* kPinset_yahoo_sha256_Data[] = { kVerisign_Class_2_Public_Primary_Certification_Authority___G2Fingerprint, kVeriSign_Class_3_Public_Primary_Certification_Authority___G5Fingerprint, kGeoTrust_Primary_Certification_AuthorityFingerprint, @@ -740,6 +625,7 @@ static const char* kPinset_yahoo_sha256_Data[] = { kVeriSign_Class_3_Public_Primary_Certification_Authority___G4Fingerprint, kDigiCert_High_Assurance_EV_Root_CAFingerprint, kVerisign_Class_2_Public_Primary_Certification_Authority___G3Fingerprint, + kYahooBackup2Fingerprint, kGeoTrust_Global_CAFingerprint, kVeriSign_Universal_Root_Certification_AuthorityFingerprint, kGeoTrust_Universal_CAFingerprint, @@ -747,14 +633,9 @@ static const char* kPinset_yahoo_sha256_Data[] = { kDigiCert_Global_Root_CAFingerprint, kGeoTrust_Primary_Certification_Authority___G2Fingerprint, }; -static const StaticFingerprints kPinset_yahoo_sha256 = { - sizeof(kPinset_yahoo_sha256_Data) / sizeof(const char*), - kPinset_yahoo_sha256_Data -}; - -static const StaticPinset kPinset_yahoo = { - &kPinset_yahoo_sha1, - &kPinset_yahoo_sha256 +static const StaticFingerprints kPinset_yahoo = { + sizeof(kPinset_yahoo_Data) / sizeof(const char*), + kPinset_yahoo_Data };
/* Domainlist */ @@ -764,7 +645,7 @@ struct TransportSecurityPreload { const bool mTestMode; const bool mIsMoz; const int32_t mId; - const StaticPinset *pinset; + const StaticFingerprints* pinset; };
/* Sort hostnames for binary search. */ @@ -1230,4 +1111,4 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
static const int32_t kUnknownId = -1;
-static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1472903978258000); +static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1473437156700000); diff --git a/security/manager/tools/genHPKPStaticPins.js b/security/manager/tools/genHPKPStaticPins.js index 8a91fff..c1bbd01 100644 --- a/security/manager/tools/genHPKPStaticPins.js +++ b/security/manager/tools/genHPKPStaticPins.js @@ -53,17 +53,13 @@ const DOMAINHEADER = "/* Domainlist */\n" + " const bool mTestMode;\n" + " const bool mIsMoz;\n" + " const int32_t mId;\n" + - " const StaticPinset* pinset;\n" + + " const StaticFingerprints* pinset;\n" + "};\n\n";
const PINSETDEF = "/* Pinsets are each an ordered list by the actual value of the fingerprint */\n" + "struct StaticFingerprints {\n" + " const size_t size;\n" + " const char* const* data;\n" + - "};\n\n" + - "struct StaticPinset {\n" + - " const StaticFingerprints* sha1;\n" + - " const StaticFingerprints* sha256;\n" + "};\n\n";
// Command-line arguments @@ -463,12 +459,10 @@ function writeFullPinset(certNameToSKD, certSKDToName, pinset) { } writeFingerprints(certNameToSKD, certSKDToName, pinset.name, pinset.sha256_hashes); - writeString("static const StaticPinset " + prefix + " = {\n" + - " nullptr,\n &" + prefix + "_sha256\n};\n\n"); }
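Review bot: The comment emitted by PINSETDEF, `Pinsets are each an ordered list by the actual value of the fingerprint`, no longer sits next to the `sha1`/`sha256` member names that told a reader of the generated header which hash the entries carry. With StaticPinset removed I would say so in the emitted text, for example `"/* Pinsets are each a list of SHA-256 fingerprints, ordered by the actual value of the fingerprint */\n" +`. The DOMAINHEADER field keeps the name `pinset` while its type becomes `StaticFingerprints*`, which is a naming choice but one a short comment in the generated struct would make explicit. DOMAINHEADER begins outside the hunk.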
function writeFingerprints(certNameToSKD, certSKDToName, name, hashes) { - let varPrefix = "kPinset_" + name + "_sha256"; + let varPrefix = "kPinset_" + name; writeString("static const char* " + varPrefix + "_Data[] = {\n"); let SKDList = []; for (let certName of hashes) {
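Review bot: `writeFullPinset` now forwards only `pinset.sha256_hashes`, and `writeFingerprints` walks it with `for (let certName of hashes)`, so an input pinset without that property would fail inside the loop rather than with a message naming the pinset. The block that closes just above the call starts outside the hunk and may already reject such entries; if it does not, a guard like `if (!pinset.sha256_hashes) { throw new Error("pinset " + pinset.name + " has no sha256_hashes"); }` before the call would make a malformed pin file fail clearly at generation time. Separately, as far as the hunk shows, `prefix` was last used by the removed `writeString` call, so its declaration earlier in `writeFullPinset` may now be dead and could be dropped.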