Commit 182970e4 authored by Cykesiopka's avatar Cykesiopka Committed by Georg Koppen
Browse files

Bug 1233328 - Part 2: Use SHA-256 StaticFingerprints directly instead of...

Bug 1233328 - Part 2: Use SHA-256 StaticFingerprints directly instead of StaticPinset since the SHA-1 StaticFingerprints entry will always be null. r=keeler
parent 47644f2a
Loading
Loading
Loading
Loading
+3 −7
Original line number Diff line number Diff line
@@ -95,21 +95,17 @@ EvalCert(const CERTCertificate* cert, const StaticFingerprints* fingerprints,

/*
 * Sets certListIntersectsPinset to true if a given chain matches any
 * fingerprints from the given pinset or the dynamicFingerprints array, or to
 * false otherwise.
 * fingerprints from the given static fingerprints or the
 * dynamicFingerprints array, or to false otherwise.
 */
static nsresult
EvalChain(const CERTCertList* certList, const StaticPinset* pinset,
EvalChain(const CERTCertList* certList, const StaticFingerprints* fingerprints,
          const nsTArray<nsCString>* dynamicFingerprints,
  /*out*/ bool& certListIntersectsPinset)
{
  certListIntersectsPinset = false;
  CERTCertificate* currentCert;

  const StaticFingerprints* fingerprints = nullptr;
  if (pinset) {
    fingerprints = pinset->sha256;
  }
  if (!fingerprints && !dynamicFingerprints) {
    MOZ_ASSERT(false, "Must pass in at least one type of pinset");
    return NS_ERROR_FAILURE;
+70 −189
Original line number Diff line number Diff line
@@ -113,7 +113,7 @@ static const char kEquifax_Secure_eBusiness_CA_1Fingerprint[] =

/* FacebookBackup */
static const char kFacebookBackupFingerprint[] =
  "1ww8E0AYsR2oX5lndk2hwp2Uosk=";
  "q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ=";

/* GOOGLE_PIN_DigiCertECCSecureServerCA */
static const char kGOOGLE_PIN_DigiCertECCSecureServerCAFingerprint[] =
@@ -213,7 +213,7 @@ static const char kGo_Daddy_Root_Certificate_Authority___G2Fingerprint[] =

/* GoogleBackup2048 */
static const char kGoogleBackup2048Fingerprint[] =
  "vq7OyjSnqOco9nyMCDGdy77eijM=";
  "IPMbDAjLVSGntGO3WP53X/zilCVndez5YJ2+vJvhJsA=";

/* Network Solutions Certificate Authority */
static const char kNetwork_Solutions_Certificate_AuthorityFingerprint[] =
@@ -221,11 +221,11 @@ static const char kNetwork_Solutions_Certificate_AuthorityFingerprint[] =

/* SpiderOak2 */
static const char kSpiderOak2Fingerprint[] =
  "D0fS/hquA6QprluciyO1hlFUAxg=";
  "7Y3UnxbffL8aFPXsOJBpGasgpDmngpIhAxGKdQRklQQ=";

/* SpiderOak3 */
static const char kSpiderOak3Fingerprint[] =
  "l5JoIXv4lztZ+C6TJWgxZCHQzS4=";
  "LkER54vOdlygpTsbYvlpMq1CE/lDAG1AP9xmdtwvV2A=";

/* Starfield Class 2 CA */
static const char kStarfield_Class_2_CAFingerprint[] =
@@ -257,19 +257,19 @@ static const char kTestSPKIFingerprint[] =

/* Tor1 */
static const char kTor1Fingerprint[] =
  "juNxSTv9UANmpC9kF5GKpmWNx3Y=";
  "bYz9JTDk89X3qu3fgswG+lBQso5vI0N1f0Rx4go4nLo=";

/* Tor2 */
static const char kTor2Fingerprint[] =
  "lia43lPolzSPVIq34Dw57uYcLD8=";
  "xXCxhTdn7uxXneJSbQCqoAvuW3ZtQl2pDVTf2sewS8w=";

/* Tor3 */
static const char kTor3Fingerprint[] =
  "rzEyQIKOh77j87n5bjWUNguXF8Y=";
  "CleC1qwUR8JPgH1nXvSe2VHxDe5/KfNs96EusbfSOfo=";

/* Twitter1 */
static const char kTwitter1Fingerprint[] =
  "Vv7zwhR9TtOIN/29MFI4cgHld40=";
  "vU9M48LzD/CF34wE5PPf4nBwRyosy06X21J0ap8yS5s=";

/* UTN USERFirst Email Root CA */
static const char kUTN_USERFirst_Email_Root_CAFingerprint[] =
@@ -329,11 +329,11 @@ static const char kXRamp_Global_CA_RootFingerprint[] =

/* YahooBackup1 */
static const char kYahooBackup1Fingerprint[] =
  "uwnZN/atr9+khywDukPzmD9kFiY=";
  "2fRAUXyxl4A1/XHrKNBmc8bTkzA7y4FB/GLJuNAzCqY=";

/* YahooBackup2 */
static const char kYahooBackup2Fingerprint[] =
  "Ui85k1YWcCl0z/4IlMvrDmI5zEo=";
  "dolnbtzEBnELx/9lOEQ22e6OZO/QNb6VSSX2XHA3E7A=";

/* thawte Primary Root CA */
static const char kthawte_Primary_Root_CAFingerprint[] =
@@ -353,13 +353,8 @@ struct StaticFingerprints {
  const char* const* data;
};

struct StaticPinset {
  const StaticFingerprints* sha1;
  const StaticFingerprints* sha256;
};

/* PreloadedHPKPins.json pinsets */
static const char* kPinset_google_root_pems_sha256_Data[] = {
static const char* kPinset_google_root_pems_Data[] = {
  kEquifax_Secure_CAFingerprint,
  kComodo_Trusted_Services_rootFingerprint,
  kCOMODO_ECC_Certification_AuthorityFingerprint,
@@ -416,17 +411,12 @@ static const char* kPinset_google_root_pems_sha256_Data[] = {
  kAffirmTrust_PremiumFingerprint,
  kAddTrust_Qualified_Certificates_RootFingerprint,
};
static const StaticFingerprints kPinset_google_root_pems_sha256 = {
  sizeof(kPinset_google_root_pems_sha256_Data) / sizeof(const char*),
  kPinset_google_root_pems_sha256_Data
};

static const StaticPinset kPinset_google_root_pems = {
  nullptr,
  &kPinset_google_root_pems_sha256
static const StaticFingerprints kPinset_google_root_pems = {
  sizeof(kPinset_google_root_pems_Data) / sizeof(const char*),
  kPinset_google_root_pems_Data
};

static const char* kPinset_mozilla_sha256_Data[] = {
static const char* kPinset_mozilla_Data[] = {
  kGeoTrust_Global_CA_2Fingerprint,
  kthawte_Primary_Root_CA___G3Fingerprint,
  kthawte_Primary_Root_CAFingerprint,
@@ -448,113 +438,61 @@ static const char* kPinset_mozilla_sha256_Data[] = {
  kDigiCert_Global_Root_CAFingerprint,
  kGeoTrust_Primary_Certification_Authority___G2Fingerprint,
};
static const StaticFingerprints kPinset_mozilla_sha256 = {
  sizeof(kPinset_mozilla_sha256_Data) / sizeof(const char*),
  kPinset_mozilla_sha256_Data
static const StaticFingerprints kPinset_mozilla = {
  sizeof(kPinset_mozilla_Data) / sizeof(const char*),
  kPinset_mozilla_Data
};

static const StaticPinset kPinset_mozilla = {
  nullptr,
  &kPinset_mozilla_sha256
};

static const char* kPinset_mozilla_services_sha256_Data[] = {
static const char* kPinset_mozilla_services_Data[] = {
  kDigiCert_Global_Root_CAFingerprint,
};
static const StaticFingerprints kPinset_mozilla_services_sha256 = {
  sizeof(kPinset_mozilla_services_sha256_Data) / sizeof(const char*),
  kPinset_mozilla_services_sha256_Data
};

static const StaticPinset kPinset_mozilla_services = {
  nullptr,
  &kPinset_mozilla_services_sha256
static const StaticFingerprints kPinset_mozilla_services = {
  sizeof(kPinset_mozilla_services_Data) / sizeof(const char*),
  kPinset_mozilla_services_Data
};

static const char* kPinset_mozilla_test_sha256_Data[] = {
static const char* kPinset_mozilla_test_Data[] = {
  kEnd_Entity_Test_CertFingerprint,
};
static const StaticFingerprints kPinset_mozilla_test_sha256 = {
  sizeof(kPinset_mozilla_test_sha256_Data) / sizeof(const char*),
  kPinset_mozilla_test_sha256_Data
};

static const StaticPinset kPinset_mozilla_test = {
  nullptr,
  &kPinset_mozilla_test_sha256
static const StaticFingerprints kPinset_mozilla_test = {
  sizeof(kPinset_mozilla_test_Data) / sizeof(const char*),
  kPinset_mozilla_test_Data
};

/* Chrome static pinsets */
static const char* kPinset_test_sha256_Data[] = {
static const char* kPinset_test_Data[] = {
  kTestSPKIFingerprint,
};
static const StaticFingerprints kPinset_test_sha256 = {
  sizeof(kPinset_test_sha256_Data) / sizeof(const char*),
  kPinset_test_sha256_Data
};

static const StaticPinset kPinset_test = {
  nullptr,
  &kPinset_test_sha256
};

static const char* kPinset_google_sha1_Data[] = {
  kGoogleBackup2048Fingerprint,
};
static const StaticFingerprints kPinset_google_sha1 = {
  sizeof(kPinset_google_sha1_Data) / sizeof(const char*),
  kPinset_google_sha1_Data
static const StaticFingerprints kPinset_test = {
  sizeof(kPinset_test_Data) / sizeof(const char*),
  kPinset_test_Data
};

static const char* kPinset_google_sha256_Data[] = {
static const char* kPinset_google_Data[] = {
  kGOOGLE_PIN_GoogleG2Fingerprint,
  kGoogleBackup2048Fingerprint,
  kGeoTrust_Global_CAFingerprint,
};
static const StaticFingerprints kPinset_google_sha256 = {
  sizeof(kPinset_google_sha256_Data) / sizeof(const char*),
  kPinset_google_sha256_Data
};

static const StaticPinset kPinset_google = {
  &kPinset_google_sha1,
  &kPinset_google_sha256
static const StaticFingerprints kPinset_google = {
  sizeof(kPinset_google_Data) / sizeof(const char*),
  kPinset_google_Data
};

static const char* kPinset_tor_sha1_Data[] = {
  kTor1Fingerprint,
  kTor2Fingerprint,
static const char* kPinset_tor_Data[] = {
  kTor3Fingerprint,
};
static const StaticFingerprints kPinset_tor_sha1 = {
  sizeof(kPinset_tor_sha1_Data) / sizeof(const char*),
  kPinset_tor_sha1_Data
};

static const char* kPinset_tor_sha256_Data[] = {
  kDigiCert_High_Assurance_EV_Root_CAFingerprint,
  kGOOGLE_PIN_LetsEncryptAuthorityX1Fingerprint,
  kTor1Fingerprint,
  kGOOGLE_PIN_RapidSSLFingerprint,
  kGOOGLE_PIN_LetsEncryptAuthorityX2Fingerprint,
  kTor2Fingerprint,
};
static const StaticFingerprints kPinset_tor_sha256 = {
  sizeof(kPinset_tor_sha256_Data) / sizeof(const char*),
  kPinset_tor_sha256_Data
};

static const StaticPinset kPinset_tor = {
  &kPinset_tor_sha1,
  &kPinset_tor_sha256
};

static const char* kPinset_twitterCom_sha1_Data[] = {
  kTwitter1Fingerprint,
};
static const StaticFingerprints kPinset_twitterCom_sha1 = {
  sizeof(kPinset_twitterCom_sha1_Data) / sizeof(const char*),
  kPinset_twitterCom_sha1_Data
static const StaticFingerprints kPinset_tor = {
  sizeof(kPinset_tor_Data) / sizeof(const char*),
  kPinset_tor_Data
};

static const char* kPinset_twitterCom_sha256_Data[] = {
static const char* kPinset_twitterCom_Data[] = {
  kVerisign_Class_2_Public_Primary_Certification_Authority___G2Fingerprint,
  kVerisign_Class_3_Public_Primary_Certification_Authority___G2Fingerprint,
  kGeoTrust_Global_CA_2Fingerprint,
@@ -575,26 +513,14 @@ static const char* kPinset_twitterCom_sha256_Data[] = {
  kGeoTrust_Primary_Certification_Authority___G3Fingerprint,
  kDigiCert_Global_Root_CAFingerprint,
  kGeoTrust_Primary_Certification_Authority___G2Fingerprint,
};
static const StaticFingerprints kPinset_twitterCom_sha256 = {
  sizeof(kPinset_twitterCom_sha256_Data) / sizeof(const char*),
  kPinset_twitterCom_sha256_Data
};

static const StaticPinset kPinset_twitterCom = {
  &kPinset_twitterCom_sha1,
  &kPinset_twitterCom_sha256
};

static const char* kPinset_twitterCDN_sha1_Data[] = {
  kTwitter1Fingerprint,
};
static const StaticFingerprints kPinset_twitterCDN_sha1 = {
  sizeof(kPinset_twitterCDN_sha1_Data) / sizeof(const char*),
  kPinset_twitterCDN_sha1_Data
static const StaticFingerprints kPinset_twitterCom = {
  sizeof(kPinset_twitterCom_Data) / sizeof(const char*),
  kPinset_twitterCom_Data
};

static const char* kPinset_twitterCDN_sha256_Data[] = {
static const char* kPinset_twitterCDN_Data[] = {
  kVerisign_Class_2_Public_Primary_Certification_Authority___G2Fingerprint,
  kComodo_Trusted_Services_rootFingerprint,
  kCOMODO_Certification_AuthorityFingerprint,
@@ -635,19 +561,15 @@ static const char* kPinset_twitterCDN_sha256_Data[] = {
  kDigiCert_Global_Root_CAFingerprint,
  kGeoTrust_Primary_Certification_Authority___G2Fingerprint,
  kComodo_AAA_Services_rootFingerprint,
  kTwitter1Fingerprint,
  kAddTrust_Qualified_Certificates_RootFingerprint,
};
static const StaticFingerprints kPinset_twitterCDN_sha256 = {
  sizeof(kPinset_twitterCDN_sha256_Data) / sizeof(const char*),
  kPinset_twitterCDN_sha256_Data
static const StaticFingerprints kPinset_twitterCDN = {
  sizeof(kPinset_twitterCDN_Data) / sizeof(const char*),
  kPinset_twitterCDN_Data
};

static const StaticPinset kPinset_twitterCDN = {
  &kPinset_twitterCDN_sha1,
  &kPinset_twitterCDN_sha256
};

static const char* kPinset_dropbox_sha256_Data[] = {
static const char* kPinset_dropbox_Data[] = {
  kEntrust_Root_Certification_Authority___EC1Fingerprint,
  kGOOGLE_PIN_ThawtePremiumServerFingerprint,
  kthawte_Primary_Root_CA___G3Fingerprint,
@@ -667,72 +589,35 @@ static const char* kPinset_dropbox_sha256_Data[] = {
  kDigiCert_Global_Root_CAFingerprint,
  kGeoTrust_Primary_Certification_Authority___G2Fingerprint,
};
static const StaticFingerprints kPinset_dropbox_sha256 = {
  sizeof(kPinset_dropbox_sha256_Data) / sizeof(const char*),
  kPinset_dropbox_sha256_Data
};

static const StaticPinset kPinset_dropbox = {
  nullptr,
  &kPinset_dropbox_sha256
};

static const char* kPinset_facebook_sha1_Data[] = {
  kFacebookBackupFingerprint,
};
static const StaticFingerprints kPinset_facebook_sha1 = {
  sizeof(kPinset_facebook_sha1_Data) / sizeof(const char*),
  kPinset_facebook_sha1_Data
static const StaticFingerprints kPinset_dropbox = {
  sizeof(kPinset_dropbox_Data) / sizeof(const char*),
  kPinset_dropbox_Data
};

static const char* kPinset_facebook_sha256_Data[] = {
static const char* kPinset_facebook_Data[] = {
  kGOOGLE_PIN_DigiCertECCSecureServerCAFingerprint,
  kDigiCert_High_Assurance_EV_Root_CAFingerprint,
  kGOOGLE_PIN_SymantecClass3EVG3Fingerprint,
  kFacebookBackupFingerprint,
};
static const StaticFingerprints kPinset_facebook_sha256 = {
  sizeof(kPinset_facebook_sha256_Data) / sizeof(const char*),
  kPinset_facebook_sha256_Data
};

static const StaticPinset kPinset_facebook = {
  &kPinset_facebook_sha1,
  &kPinset_facebook_sha256
static const StaticFingerprints kPinset_facebook = {
  sizeof(kPinset_facebook_Data) / sizeof(const char*),
  kPinset_facebook_Data
};

static const char* kPinset_spideroak_sha1_Data[] = {
static const char* kPinset_spideroak_Data[] = {
  kSpiderOak2Fingerprint,
  kSpiderOak3Fingerprint,
};
static const StaticFingerprints kPinset_spideroak_sha1 = {
  sizeof(kPinset_spideroak_sha1_Data) / sizeof(const char*),
  kPinset_spideroak_sha1_Data
};

static const char* kPinset_spideroak_sha256_Data[] = {
  kDigiCert_High_Assurance_EV_Root_CAFingerprint,
  kGeoTrust_Global_CAFingerprint,
};
static const StaticFingerprints kPinset_spideroak_sha256 = {
  sizeof(kPinset_spideroak_sha256_Data) / sizeof(const char*),
  kPinset_spideroak_sha256_Data
};

static const StaticPinset kPinset_spideroak = {
  &kPinset_spideroak_sha1,
  &kPinset_spideroak_sha256
static const StaticFingerprints kPinset_spideroak = {
  sizeof(kPinset_spideroak_Data) / sizeof(const char*),
  kPinset_spideroak_Data
};

static const char* kPinset_yahoo_sha1_Data[] = {
  kYahooBackup2Fingerprint,
static const char* kPinset_yahoo_Data[] = {
  kYahooBackup1Fingerprint,
};
static const StaticFingerprints kPinset_yahoo_sha1 = {
  sizeof(kPinset_yahoo_sha1_Data) / sizeof(const char*),
  kPinset_yahoo_sha1_Data
};

static const char* kPinset_yahoo_sha256_Data[] = {
  kVerisign_Class_2_Public_Primary_Certification_Authority___G2Fingerprint,
  kVeriSign_Class_3_Public_Primary_Certification_Authority___G5Fingerprint,
  kGeoTrust_Primary_Certification_AuthorityFingerprint,
@@ -740,6 +625,7 @@ static const char* kPinset_yahoo_sha256_Data[] = {
  kVeriSign_Class_3_Public_Primary_Certification_Authority___G4Fingerprint,
  kDigiCert_High_Assurance_EV_Root_CAFingerprint,
  kVerisign_Class_2_Public_Primary_Certification_Authority___G3Fingerprint,
  kYahooBackup2Fingerprint,
  kGeoTrust_Global_CAFingerprint,
  kVeriSign_Universal_Root_Certification_AuthorityFingerprint,
  kGeoTrust_Universal_CAFingerprint,
@@ -747,14 +633,9 @@ static const char* kPinset_yahoo_sha256_Data[] = {
  kDigiCert_Global_Root_CAFingerprint,
  kGeoTrust_Primary_Certification_Authority___G2Fingerprint,
};
static const StaticFingerprints kPinset_yahoo_sha256 = {
  sizeof(kPinset_yahoo_sha256_Data) / sizeof(const char*),
  kPinset_yahoo_sha256_Data
};

static const StaticPinset kPinset_yahoo = {
  &kPinset_yahoo_sha1,
  &kPinset_yahoo_sha256
static const StaticFingerprints kPinset_yahoo = {
  sizeof(kPinset_yahoo_Data) / sizeof(const char*),
  kPinset_yahoo_Data
};

/* Domainlist */
@@ -764,7 +645,7 @@ struct TransportSecurityPreload {
  const bool mTestMode;
  const bool mIsMoz;
  const int32_t mId;
  const StaticPinset *pinset;
  const StaticFingerprints* pinset;
};

/* Sort hostnames for binary search. */
@@ -1230,4 +1111,4 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {

static const int32_t kUnknownId = -1;

static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1472903978258000);
static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1473437156700000);
+2 −8
Original line number Diff line number Diff line
@@ -53,17 +53,13 @@ const DOMAINHEADER = "/* Domainlist */\n" +
  "  const bool mTestMode;\n" +
  "  const bool mIsMoz;\n" +
  "  const int32_t mId;\n" +
  "  const StaticPinset* pinset;\n" +
  "  const StaticFingerprints* pinset;\n" +
  "};\n\n";

const PINSETDEF = "/* Pinsets are each an ordered list by the actual value of the fingerprint */\n" +
  "struct StaticFingerprints {\n" +
  "  const size_t size;\n" +
  "  const char* const* data;\n" +
  "};\n\n" +
  "struct StaticPinset {\n" +
  "  const StaticFingerprints* sha1;\n" +
  "  const StaticFingerprints* sha256;\n" +
  "};\n\n";

// Command-line arguments
@@ -463,12 +459,10 @@ function writeFullPinset(certNameToSKD, certSKDToName, pinset) {
  }
  writeFingerprints(certNameToSKD, certSKDToName, pinset.name,
                    pinset.sha256_hashes);
  writeString("static const StaticPinset " + prefix + " = {\n" +
              "  nullptr,\n  &" + prefix + "_sha256\n};\n\n");
}

function writeFingerprints(certNameToSKD, certSKDToName, name, hashes) {
  let varPrefix = "kPinset_" + name + "_sha256";
  let varPrefix = "kPinset_" + name;
  writeString("static const char* " + varPrefix + "_Data[] = {\n");
  let SKDList = [];
  for (let certName of hashes) {