Loading security/manager/ssl/PublicKeyPinningService.cpp +3 −7 Original line number Diff line number Diff line Loading @@ -95,21 +95,17 @@ EvalCert(const CERTCertificate* cert, const StaticFingerprints* fingerprints, /* * Sets certListIntersectsPinset to true if a given chain matches any * fingerprints from the given pinset or the dynamicFingerprints array, or to * false otherwise. * fingerprints from the given static fingerprints or the * dynamicFingerprints array, or to false otherwise. */ static nsresult EvalChain(const CERTCertList* certList, const StaticPinset* pinset, EvalChain(const CERTCertList* certList, const StaticFingerprints* fingerprints, const nsTArray<nsCString>* dynamicFingerprints, /*out*/ bool& certListIntersectsPinset) { certListIntersectsPinset = false; CERTCertificate* currentCert; const StaticFingerprints* fingerprints = nullptr; if (pinset) { fingerprints = pinset->sha256; } if (!fingerprints && !dynamicFingerprints) { MOZ_ASSERT(false, "Must pass in at least one type of pinset"); return NS_ERROR_FAILURE; Loading security/manager/ssl/StaticHPKPins.h +70 −189 Original line number Diff line number Diff line Loading @@ -113,7 +113,7 @@ static const char kEquifax_Secure_eBusiness_CA_1Fingerprint[] = /* FacebookBackup */ static const char kFacebookBackupFingerprint[] = "1ww8E0AYsR2oX5lndk2hwp2Uosk="; "q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ="; /* GOOGLE_PIN_DigiCertECCSecureServerCA */ static const char kGOOGLE_PIN_DigiCertECCSecureServerCAFingerprint[] = Loading Loading @@ -213,7 +213,7 @@ static const char kGo_Daddy_Root_Certificate_Authority___G2Fingerprint[] = /* GoogleBackup2048 */ static const char kGoogleBackup2048Fingerprint[] = "vq7OyjSnqOco9nyMCDGdy77eijM="; "IPMbDAjLVSGntGO3WP53X/zilCVndez5YJ2+vJvhJsA="; /* Network Solutions Certificate Authority */ static const char kNetwork_Solutions_Certificate_AuthorityFingerprint[] = Loading 
@@ -221,11 +221,11 @@ static const char kNetwork_Solutions_Certificate_AuthorityFingerprint[] = /* SpiderOak2 */ static const char kSpiderOak2Fingerprint[] = "D0fS/hquA6QprluciyO1hlFUAxg="; "7Y3UnxbffL8aFPXsOJBpGasgpDmngpIhAxGKdQRklQQ="; /* SpiderOak3 */ static const char kSpiderOak3Fingerprint[] = "l5JoIXv4lztZ+C6TJWgxZCHQzS4="; "LkER54vOdlygpTsbYvlpMq1CE/lDAG1AP9xmdtwvV2A="; /* Starfield Class 2 CA */ static const char kStarfield_Class_2_CAFingerprint[] = Loading Loading @@ -257,19 +257,19 @@ static const char kTestSPKIFingerprint[] = /* Tor1 */ static const char kTor1Fingerprint[] = "juNxSTv9UANmpC9kF5GKpmWNx3Y="; "bYz9JTDk89X3qu3fgswG+lBQso5vI0N1f0Rx4go4nLo="; /* Tor2 */ static const char kTor2Fingerprint[] = "lia43lPolzSPVIq34Dw57uYcLD8="; "xXCxhTdn7uxXneJSbQCqoAvuW3ZtQl2pDVTf2sewS8w="; /* Tor3 */ static const char kTor3Fingerprint[] = "rzEyQIKOh77j87n5bjWUNguXF8Y="; "CleC1qwUR8JPgH1nXvSe2VHxDe5/KfNs96EusbfSOfo="; /* Twitter1 */ static const char kTwitter1Fingerprint[] = "Vv7zwhR9TtOIN/29MFI4cgHld40="; "vU9M48LzD/CF34wE5PPf4nBwRyosy06X21J0ap8yS5s="; /* UTN USERFirst Email Root CA */ static const char kUTN_USERFirst_Email_Root_CAFingerprint[] = Loading Loading @@ -329,11 +329,11 @@ static const char kXRamp_Global_CA_RootFingerprint[] = /* YahooBackup1 */ static const char kYahooBackup1Fingerprint[] = "uwnZN/atr9+khywDukPzmD9kFiY="; "2fRAUXyxl4A1/XHrKNBmc8bTkzA7y4FB/GLJuNAzCqY="; /* YahooBackup2 */ static const char kYahooBackup2Fingerprint[] = "Ui85k1YWcCl0z/4IlMvrDmI5zEo="; "dolnbtzEBnELx/9lOEQ22e6OZO/QNb6VSSX2XHA3E7A="; /* thawte Primary Root CA */ static const char kthawte_Primary_Root_CAFingerprint[] = Loading 
@@ -353,13 +353,8 @@ struct StaticFingerprints { const char* const* data; }; struct StaticPinset { const StaticFingerprints* sha1; const StaticFingerprints* sha256; }; /* PreloadedHPKPins.json pinsets */ static const char* kPinset_google_root_pems_sha256_Data[] = { static const char* kPinset_google_root_pems_Data[] = { kEquifax_Secure_CAFingerprint, kComodo_Trusted_Services_rootFingerprint, kCOMODO_ECC_Certification_AuthorityFingerprint, Loading Loading @@ -416,17 +411,12 @@ static const char* kPinset_google_root_pems_sha256_Data[] = { kAffirmTrust_PremiumFingerprint, kAddTrust_Qualified_Certificates_RootFingerprint, }; static const StaticFingerprints kPinset_google_root_pems_sha256 = { sizeof(kPinset_google_root_pems_sha256_Data) / sizeof(const char*), kPinset_google_root_pems_sha256_Data }; static const StaticPinset kPinset_google_root_pems = { nullptr, &kPinset_google_root_pems_sha256 static const StaticFingerprints kPinset_google_root_pems = { sizeof(kPinset_google_root_pems_Data) / sizeof(const char*), kPinset_google_root_pems_Data }; static const char* kPinset_mozilla_sha256_Data[] = { static const char* kPinset_mozilla_Data[] = { kGeoTrust_Global_CA_2Fingerprint, kthawte_Primary_Root_CA___G3Fingerprint, kthawte_Primary_Root_CAFingerprint, Loading 
@@ -448,113 +438,61 @@ static const char* kPinset_mozilla_sha256_Data[] = { kDigiCert_Global_Root_CAFingerprint, kGeoTrust_Primary_Certification_Authority___G2Fingerprint, }; static const StaticFingerprints kPinset_mozilla_sha256 = { sizeof(kPinset_mozilla_sha256_Data) / sizeof(const char*), kPinset_mozilla_sha256_Data static const StaticFingerprints kPinset_mozilla = { sizeof(kPinset_mozilla_Data) / sizeof(const char*), kPinset_mozilla_Data }; static const StaticPinset kPinset_mozilla = { nullptr, &kPinset_mozilla_sha256 }; static const char* kPinset_mozilla_services_sha256_Data[] = { static const char* kPinset_mozilla_services_Data[] = { kDigiCert_Global_Root_CAFingerprint, }; static const StaticFingerprints kPinset_mozilla_services_sha256 = { sizeof(kPinset_mozilla_services_sha256_Data) / sizeof(const char*), kPinset_mozilla_services_sha256_Data }; static const StaticPinset kPinset_mozilla_services = { nullptr, &kPinset_mozilla_services_sha256 static const StaticFingerprints kPinset_mozilla_services = { sizeof(kPinset_mozilla_services_Data) / sizeof(const char*), kPinset_mozilla_services_Data }; static const char* kPinset_mozilla_test_sha256_Data[] = { static const char* kPinset_mozilla_test_Data[] = { kEnd_Entity_Test_CertFingerprint, }; static const StaticFingerprints kPinset_mozilla_test_sha256 = { sizeof(kPinset_mozilla_test_sha256_Data) / sizeof(const char*), kPinset_mozilla_test_sha256_Data }; static const StaticPinset kPinset_mozilla_test = { nullptr, &kPinset_mozilla_test_sha256 static const StaticFingerprints kPinset_mozilla_test = { sizeof(kPinset_mozilla_test_Data) / sizeof(const char*), kPinset_mozilla_test_Data }; /* Chrome static pinsets */ static const char* kPinset_test_sha256_Data[] = { static const char* kPinset_test_Data[] = { kTestSPKIFingerprint, }; static const StaticFingerprints kPinset_test_sha256 = { sizeof(kPinset_test_sha256_Data) / sizeof(const char*), kPinset_test_sha256_Data }; static const StaticPinset kPinset_test = { nullptr, 
&kPinset_test_sha256 }; static const char* kPinset_google_sha1_Data[] = { kGoogleBackup2048Fingerprint, }; static const StaticFingerprints kPinset_google_sha1 = { sizeof(kPinset_google_sha1_Data) / sizeof(const char*), kPinset_google_sha1_Data static const StaticFingerprints kPinset_test = { sizeof(kPinset_test_Data) / sizeof(const char*), kPinset_test_Data }; static const char* kPinset_google_sha256_Data[] = { static const char* kPinset_google_Data[] = { kGOOGLE_PIN_GoogleG2Fingerprint, kGoogleBackup2048Fingerprint, kGeoTrust_Global_CAFingerprint, }; static const StaticFingerprints kPinset_google_sha256 = { sizeof(kPinset_google_sha256_Data) / sizeof(const char*), kPinset_google_sha256_Data }; static const StaticPinset kPinset_google = { &kPinset_google_sha1, &kPinset_google_sha256 static const StaticFingerprints kPinset_google = { sizeof(kPinset_google_Data) / sizeof(const char*), kPinset_google_Data }; static const char* kPinset_tor_sha1_Data[] = { kTor1Fingerprint, kTor2Fingerprint, static const char* kPinset_tor_Data[] = { kTor3Fingerprint, }; static const StaticFingerprints kPinset_tor_sha1 = { sizeof(kPinset_tor_sha1_Data) / sizeof(const char*), kPinset_tor_sha1_Data }; static const char* kPinset_tor_sha256_Data[] = { kDigiCert_High_Assurance_EV_Root_CAFingerprint, kGOOGLE_PIN_LetsEncryptAuthorityX1Fingerprint, kTor1Fingerprint, kGOOGLE_PIN_RapidSSLFingerprint, kGOOGLE_PIN_LetsEncryptAuthorityX2Fingerprint, kTor2Fingerprint, }; static const StaticFingerprints kPinset_tor_sha256 = { sizeof(kPinset_tor_sha256_Data) / sizeof(const char*), kPinset_tor_sha256_Data }; static const StaticPinset kPinset_tor = { &kPinset_tor_sha1, &kPinset_tor_sha256 }; static const char* kPinset_twitterCom_sha1_Data[] = { kTwitter1Fingerprint, }; static const StaticFingerprints kPinset_twitterCom_sha1 = { sizeof(kPinset_twitterCom_sha1_Data) / sizeof(const char*), kPinset_twitterCom_sha1_Data static const StaticFingerprints kPinset_tor = { sizeof(kPinset_tor_Data) / sizeof(const 
char*), kPinset_tor_Data }; static const char* kPinset_twitterCom_sha256_Data[] = { static const char* kPinset_twitterCom_Data[] = { kVerisign_Class_2_Public_Primary_Certification_Authority___G2Fingerprint, kVerisign_Class_3_Public_Primary_Certification_Authority___G2Fingerprint, kGeoTrust_Global_CA_2Fingerprint, Loading @@ -575,26 +513,14 @@ static const char* kPinset_twitterCom_sha256_Data[] = { kGeoTrust_Primary_Certification_Authority___G3Fingerprint, kDigiCert_Global_Root_CAFingerprint, kGeoTrust_Primary_Certification_Authority___G2Fingerprint, }; static const StaticFingerprints kPinset_twitterCom_sha256 = { sizeof(kPinset_twitterCom_sha256_Data) / sizeof(const char*), kPinset_twitterCom_sha256_Data }; static const StaticPinset kPinset_twitterCom = { &kPinset_twitterCom_sha1, &kPinset_twitterCom_sha256 }; static const char* kPinset_twitterCDN_sha1_Data[] = { kTwitter1Fingerprint, }; static const StaticFingerprints kPinset_twitterCDN_sha1 = { sizeof(kPinset_twitterCDN_sha1_Data) / sizeof(const char*), kPinset_twitterCDN_sha1_Data static const StaticFingerprints kPinset_twitterCom = { sizeof(kPinset_twitterCom_Data) / sizeof(const char*), kPinset_twitterCom_Data }; static const char* kPinset_twitterCDN_sha256_Data[] = { static const char* kPinset_twitterCDN_Data[] = { kVerisign_Class_2_Public_Primary_Certification_Authority___G2Fingerprint, kComodo_Trusted_Services_rootFingerprint, kCOMODO_Certification_AuthorityFingerprint, Loading Loading 
@@ -635,19 +561,15 @@ static const char* kPinset_twitterCDN_sha256_Data[] = { kDigiCert_Global_Root_CAFingerprint, kGeoTrust_Primary_Certification_Authority___G2Fingerprint, kComodo_AAA_Services_rootFingerprint, kTwitter1Fingerprint, kAddTrust_Qualified_Certificates_RootFingerprint, }; static const StaticFingerprints kPinset_twitterCDN_sha256 = { sizeof(kPinset_twitterCDN_sha256_Data) / sizeof(const char*), kPinset_twitterCDN_sha256_Data static const StaticFingerprints kPinset_twitterCDN = { sizeof(kPinset_twitterCDN_Data) / sizeof(const char*), kPinset_twitterCDN_Data }; static const StaticPinset kPinset_twitterCDN = { &kPinset_twitterCDN_sha1, &kPinset_twitterCDN_sha256 }; static const char* kPinset_dropbox_sha256_Data[] = { static const char* kPinset_dropbox_Data[] = { kEntrust_Root_Certification_Authority___EC1Fingerprint, kGOOGLE_PIN_ThawtePremiumServerFingerprint, kthawte_Primary_Root_CA___G3Fingerprint, Loading 
@@ -667,72 +589,35 @@ static const char* kPinset_dropbox_sha256_Data[] = { kDigiCert_Global_Root_CAFingerprint, kGeoTrust_Primary_Certification_Authority___G2Fingerprint, }; static const StaticFingerprints kPinset_dropbox_sha256 = { sizeof(kPinset_dropbox_sha256_Data) / sizeof(const char*), kPinset_dropbox_sha256_Data }; static const StaticPinset kPinset_dropbox = { nullptr, &kPinset_dropbox_sha256 }; static const char* kPinset_facebook_sha1_Data[] = { kFacebookBackupFingerprint, }; static const StaticFingerprints kPinset_facebook_sha1 = { sizeof(kPinset_facebook_sha1_Data) / sizeof(const char*), kPinset_facebook_sha1_Data static const StaticFingerprints kPinset_dropbox = { sizeof(kPinset_dropbox_Data) / sizeof(const char*), kPinset_dropbox_Data }; static const char* kPinset_facebook_sha256_Data[] = { static const char* kPinset_facebook_Data[] = { kGOOGLE_PIN_DigiCertECCSecureServerCAFingerprint, kDigiCert_High_Assurance_EV_Root_CAFingerprint, kGOOGLE_PIN_SymantecClass3EVG3Fingerprint, kFacebookBackupFingerprint, }; static const StaticFingerprints kPinset_facebook_sha256 = { sizeof(kPinset_facebook_sha256_Data) / sizeof(const char*), kPinset_facebook_sha256_Data }; static const StaticPinset kPinset_facebook = { &kPinset_facebook_sha1, &kPinset_facebook_sha256 static const StaticFingerprints kPinset_facebook = { sizeof(kPinset_facebook_Data) / sizeof(const char*), kPinset_facebook_Data }; static const char* kPinset_spideroak_sha1_Data[] = { static const char* kPinset_spideroak_Data[] = { kSpiderOak2Fingerprint, kSpiderOak3Fingerprint, }; static const StaticFingerprints kPinset_spideroak_sha1 = { sizeof(kPinset_spideroak_sha1_Data) / sizeof(const char*), kPinset_spideroak_sha1_Data }; static const char* kPinset_spideroak_sha256_Data[] = { kDigiCert_High_Assurance_EV_Root_CAFingerprint, kGeoTrust_Global_CAFingerprint, }; static const StaticFingerprints kPinset_spideroak_sha256 = { sizeof(kPinset_spideroak_sha256_Data) / sizeof(const char*), 
kPinset_spideroak_sha256_Data }; static const StaticPinset kPinset_spideroak = { &kPinset_spideroak_sha1, &kPinset_spideroak_sha256 static const StaticFingerprints kPinset_spideroak = { sizeof(kPinset_spideroak_Data) / sizeof(const char*), kPinset_spideroak_Data }; static const char* kPinset_yahoo_sha1_Data[] = { kYahooBackup2Fingerprint, static const char* kPinset_yahoo_Data[] = { kYahooBackup1Fingerprint, }; static const StaticFingerprints kPinset_yahoo_sha1 = { sizeof(kPinset_yahoo_sha1_Data) / sizeof(const char*), kPinset_yahoo_sha1_Data }; static const char* kPinset_yahoo_sha256_Data[] = { kVerisign_Class_2_Public_Primary_Certification_Authority___G2Fingerprint, kVeriSign_Class_3_Public_Primary_Certification_Authority___G5Fingerprint, kGeoTrust_Primary_Certification_AuthorityFingerprint, Loading @@ -740,6 +625,7 @@ static const char* kPinset_yahoo_sha256_Data[] = { kVeriSign_Class_3_Public_Primary_Certification_Authority___G4Fingerprint, kDigiCert_High_Assurance_EV_Root_CAFingerprint, kVerisign_Class_2_Public_Primary_Certification_Authority___G3Fingerprint, kYahooBackup2Fingerprint, kGeoTrust_Global_CAFingerprint, kVeriSign_Universal_Root_Certification_AuthorityFingerprint, kGeoTrust_Universal_CAFingerprint, Loading @@ -747,14 +633,9 @@ static const char* kPinset_yahoo_sha256_Data[] = { kDigiCert_Global_Root_CAFingerprint, kGeoTrust_Primary_Certification_Authority___G2Fingerprint, }; static const StaticFingerprints kPinset_yahoo_sha256 = { sizeof(kPinset_yahoo_sha256_Data) / sizeof(const char*), kPinset_yahoo_sha256_Data }; static const StaticPinset kPinset_yahoo = { &kPinset_yahoo_sha1, &kPinset_yahoo_sha256 static const StaticFingerprints kPinset_yahoo = { sizeof(kPinset_yahoo_Data) / sizeof(const char*), kPinset_yahoo_Data }; /* Domainlist */ Loading 
@@ -764,7 +645,7 @@ struct TransportSecurityPreload { const bool mTestMode; const bool mIsMoz; const int32_t mId; const StaticPinset *pinset; const StaticFingerprints* pinset; }; /* Sort hostnames for binary search. */ Loading Loading @@ -1230,4 +1111,4 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = { static const int32_t kUnknownId = -1; static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1472903978258000); static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1473437156700000); security/manager/tools/genHPKPStaticPins.js +2 −8 Original line number Diff line number Diff line Loading @@ -53,17 +53,13 @@ const DOMAINHEADER = "/* Domainlist */\n" + " const bool mTestMode;\n" + " const bool mIsMoz;\n" + " const int32_t mId;\n" + " const StaticPinset* pinset;\n" + " const StaticFingerprints* pinset;\n" + "};\n\n"; const PINSETDEF = "/* Pinsets are each an ordered list by the actual value of the fingerprint */\n" + "struct StaticFingerprints {\n" + " const size_t size;\n" + " const char* const* data;\n" + "};\n\n" + "struct StaticPinset {\n" + " const StaticFingerprints* sha1;\n" + " const StaticFingerprints* sha256;\n" + "};\n\n"; // Command-line arguments Loading Loading @@ -463,12 +459,10 @@ function writeFullPinset(certNameToSKD, certSKDToName, pinset) { } writeFingerprints(certNameToSKD, certSKDToName, pinset.name, pinset.sha256_hashes); writeString("static const StaticPinset " + prefix + " = {\n" + " nullptr,\n &" + prefix + "_sha256\n};\n\n"); } function writeFingerprints(certNameToSKD, certSKDToName, name, hashes) { let varPrefix = "kPinset_" + name + "_sha256"; let varPrefix = "kPinset_" + name; writeString("static const char* " + varPrefix + "_Data[] = {\n"); let SKDList = []; for (let certName of hashes) { Loading Loading
security/manager/ssl/PublicKeyPinningService.cpp +3 −7 @@ -95,21 +95,17 @@ EvalCert(const CERTCertificate* cert, const StaticFingerprints* fingerprints, /* * Sets certListIntersectsPinset to true if a given chain matches any * fingerprints from the given pinset or the dynamicFingerprints array, or to * false otherwise. * fingerprints from the given static fingerprints or the * dynamicFingerprints array, or to false otherwise. */ static nsresult EvalChain(const CERTCertList* certList, const StaticPinset* pinset, EvalChain(const CERTCertList* certList, const StaticFingerprints* fingerprints, const nsTArray<nsCString>* dynamicFingerprints, /*out*/ bool& certListIntersectsPinset) { certListIntersectsPinset = false; CERTCertificate* currentCert; const StaticFingerprints* fingerprints = nullptr; if (pinset) { fingerprints = pinset->sha256; } if (!fingerprints && !dynamicFingerprints) { MOZ_ASSERT(false, "Must pass in at least one type of pinset"); return NS_ERROR_FAILURE;
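Review bot: With `StaticPinset` removed, nothing in `EvalChain`'s signature or its comment says which digest the static fingerprints carry; the deleted `fingerprints = pinset->sha256;` was the only line in this hunk that stated it. I would add a line to the comment above `EvalChain` such as `* The static fingerprints are expected to be base64 SHA-256 digests (see StaticHPKPins.h).`, so that a list in another digest format is not compared silently and simply never matched. The digest type is inferred from the removed member name and from the 44-character values in the header, so please confirm it against `EvalCert`. The out-parameter `certListIntersectsPinset` and the assertion text still say "pinset" while the parameter is now `fingerprints`; the wording could follow the rename. `EvalChain`'s body continues past the end of the hunk.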
security/manager/ssl/StaticHPKPins.h +70 −189 Original line number Diff line number Diff line Loading @@ -113,7 +113,7 @@ static const char kEquifax_Secure_eBusiness_CA_1Fingerprint[] = /* FacebookBackup */ static const char kFacebookBackupFingerprint[] = "1ww8E0AYsR2oX5lndk2hwp2Uosk="; "q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ="; /* GOOGLE_PIN_DigiCertECCSecureServerCA */ static const char kGOOGLE_PIN_DigiCertECCSecureServerCAFingerprint[] = Loading Loading @@ -213,7 +213,7 @@ static const char kGo_Daddy_Root_Certificate_Authority___G2Fingerprint[] = /* GoogleBackup2048 */ static const char kGoogleBackup2048Fingerprint[] = "vq7OyjSnqOco9nyMCDGdy77eijM="; "IPMbDAjLVSGntGO3WP53X/zilCVndez5YJ2+vJvhJsA="; /* Network Solutions Certificate Authority */ static const char kNetwork_Solutions_Certificate_AuthorityFingerprint[] = Loading @@ -221,11 +221,11 @@ static const char kNetwork_Solutions_Certificate_AuthorityFingerprint[] = /* SpiderOak2 */ static const char kSpiderOak2Fingerprint[] = "D0fS/hquA6QprluciyO1hlFUAxg="; "7Y3UnxbffL8aFPXsOJBpGasgpDmngpIhAxGKdQRklQQ="; /* SpiderOak3 */ static const char kSpiderOak3Fingerprint[] = "l5JoIXv4lztZ+C6TJWgxZCHQzS4="; "LkER54vOdlygpTsbYvlpMq1CE/lDAG1AP9xmdtwvV2A="; /* Starfield Class 2 CA */ static const char kStarfield_Class_2_CAFingerprint[] = Loading Loading 
@@ -257,19 +257,19 @@ static const char kTestSPKIFingerprint[] = /* Tor1 */ static const char kTor1Fingerprint[] = "juNxSTv9UANmpC9kF5GKpmWNx3Y="; "bYz9JTDk89X3qu3fgswG+lBQso5vI0N1f0Rx4go4nLo="; /* Tor2 */ static const char kTor2Fingerprint[] = "lia43lPolzSPVIq34Dw57uYcLD8="; "xXCxhTdn7uxXneJSbQCqoAvuW3ZtQl2pDVTf2sewS8w="; /* Tor3 */ static const char kTor3Fingerprint[] = "rzEyQIKOh77j87n5bjWUNguXF8Y="; "CleC1qwUR8JPgH1nXvSe2VHxDe5/KfNs96EusbfSOfo="; /* Twitter1 */ static const char kTwitter1Fingerprint[] = "Vv7zwhR9TtOIN/29MFI4cgHld40="; "vU9M48LzD/CF34wE5PPf4nBwRyosy06X21J0ap8yS5s="; /* UTN USERFirst Email Root CA */ static const char kUTN_USERFirst_Email_Root_CAFingerprint[] = Loading Loading @@ -329,11 +329,11 @@ static const char kXRamp_Global_CA_RootFingerprint[] = /* YahooBackup1 */ static const char kYahooBackup1Fingerprint[] = "uwnZN/atr9+khywDukPzmD9kFiY="; "2fRAUXyxl4A1/XHrKNBmc8bTkzA7y4FB/GLJuNAzCqY="; /* YahooBackup2 */ static const char kYahooBackup2Fingerprint[] = "Ui85k1YWcCl0z/4IlMvrDmI5zEo="; "dolnbtzEBnELx/9lOEQ22e6OZO/QNb6VSSX2XHA3E7A="; /* thawte Primary Root CA */ static const char kthawte_Primary_Root_CAFingerprint[] = Loading @@ -353,13 +353,8 @@ struct StaticFingerprints { const char* const* data; }; struct StaticPinset { const StaticFingerprints* sha1; const StaticFingerprints* sha256; }; /* PreloadedHPKPins.json pinsets */ static const char* kPinset_google_root_pems_sha256_Data[] = { static const char* kPinset_google_root_pems_Data[] = { kEquifax_Secure_CAFingerprint, kComodo_Trusted_Services_rootFingerprint, kCOMODO_ECC_Certification_AuthorityFingerprint, Loading Loading 
@@ -416,17 +411,12 @@ static const char* kPinset_google_root_pems_sha256_Data[] = { kAffirmTrust_PremiumFingerprint, kAddTrust_Qualified_Certificates_RootFingerprint, }; static const StaticFingerprints kPinset_google_root_pems_sha256 = { sizeof(kPinset_google_root_pems_sha256_Data) / sizeof(const char*), kPinset_google_root_pems_sha256_Data }; static const StaticPinset kPinset_google_root_pems = { nullptr, &kPinset_google_root_pems_sha256 static const StaticFingerprints kPinset_google_root_pems = { sizeof(kPinset_google_root_pems_Data) / sizeof(const char*), kPinset_google_root_pems_Data }; static const char* kPinset_mozilla_sha256_Data[] = { static const char* kPinset_mozilla_Data[] = { kGeoTrust_Global_CA_2Fingerprint, kthawte_Primary_Root_CA___G3Fingerprint, kthawte_Primary_Root_CAFingerprint, Loading 
@@ -448,113 +438,61 @@ static const char* kPinset_mozilla_sha256_Data[] = { kDigiCert_Global_Root_CAFingerprint, kGeoTrust_Primary_Certification_Authority___G2Fingerprint, }; static const StaticFingerprints kPinset_mozilla_sha256 = { sizeof(kPinset_mozilla_sha256_Data) / sizeof(const char*), kPinset_mozilla_sha256_Data static const StaticFingerprints kPinset_mozilla = { sizeof(kPinset_mozilla_Data) / sizeof(const char*), kPinset_mozilla_Data }; static const StaticPinset kPinset_mozilla = { nullptr, &kPinset_mozilla_sha256 }; static const char* kPinset_mozilla_services_sha256_Data[] = { static const char* kPinset_mozilla_services_Data[] = { kDigiCert_Global_Root_CAFingerprint, }; static const StaticFingerprints kPinset_mozilla_services_sha256 = { sizeof(kPinset_mozilla_services_sha256_Data) / sizeof(const char*), kPinset_mozilla_services_sha256_Data }; static const StaticPinset kPinset_mozilla_services = { nullptr, &kPinset_mozilla_services_sha256 static const StaticFingerprints kPinset_mozilla_services = { sizeof(kPinset_mozilla_services_Data) / sizeof(const char*), kPinset_mozilla_services_Data }; static const char* kPinset_mozilla_test_sha256_Data[] = { static const char* kPinset_mozilla_test_Data[] = { kEnd_Entity_Test_CertFingerprint, }; static const StaticFingerprints kPinset_mozilla_test_sha256 = { sizeof(kPinset_mozilla_test_sha256_Data) / sizeof(const char*), kPinset_mozilla_test_sha256_Data }; static const StaticPinset kPinset_mozilla_test = { nullptr, &kPinset_mozilla_test_sha256 static const StaticFingerprints kPinset_mozilla_test = { sizeof(kPinset_mozilla_test_Data) / sizeof(const char*), kPinset_mozilla_test_Data }; /* Chrome static pinsets */ static const char* kPinset_test_sha256_Data[] = { static const char* kPinset_test_Data[] = { kTestSPKIFingerprint, }; static const StaticFingerprints kPinset_test_sha256 = { sizeof(kPinset_test_sha256_Data) / sizeof(const char*), kPinset_test_sha256_Data }; static const StaticPinset kPinset_test = { nullptr, 
&kPinset_test_sha256 }; static const char* kPinset_google_sha1_Data[] = { kGoogleBackup2048Fingerprint, }; static const StaticFingerprints kPinset_google_sha1 = { sizeof(kPinset_google_sha1_Data) / sizeof(const char*), kPinset_google_sha1_Data static const StaticFingerprints kPinset_test = { sizeof(kPinset_test_Data) / sizeof(const char*), kPinset_test_Data }; static const char* kPinset_google_sha256_Data[] = { static const char* kPinset_google_Data[] = { kGOOGLE_PIN_GoogleG2Fingerprint, kGoogleBackup2048Fingerprint, kGeoTrust_Global_CAFingerprint, }; static const StaticFingerprints kPinset_google_sha256 = { sizeof(kPinset_google_sha256_Data) / sizeof(const char*), kPinset_google_sha256_Data }; static const StaticPinset kPinset_google = { &kPinset_google_sha1, &kPinset_google_sha256 static const StaticFingerprints kPinset_google = { sizeof(kPinset_google_Data) / sizeof(const char*), kPinset_google_Data }; static const char* kPinset_tor_sha1_Data[] = { kTor1Fingerprint, kTor2Fingerprint, static const char* kPinset_tor_Data[] = { kTor3Fingerprint, }; static const StaticFingerprints kPinset_tor_sha1 = { sizeof(kPinset_tor_sha1_Data) / sizeof(const char*), kPinset_tor_sha1_Data }; static const char* kPinset_tor_sha256_Data[] = { kDigiCert_High_Assurance_EV_Root_CAFingerprint, kGOOGLE_PIN_LetsEncryptAuthorityX1Fingerprint, kTor1Fingerprint, kGOOGLE_PIN_RapidSSLFingerprint, kGOOGLE_PIN_LetsEncryptAuthorityX2Fingerprint, kTor2Fingerprint, }; static const StaticFingerprints kPinset_tor_sha256 = { sizeof(kPinset_tor_sha256_Data) / sizeof(const char*), kPinset_tor_sha256_Data }; static const StaticPinset kPinset_tor = { &kPinset_tor_sha1, &kPinset_tor_sha256 }; static const char* kPinset_twitterCom_sha1_Data[] = { kTwitter1Fingerprint, }; static const StaticFingerprints kPinset_twitterCom_sha1 = { sizeof(kPinset_twitterCom_sha1_Data) / sizeof(const char*), kPinset_twitterCom_sha1_Data static const StaticFingerprints kPinset_tor = { sizeof(kPinset_tor_Data) / sizeof(const 
char*), kPinset_tor_Data }; static const char* kPinset_twitterCom_sha256_Data[] = { static const char* kPinset_twitterCom_Data[] = { kVerisign_Class_2_Public_Primary_Certification_Authority___G2Fingerprint, kVerisign_Class_3_Public_Primary_Certification_Authority___G2Fingerprint, kGeoTrust_Global_CA_2Fingerprint, Loading @@ -575,26 +513,14 @@ static const char* kPinset_twitterCom_sha256_Data[] = { kGeoTrust_Primary_Certification_Authority___G3Fingerprint, kDigiCert_Global_Root_CAFingerprint, kGeoTrust_Primary_Certification_Authority___G2Fingerprint, }; static const StaticFingerprints kPinset_twitterCom_sha256 = { sizeof(kPinset_twitterCom_sha256_Data) / sizeof(const char*), kPinset_twitterCom_sha256_Data }; static const StaticPinset kPinset_twitterCom = { &kPinset_twitterCom_sha1, &kPinset_twitterCom_sha256 }; static const char* kPinset_twitterCDN_sha1_Data[] = { kTwitter1Fingerprint, }; static const StaticFingerprints kPinset_twitterCDN_sha1 = { sizeof(kPinset_twitterCDN_sha1_Data) / sizeof(const char*), kPinset_twitterCDN_sha1_Data static const StaticFingerprints kPinset_twitterCom = { sizeof(kPinset_twitterCom_Data) / sizeof(const char*), kPinset_twitterCom_Data }; static const char* kPinset_twitterCDN_sha256_Data[] = { static const char* kPinset_twitterCDN_Data[] = { kVerisign_Class_2_Public_Primary_Certification_Authority___G2Fingerprint, kComodo_Trusted_Services_rootFingerprint, kCOMODO_Certification_AuthorityFingerprint, Loading Loading 
@@ -635,19 +561,15 @@ static const char* kPinset_twitterCDN_sha256_Data[] = { kDigiCert_Global_Root_CAFingerprint, kGeoTrust_Primary_Certification_Authority___G2Fingerprint, kComodo_AAA_Services_rootFingerprint, kTwitter1Fingerprint, kAddTrust_Qualified_Certificates_RootFingerprint, }; static const StaticFingerprints kPinset_twitterCDN_sha256 = { sizeof(kPinset_twitterCDN_sha256_Data) / sizeof(const char*), kPinset_twitterCDN_sha256_Data static const StaticFingerprints kPinset_twitterCDN = { sizeof(kPinset_twitterCDN_Data) / sizeof(const char*), kPinset_twitterCDN_Data }; static const StaticPinset kPinset_twitterCDN = { &kPinset_twitterCDN_sha1, &kPinset_twitterCDN_sha256 }; static const char* kPinset_dropbox_sha256_Data[] = { static const char* kPinset_dropbox_Data[] = { kEntrust_Root_Certification_Authority___EC1Fingerprint, kGOOGLE_PIN_ThawtePremiumServerFingerprint, kthawte_Primary_Root_CA___G3Fingerprint, Loading 
@@ -667,72 +589,35 @@ static const char* kPinset_dropbox_sha256_Data[] = { kDigiCert_Global_Root_CAFingerprint, kGeoTrust_Primary_Certification_Authority___G2Fingerprint, }; static const StaticFingerprints kPinset_dropbox_sha256 = { sizeof(kPinset_dropbox_sha256_Data) / sizeof(const char*), kPinset_dropbox_sha256_Data }; static const StaticPinset kPinset_dropbox = { nullptr, &kPinset_dropbox_sha256 }; static const char* kPinset_facebook_sha1_Data[] = { kFacebookBackupFingerprint, }; static const StaticFingerprints kPinset_facebook_sha1 = { sizeof(kPinset_facebook_sha1_Data) / sizeof(const char*), kPinset_facebook_sha1_Data static const StaticFingerprints kPinset_dropbox = { sizeof(kPinset_dropbox_Data) / sizeof(const char*), kPinset_dropbox_Data }; static const char* kPinset_facebook_sha256_Data[] = { static const char* kPinset_facebook_Data[] = { kGOOGLE_PIN_DigiCertECCSecureServerCAFingerprint, kDigiCert_High_Assurance_EV_Root_CAFingerprint, kGOOGLE_PIN_SymantecClass3EVG3Fingerprint, kFacebookBackupFingerprint, }; static const StaticFingerprints kPinset_facebook_sha256 = { sizeof(kPinset_facebook_sha256_Data) / sizeof(const char*), kPinset_facebook_sha256_Data }; static const StaticPinset kPinset_facebook = { &kPinset_facebook_sha1, &kPinset_facebook_sha256 static const StaticFingerprints kPinset_facebook = { sizeof(kPinset_facebook_Data) / sizeof(const char*), kPinset_facebook_Data }; static const char* kPinset_spideroak_sha1_Data[] = { static const char* kPinset_spideroak_Data[] = { kSpiderOak2Fingerprint, kSpiderOak3Fingerprint, }; static const StaticFingerprints kPinset_spideroak_sha1 = { sizeof(kPinset_spideroak_sha1_Data) / sizeof(const char*), kPinset_spideroak_sha1_Data }; static const char* kPinset_spideroak_sha256_Data[] = { kDigiCert_High_Assurance_EV_Root_CAFingerprint, kGeoTrust_Global_CAFingerprint, }; static const StaticFingerprints kPinset_spideroak_sha256 = { sizeof(kPinset_spideroak_sha256_Data) / sizeof(const char*), 
kPinset_spideroak_sha256_Data }; static const StaticPinset kPinset_spideroak = { &kPinset_spideroak_sha1, &kPinset_spideroak_sha256 static const StaticFingerprints kPinset_spideroak = { sizeof(kPinset_spideroak_Data) / sizeof(const char*), kPinset_spideroak_Data }; static const char* kPinset_yahoo_sha1_Data[] = { kYahooBackup2Fingerprint, static const char* kPinset_yahoo_Data[] = { kYahooBackup1Fingerprint, }; static const StaticFingerprints kPinset_yahoo_sha1 = { sizeof(kPinset_yahoo_sha1_Data) / sizeof(const char*), kPinset_yahoo_sha1_Data }; static const char* kPinset_yahoo_sha256_Data[] = { kVerisign_Class_2_Public_Primary_Certification_Authority___G2Fingerprint, kVeriSign_Class_3_Public_Primary_Certification_Authority___G5Fingerprint, kGeoTrust_Primary_Certification_AuthorityFingerprint, Loading @@ -740,6 +625,7 @@ static const char* kPinset_yahoo_sha256_Data[] = { kVeriSign_Class_3_Public_Primary_Certification_Authority___G4Fingerprint, kDigiCert_High_Assurance_EV_Root_CAFingerprint, kVerisign_Class_2_Public_Primary_Certification_Authority___G3Fingerprint, kYahooBackup2Fingerprint, kGeoTrust_Global_CAFingerprint, kVeriSign_Universal_Root_Certification_AuthorityFingerprint, kGeoTrust_Universal_CAFingerprint, Loading @@ -747,14 +633,9 @@ static const char* kPinset_yahoo_sha256_Data[] = { kDigiCert_Global_Root_CAFingerprint, kGeoTrust_Primary_Certification_Authority___G2Fingerprint, }; static const StaticFingerprints kPinset_yahoo_sha256 = { sizeof(kPinset_yahoo_sha256_Data) / sizeof(const char*), kPinset_yahoo_sha256_Data }; static const StaticPinset kPinset_yahoo = { &kPinset_yahoo_sha1, &kPinset_yahoo_sha256 static const StaticFingerprints kPinset_yahoo = { sizeof(kPinset_yahoo_Data) / sizeof(const char*), kPinset_yahoo_Data }; /* Domainlist */ Loading 
@@ -764,7 +645,7 @@ struct TransportSecurityPreload { const bool mTestMode; const bool mIsMoz; const int32_t mId; const StaticPinset *pinset; const StaticFingerprints* pinset; }; /* Sort hostnames for binary search. */ Loading Loading @@ -1230,4 +1111,4 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = { static const int32_t kUnknownId = -1; static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1472903978258000); static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1473437156700000);
security/manager/tools/genHPKPStaticPins.js +2 −8 @@ -53,17 +53,13 @@ const DOMAINHEADER = "/* Domainlist */\n" + " const bool mTestMode;\n" + " const bool mIsMoz;\n" + " const int32_t mId;\n" + " const StaticPinset* pinset;\n" + " const StaticFingerprints* pinset;\n" + "};\n\n"; const PINSETDEF = "/* Pinsets are each an ordered list by the actual value of the fingerprint */\n" + "struct StaticFingerprints {\n" + " const size_t size;\n" + " const char* const* data;\n" + "};\n\n" + "struct StaticPinset {\n" + " const StaticFingerprints* sha1;\n" + " const StaticFingerprints* sha256;\n" + "};\n\n"; // Command-line arguments @@ -463,12 +459,10 @@ function writeFullPinset(certNameToSKD, certSKDToName, pinset) { } writeFingerprints(certNameToSKD, certSKDToName, pinset.name, pinset.sha256_hashes); writeString("static const StaticPinset " + prefix + " = {\n" + " nullptr,\n &" + prefix + "_sha256\n};\n\n"); } function writeFingerprints(certNameToSKD, certSKDToName, name, hashes) { let varPrefix = "kPinset_" + name + "_sha256"; let varPrefix = "kPinset_" + name; writeString("static const char* " + varPrefix + "_Data[] = {\n"); let SKDList = []; for (let certName of hashes) {
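Review bot: The removed `writeString(...)` call in `writeFullPinset` was the only use of `prefix` visible in this hunk, so if `prefix` is declared above the hunk, that declaration is now dead and can be dropped. The function starts outside the hunk, so I cannot see the declaration. `writeFingerprints` already builds the same name itself with `let varPrefix = "kPinset_" + name;`, so nothing else needs the variable. `writeFullPinset` is also now a thin wrapper around `writeFingerprints(..., pinset.name, pinset.sha256_hashes)`; a one-line comment such as `// Only SHA-256 hashes are emitted; StaticPinset and its sha1 member no longer exist.` would record why only that field is read.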