Diffstat (limited to 'security/manager')
11 files changed, 75 insertions, 507 deletions
diff --git a/security/manager/ssl/StaticHPKPins.errors b/security/manager/ssl/StaticHPKPins.errors
deleted file mode 100644
index f5b0a1ebb..000000000
--- a/security/manager/ssl/StaticHPKPins.errors
+++ /dev/null
@@ -1,28 +0,0 @@
-Can't find hash in builtin certs for Chrome nickname GoogleG2, inserting GOOGLE_PIN_GoogleG2
-Can't find hash in builtin certs for Chrome nickname RapidSSL, inserting GOOGLE_PIN_RapidSSL
-Can't find hash in builtin certs for Chrome nickname DigiCertSHA2HighAssuranceServerCA, inserting GOOGLE_PIN_DigiCertSHA2HighAssuranceServerCA
-Can't find hash in builtin certs for Chrome nickname VeriSignClass1, inserting GOOGLE_PIN_VeriSignClass1
-Can't find hash in builtin certs for Chrome nickname VeriSignClass4_G3, inserting GOOGLE_PIN_VeriSignClass4_G3
-Can't find hash in builtin certs for Chrome nickname VeriSignClass3_G2, inserting GOOGLE_PIN_VeriSignClass3_G2
-Can't find hash in builtin certs for Chrome nickname VeriSignClass2_G2, inserting GOOGLE_PIN_VeriSignClass2_G2
-Can't find hash in builtin certs for Chrome nickname Entrust_SSL, inserting GOOGLE_PIN_Entrust_SSL
-Can't find hash in builtin certs for Chrome nickname UTNDATACorpSGC, inserting GOOGLE_PIN_UTNDATACorpSGC
-Can't find hash in builtin certs for Chrome nickname GTECyberTrustGlobalRoot, inserting GOOGLE_PIN_GTECyberTrustGlobalRoot
-Can't find hash in builtin certs for Chrome nickname GoDaddySecure, inserting GOOGLE_PIN_GoDaddySecure
-Can't find hash in builtin certs for Chrome nickname SymantecClass3EVG3, inserting GOOGLE_PIN_SymantecClass3EVG3
-Can't find hash in builtin certs for Chrome nickname DigiCertECCSecureServerCA, inserting GOOGLE_PIN_DigiCertECCSecureServerCA
-Can't find hash in builtin certs for Chrome nickname LetsEncryptAuthorityPrimary_X1_X3, inserting GOOGLE_PIN_LetsEncryptAuthorityPrimary_X1_X3
-Can't find hash in builtin certs for Chrome nickname LetsEncryptAuthorityBackup_X2_X4, inserting GOOGLE_PIN_LetsEncryptAuthorityBackup_X2_X4
-Can't find hash in builtin certs for Chrome nickname COMODORSADomainValidationSecureServerCA, inserting GOOGLE_PIN_COMODORSADomainValidationSecureServerCA
-Writing pinset test
-Writing pinset google
-Writing pinset tor
-Writing pinset twitterCom
-Writing pinset twitterCDN
-Writing pinset dropbox
-Writing pinset facebook
-Writing pinset spideroak
-Writing pinset yahoo
-Writing pinset swehackCom
-Writing pinset ncsccs
-Writing pinset tumblr
diff --git a/security/manager/ssl/StaticHPKPins.h b/security/manager/ssl/StaticHPKPins.h
index 323d8ec85..a2313ea72 100644
--- a/security/manager/ssl/StaticHPKPins.h
+++ b/security/manager/ssl/StaticHPKPins.h
@@ -700,486 +700,13 @@ struct TransportSecurityPreload { /* Sort hostnames for binary search. */ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = { - { "0.me.uk", true, true, false, -1, &kPinset_ncsccs }, - { "2mdn.net", true, false, false, -1, &kPinset_google_root_pems }, - { "accounts.firefox.com", true, false, true, 4, &kPinset_mozilla_services }, - { "accounts.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "addons.mozilla.net", true, false, true, 2, &kPinset_mozilla }, - { "addons.mozilla.org", true, false, true, 1, &kPinset_mozilla }, - { "admin.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "android.com", true, false, false, -1, &kPinset_google_root_pems }, - { "api.accounts.firefox.com", true, false, true, 5, &kPinset_mozilla_services }, - { "api.twitter.com", true, false, false, -1, &kPinset_twitterCDN }, - { "apis.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "appengine.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "apps.facebook.com", true, false, false, -1, &kPinset_facebook }, - { "appspot.com", true, false, false, -1, &kPinset_google_root_pems }, - { "at.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "au.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "aus4.mozilla.org", true, true, true, 3, &kPinset_mozilla }, - { "aus5.mozilla.org", true, true, true, 7, &kPinset_mozilla }, - { "az.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "be.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "bi.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "blog.torproject.org", true, false, false, -1, &kPinset_tor }, - { "blogger.com", true, false, false, -1, &kPinset_google_root_pems }, - { "blogspot.com", true, false, false, -1, &kPinset_google_root_pems }, - { "br.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "bugs.chromium.org", true, false, false, -1, 
&kPinset_google_root_pems }, - { "build.chromium.org", true, false, false, -1, &kPinset_google_root_pems }, - { "business.facebook.com", true, false, false, -1, &kPinset_facebook }, - { "business.twitter.com", true, false, false, -1, &kPinset_twitterCom }, - { "ca.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "cd.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "cdn.mozilla.net", true, false, true, -1, &kPinset_mozilla }, - { "cdn.mozilla.org", true, false, true, -1, &kPinset_mozilla }, - { "cg.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "ch.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "chart.apis.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "check.torproject.org", true, false, false, -1, &kPinset_tor }, - { "checkout.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "chfr.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "chit.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "chrome-devtools-frontend.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, - { "chrome.com", true, false, false, -1, &kPinset_google_root_pems }, - { "chrome.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "chromiumbugs.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, - { "chromiumcodereview.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, - { "cl.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "cloud.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "cn.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "co.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "code.facebook.com", true, false, false, -1, &kPinset_facebook }, - { "code.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "codereview.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, - { 
"codereview.chromium.org", true, false, false, -1, &kPinset_google_root_pems }, - { "contributor.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "cr.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "crbug.com", true, false, false, -1, &kPinset_google_root_pems }, - { "crosbug.com", true, false, false, -1, &kPinset_google_root_pems }, - { "crrev.com", true, false, false, -1, &kPinset_google_root_pems }, - { "ct.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "de.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "dev.twitter.com", true, false, false, -1, &kPinset_twitterCom }, - { "developer.android.com", true, false, false, -1, &kPinset_google_root_pems }, - { "developers.facebook.com", true, false, false, -1, &kPinset_facebook }, - { "dist.torproject.org", true, false, false, -1, &kPinset_tor }, - { "dk.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "dl.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "dns.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "do.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "docs.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "domains.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "doubleclick.net", true, false, false, -1, &kPinset_google_root_pems }, - { "drive.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "dropbox.com", true, false, false, -1, &kPinset_dropbox }, - { "dropboxstatic.com", false, true, false, -1, &kPinset_dropbox }, - { "dropboxusercontent.com", false, true, false, -1, &kPinset_dropbox }, - { "edit.yahoo.com", true, true, false, -1, &kPinset_yahoo }, - { "en-maktoob.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "encrypted.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "es.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "espanol.search.yahoo.com", 
false, true, false, -1, &kPinset_yahoo }, { "exclude-subdomains.pinning.example.com", false, false, false, 0, &kPinset_mozilla_test }, - { "facebook.com", false, false, false, -1, &kPinset_facebook }, - { "fi.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "fi.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "firebaseio.com", true, false, false, -1, &kPinset_google_root_pems }, - { "fj.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "fr.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "g.co", true, false, false, -1, &kPinset_google_root_pems }, - { "g4w.co", true, false, false, -1, &kPinset_google_root_pems }, - { "ggpht.com", true, false, false, -1, &kPinset_google_root_pems }, - { "gl.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "glass.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "gm.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "gmail.com", false, false, false, -1, &kPinset_google_root_pems }, - { "goo.gl", true, false, false, -1, &kPinset_google_root_pems }, - { "google", true, false, false, -1, &kPinset_google_root_pems }, - { "google-analytics.com", true, false, false, -1, &kPinset_google_root_pems }, - { "google.ac", true, false, false, -1, &kPinset_google_root_pems }, - { "google.ad", true, false, false, -1, &kPinset_google_root_pems }, - { "google.ae", true, false, false, -1, &kPinset_google_root_pems }, - { "google.af", true, false, false, -1, &kPinset_google_root_pems }, - { "google.ag", true, false, false, -1, &kPinset_google_root_pems }, - { "google.am", true, false, false, -1, &kPinset_google_root_pems }, - { "google.as", true, false, false, -1, &kPinset_google_root_pems }, - { "google.at", true, false, false, -1, &kPinset_google_root_pems }, - { "google.az", true, false, false, -1, &kPinset_google_root_pems }, - { "google.ba", true, false, false, -1, &kPinset_google_root_pems }, - { "google.be", true, false, false, 
-1, &kPinset_google_root_pems }, - { "google.bf", true, false, false, -1, &kPinset_google_root_pems }, - { "google.bg", true, false, false, -1, &kPinset_google_root_pems }, - { "google.bi", true, false, false, -1, &kPinset_google_root_pems }, - { "google.bj", true, false, false, -1, &kPinset_google_root_pems }, - { "google.bs", true, false, false, -1, &kPinset_google_root_pems }, - { "google.by", true, false, false, -1, &kPinset_google_root_pems }, - { "google.ca", true, false, false, -1, &kPinset_google_root_pems }, - { "google.cat", true, false, false, -1, &kPinset_google_root_pems }, - { "google.cc", true, false, false, -1, &kPinset_google_root_pems }, - { "google.cd", true, false, false, -1, &kPinset_google_root_pems }, - { "google.cf", true, false, false, -1, &kPinset_google_root_pems }, - { "google.cg", true, false, false, -1, &kPinset_google_root_pems }, - { "google.ch", true, false, false, -1, &kPinset_google_root_pems }, - { "google.ci", true, false, false, -1, &kPinset_google_root_pems }, - { "google.cl", true, false, false, -1, &kPinset_google_root_pems }, - { "google.cm", true, false, false, -1, &kPinset_google_root_pems }, - { "google.cn", true, false, false, -1, &kPinset_google_root_pems }, - { "google.co.ao", true, false, false, -1, &kPinset_google_root_pems }, - { "google.co.bw", true, false, false, -1, &kPinset_google_root_pems }, - { "google.co.ck", true, false, false, -1, &kPinset_google_root_pems }, - { "google.co.cr", true, false, false, -1, &kPinset_google_root_pems }, - { "google.co.hu", true, false, false, -1, &kPinset_google_root_pems }, - { "google.co.id", true, false, false, -1, &kPinset_google_root_pems }, - { "google.co.il", true, false, false, -1, &kPinset_google_root_pems }, - { "google.co.im", true, false, false, -1, &kPinset_google_root_pems }, - { "google.co.in", true, false, false, -1, &kPinset_google_root_pems }, - { "google.co.je", true, false, false, -1, &kPinset_google_root_pems }, - { "google.co.jp", true, false, false, -1, 
&kPinset_google_root_pems }, - { "google.co.ke", true, false, false, -1, &kPinset_google_root_pems }, - { "google.co.kr", true, false, false, -1, &kPinset_google_root_pems }, - { "google.co.ls", true, false, false, -1, &kPinset_google_root_pems }, - { "google.co.ma", true, false, false, -1, &kPinset_google_root_pems }, - { "google.co.mz", true, false, false, -1, &kPinset_google_root_pems }, - { "google.co.nz", true, false, false, -1, &kPinset_google_root_pems }, - { "google.co.th", true, false, false, -1, &kPinset_google_root_pems }, - { "google.co.tz", true, false, false, -1, &kPinset_google_root_pems }, - { "google.co.ug", true, false, false, -1, &kPinset_google_root_pems }, - { "google.co.uk", true, false, false, -1, &kPinset_google_root_pems }, - { "google.co.uz", true, false, false, -1, &kPinset_google_root_pems }, - { "google.co.ve", true, false, false, -1, &kPinset_google_root_pems }, - { "google.co.vi", true, false, false, -1, &kPinset_google_root_pems }, - { "google.co.za", true, false, false, -1, &kPinset_google_root_pems }, - { "google.co.zm", true, false, false, -1, &kPinset_google_root_pems }, - { "google.co.zw", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.af", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.ag", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.ai", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.ar", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.au", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.bd", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.bh", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.bn", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.bo", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.br", true, false, false, -1, 
&kPinset_google_root_pems }, - { "google.com.by", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.bz", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.cn", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.co", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.cu", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.cy", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.do", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.ec", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.eg", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.et", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.fj", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.ge", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.gh", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.gi", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.gr", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.gt", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.hk", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.iq", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.jm", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.jo", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.kh", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.kw", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.lb", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.ly", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.mt", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.mx", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.my", true, false, false, -1, 
&kPinset_google_root_pems }, - { "google.com.na", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.nf", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.ng", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.ni", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.np", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.nr", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.om", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.pa", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.pe", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.ph", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.pk", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.pl", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.pr", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.py", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.qa", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.ru", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.sa", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.sb", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.sg", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.sl", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.sv", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.tj", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.tn", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.tr", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.tw", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.ua", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.uy", true, false, false, -1, 
&kPinset_google_root_pems }, - { "google.com.vc", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.ve", true, false, false, -1, &kPinset_google_root_pems }, - { "google.com.vn", true, false, false, -1, &kPinset_google_root_pems }, - { "google.cv", true, false, false, -1, &kPinset_google_root_pems }, - { "google.cz", true, false, false, -1, &kPinset_google_root_pems }, - { "google.de", true, false, false, -1, &kPinset_google_root_pems }, - { "google.dj", true, false, false, -1, &kPinset_google_root_pems }, - { "google.dk", true, false, false, -1, &kPinset_google_root_pems }, - { "google.dm", true, false, false, -1, &kPinset_google_root_pems }, - { "google.dz", true, false, false, -1, &kPinset_google_root_pems }, - { "google.ee", true, false, false, -1, &kPinset_google_root_pems }, - { "google.es", true, false, false, -1, &kPinset_google_root_pems }, - { "google.fi", true, false, false, -1, &kPinset_google_root_pems }, - { "google.fm", true, false, false, -1, &kPinset_google_root_pems }, - { "google.fr", true, false, false, -1, &kPinset_google_root_pems }, - { "google.ga", true, false, false, -1, &kPinset_google_root_pems }, - { "google.ge", true, false, false, -1, &kPinset_google_root_pems }, - { "google.gg", true, false, false, -1, &kPinset_google_root_pems }, - { "google.gl", true, false, false, -1, &kPinset_google_root_pems }, - { "google.gm", true, false, false, -1, &kPinset_google_root_pems }, - { "google.gp", true, false, false, -1, &kPinset_google_root_pems }, - { "google.gr", true, false, false, -1, &kPinset_google_root_pems }, - { "google.gy", true, false, false, -1, &kPinset_google_root_pems }, - { "google.hk", true, false, false, -1, &kPinset_google_root_pems }, - { "google.hn", true, false, false, -1, &kPinset_google_root_pems }, - { "google.hr", true, false, false, -1, &kPinset_google_root_pems }, - { "google.ht", true, false, false, -1, &kPinset_google_root_pems }, - { "google.hu", true, false, false, -1, &kPinset_google_root_pems 
}, - { "google.ie", true, false, false, -1, &kPinset_google_root_pems }, - { "google.im", true, false, false, -1, &kPinset_google_root_pems }, - { "google.info", true, false, false, -1, &kPinset_google_root_pems }, - { "google.iq", true, false, false, -1, &kPinset_google_root_pems }, - { "google.is", true, false, false, -1, &kPinset_google_root_pems }, - { "google.it", true, false, false, -1, &kPinset_google_root_pems }, - { "google.it.ao", true, false, false, -1, &kPinset_google_root_pems }, - { "google.je", true, false, false, -1, &kPinset_google_root_pems }, - { "google.jo", true, false, false, -1, &kPinset_google_root_pems }, - { "google.jobs", true, false, false, -1, &kPinset_google_root_pems }, - { "google.jp", true, false, false, -1, &kPinset_google_root_pems }, - { "google.kg", true, false, false, -1, &kPinset_google_root_pems }, - { "google.ki", true, false, false, -1, &kPinset_google_root_pems }, - { "google.kz", true, false, false, -1, &kPinset_google_root_pems }, - { "google.la", true, false, false, -1, &kPinset_google_root_pems }, - { "google.li", true, false, false, -1, &kPinset_google_root_pems }, - { "google.lk", true, false, false, -1, &kPinset_google_root_pems }, - { "google.lt", true, false, false, -1, &kPinset_google_root_pems }, - { "google.lu", true, false, false, -1, &kPinset_google_root_pems }, - { "google.lv", true, false, false, -1, &kPinset_google_root_pems }, - { "google.md", true, false, false, -1, &kPinset_google_root_pems }, - { "google.me", true, false, false, -1, &kPinset_google_root_pems }, - { "google.mg", true, false, false, -1, &kPinset_google_root_pems }, - { "google.mk", true, false, false, -1, &kPinset_google_root_pems }, - { "google.ml", true, false, false, -1, &kPinset_google_root_pems }, - { "google.mn", true, false, false, -1, &kPinset_google_root_pems }, - { "google.ms", true, false, false, -1, &kPinset_google_root_pems }, - { "google.mu", true, false, false, -1, &kPinset_google_root_pems }, - { "google.mv", true, false, 
false, -1, &kPinset_google_root_pems }, - { "google.mw", true, false, false, -1, &kPinset_google_root_pems }, - { "google.ne", true, false, false, -1, &kPinset_google_root_pems }, - { "google.ne.jp", true, false, false, -1, &kPinset_google_root_pems }, - { "google.net", true, false, false, -1, &kPinset_google_root_pems }, - { "google.nl", true, false, false, -1, &kPinset_google_root_pems }, - { "google.no", true, false, false, -1, &kPinset_google_root_pems }, - { "google.nr", true, false, false, -1, &kPinset_google_root_pems }, - { "google.nu", true, false, false, -1, &kPinset_google_root_pems }, - { "google.off.ai", true, false, false, -1, &kPinset_google_root_pems }, - { "google.pk", true, false, false, -1, &kPinset_google_root_pems }, - { "google.pl", true, false, false, -1, &kPinset_google_root_pems }, - { "google.pn", true, false, false, -1, &kPinset_google_root_pems }, - { "google.ps", true, false, false, -1, &kPinset_google_root_pems }, - { "google.pt", true, false, false, -1, &kPinset_google_root_pems }, - { "google.ro", true, false, false, -1, &kPinset_google_root_pems }, - { "google.rs", true, false, false, -1, &kPinset_google_root_pems }, - { "google.ru", true, false, false, -1, &kPinset_google_root_pems }, - { "google.rw", true, false, false, -1, &kPinset_google_root_pems }, - { "google.sc", true, false, false, -1, &kPinset_google_root_pems }, - { "google.se", true, false, false, -1, &kPinset_google_root_pems }, - { "google.sh", true, false, false, -1, &kPinset_google_root_pems }, - { "google.si", true, false, false, -1, &kPinset_google_root_pems }, - { "google.sk", true, false, false, -1, &kPinset_google_root_pems }, - { "google.sm", true, false, false, -1, &kPinset_google_root_pems }, - { "google.sn", true, false, false, -1, &kPinset_google_root_pems }, - { "google.so", true, false, false, -1, &kPinset_google_root_pems }, - { "google.st", true, false, false, -1, &kPinset_google_root_pems }, - { "google.td", true, false, false, -1, 
&kPinset_google_root_pems }, - { "google.tg", true, false, false, -1, &kPinset_google_root_pems }, - { "google.tk", true, false, false, -1, &kPinset_google_root_pems }, - { "google.tl", true, false, false, -1, &kPinset_google_root_pems }, - { "google.tm", true, false, false, -1, &kPinset_google_root_pems }, - { "google.tn", true, false, false, -1, &kPinset_google_root_pems }, - { "google.to", true, false, false, -1, &kPinset_google_root_pems }, - { "google.tt", true, false, false, -1, &kPinset_google_root_pems }, - { "google.us", true, false, false, -1, &kPinset_google_root_pems }, - { "google.uz", true, false, false, -1, &kPinset_google_root_pems }, - { "google.vg", true, false, false, -1, &kPinset_google_root_pems }, - { "google.vu", true, false, false, -1, &kPinset_google_root_pems }, - { "google.ws", true, false, false, -1, &kPinset_google_root_pems }, - { "googleadservices.com", true, false, false, -1, &kPinset_google_root_pems }, - { "googleapis.com", true, false, false, -1, &kPinset_google_root_pems }, - { "googlecode.com", true, false, false, -1, &kPinset_google_root_pems }, - { "googlecommerce.com", true, false, false, -1, &kPinset_google_root_pems }, - { "googlegroups.com", true, false, false, -1, &kPinset_google_root_pems }, - { "googlemail.com", false, false, false, -1, &kPinset_google_root_pems }, - { "googleplex.com", true, false, false, -1, &kPinset_google_root_pems }, - { "googlesource.com", true, false, false, -1, &kPinset_google_root_pems }, - { "googlesyndication.com", true, false, false, -1, &kPinset_google_root_pems }, - { "googletagmanager.com", true, false, false, -1, &kPinset_google_root_pems }, - { "googletagservices.com", true, false, false, -1, &kPinset_google_root_pems }, - { "googleusercontent.com", true, false, false, -1, &kPinset_google_root_pems }, - { "googlevideo.com", true, false, false, -1, &kPinset_google_root_pems }, - { "googleweblight.com", true, false, false, -1, &kPinset_google_root_pems }, - { "goto.google.com", true, 
false, false, -1, &kPinset_google_root_pems }, - { "gr.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "groups.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "gstatic.com", true, false, false, -1, &kPinset_google_root_pems }, - { "gvt1.com", true, false, false, -1, &kPinset_google_root_pems }, - { "gvt2.com", true, false, false, -1, &kPinset_google_root_pems }, - { "gvt3.com", true, false, false, -1, &kPinset_google_root_pems }, - { "hangouts.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "history.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "hk.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "hn.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "hostedtalkgadget.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "hu.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "id.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "ie.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "in.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "inbox.google.com", true, false, false, -1, &kPinset_google_root_pems }, { "include-subdomains.pinning.example.com", true, false, false, -1, &kPinset_mozilla_test }, - { "it.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "kr.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "kz.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "li.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "login.corp.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "login.yahoo.com", true, true, false, -1, &kPinset_yahoo }, - { "lt.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "lu.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "lv.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "m.facebook.com", true, false, false, -1, &kPinset_facebook }, 
- { "mail-settings.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "mail.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "mail.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "maktoob.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "malaysia.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "market.android.com", true, false, false, -1, &kPinset_google_root_pems }, - { "mbasic.facebook.com", true, false, false, -1, &kPinset_facebook }, - { "meet.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "messenger.com", false, false, false, -1, &kPinset_facebook }, - { "mobile.twitter.com", true, false, false, -1, &kPinset_twitterCom }, - { "mt.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "mtouch.facebook.com", true, false, false, -1, &kPinset_facebook }, - { "mu.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "mw.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "mx.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "myaccount.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "myactivity.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "ncsccs.com", true, true, false, -1, &kPinset_ncsccs }, - { "ni.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "nl.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "no.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "np.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "nz.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "oauth.twitter.com", true, false, false, -1, &kPinset_twitterCom }, - { "pa.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "passwords.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "payments.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "pe.search.yahoo.com", false, true, 
false, -1, &kPinset_yahoo }, - { "ph.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "pinning-test.badssl.com", true, false, false, -1, &kPinset_test }, - { "pinningtest.appspot.com", true, false, false, -1, &kPinset_test }, - { "pixel.facebook.com", true, false, false, -1, &kPinset_facebook }, - { "pixel.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "pk.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "pl.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "platform.twitter.com", true, false, false, -1, &kPinset_twitterCDN }, - { "play.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "plus.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "plus.sandbox.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "pr.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "profiles.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "py.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "qc.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "research.facebook.com", true, false, false, -1, &kPinset_facebook }, - { "ro.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "ru.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "rw.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "script.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "se.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "secure.facebook.com", true, false, false, -1, &kPinset_facebook }, - { "security.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "services.mozilla.com", true, false, true, 6, &kPinset_mozilla_services }, - { "sg.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "sirburton.com", true, true, false, -1, &kPinset_ncsccs }, - { 
"sites.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "spideroak.com", true, false, false, -1, &kPinset_spideroak }, - { "spreadsheets.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "static.googleadsserving.cn", true, false, false, -1, &kPinset_google_root_pems }, - { "stats.g.doubleclick.net", true, false, false, -1, &kPinset_google_root_pems }, - { "sv.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "swehack.org", true, true, false, -1, &kPinset_swehackCom }, - { "t.facebook.com", true, false, false, -1, &kPinset_facebook }, - { "tablet.facebook.com", true, false, false, -1, &kPinset_facebook }, - { "talk.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "talkgadget.google.com", true, false, false, -1, &kPinset_google_root_pems }, { "test-mode.pinning.example.com", true, true, false, -1, &kPinset_mozilla_test }, - { "th.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "themathematician.uk", true, true, false, -1, &kPinset_ncsccs }, - { "torproject.org", false, false, false, -1, &kPinset_tor }, - { "touch.facebook.com", true, false, false, -1, &kPinset_facebook }, - { "tr.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "translate.googleapis.com", true, false, false, -1, &kPinset_google_root_pems }, - { "tv.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "tw.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "twimg.com", true, false, false, -1, &kPinset_twitterCDN }, - { "twitter.com", true, false, false, -1, &kPinset_twitterCDN }, - { "ua.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "uk.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "upload.facebook.com", true, false, false, -1, &kPinset_facebook }, - { "urchin.com", true, false, false, -1, &kPinset_google_root_pems }, - { "uy.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "uz.search.yahoo.com", false, true, false, 
-1, &kPinset_yahoo }, - { "ve.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "vn.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "w-spotlight.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, - { "wallet.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "webfilings-eu-mirror.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, - { "webfilings-eu.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, - { "webfilings-mirror-hrd.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, - { "webfilings.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, - { "wf-bigsky-master.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, - { "wf-demo-eu.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, - { "wf-demo-hrd.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, - { "wf-dogfood-hrd.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, - { "wf-pentest.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, - { "wf-staging-hr.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, - { "wf-training-hrd.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, - { "wf-training-master.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, - { "wf-trial-hrd.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, - { "withgoogle.com", true, false, false, -1, &kPinset_google_root_pems }, - { "withyoutube.com", true, false, false, -1, &kPinset_google_root_pems }, - { "www.dropbox.com", true, false, false, -1, &kPinset_dropbox }, - { "www.facebook.com", true, false, false, -1, &kPinset_facebook }, - { "www.gmail.com", false, false, false, -1, &kPinset_google_root_pems }, - { "www.googlegroups.com", true, false, false, -1, &kPinset_google_root_pems }, - { "www.googlemail.com", false, false, false, -1, &kPinset_google_root_pems }, - { 
"www.messenger.com", true, false, false, -1, &kPinset_facebook }, - { "www.torproject.org", true, false, false, -1, &kPinset_tor }, - { "www.tumblr.com", false, true, false, -1, &kPinset_tumblr }, - { "www.twitter.com", true, false, false, -1, &kPinset_twitterCom }, - { "xa.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "xbrlsuccess.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, - { "xn--7xa.google.com", true, false, false, -1, &kPinset_google_root_pems }, - { "youtu.be", true, false, false, -1, &kPinset_google_root_pems }, - { "youtube-nocookie.com", true, false, false, -1, &kPinset_google_root_pems }, - { "youtube.com", true, false, false, -1, &kPinset_google_root_pems }, - { "ytimg.com", true, false, false, -1, &kPinset_google_root_pems }, - { "za.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, - { "zh.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, }; -// Pinning Preload List Length = 476; +// Pinning Preload List Length = 3; static const int32_t kUnknownId = -1; -static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1524772960289000); +static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1609459199000000); diff --git a/security/manager/ssl/nsSiteSecurityService.cpp b/security/manager/ssl/nsSiteSecurityService.cpp index 44ee7dcc0..1b7f06a47 100644 --- a/security/manager/ssl/nsSiteSecurityService.cpp +++ b/security/manager/ssl/nsSiteSecurityService.cpp @@ -212,6 +212,7 @@ nsSiteSecurityService::nsSiteSecurityService() , mUsePreloadList(true) , mUseStsService(true) , mPreloadListTimeOffset(0) + , mHPKPEnabled(false) { } 
@@ -240,6 +241,10 @@ nsSiteSecurityService::Init() "network.stricttransportsecurity.preloadlist", true); mozilla::Preferences::AddStrongObserver(this, "network.stricttransportsecurity.preloadlist"); + mHPKPEnabled = mozilla::Preferences::GetBool( + "security.cert_pinning.hpkp.enabled", false); + mozilla::Preferences::AddStrongObserver(this, + "security.cert_pinning.hpkp.enabled"); mUseStsService = mozilla::Preferences::GetBool( "network.stricttransportsecurity.enabled", true); mozilla::Preferences::AddStrongObserver(this, @@ -687,6 +692,17 @@ nsSiteSecurityService::ProcessPKPHeader(nsIURI* aSourceURI, if (aFailureResult) { *aFailureResult = nsISiteSecurityService::ERROR_UNKNOWN; } + if (!mHPKPEnabled) { + SSSLOG(("SSS: HPKP disabled: not processing header '%s'", aHeader)); + if (aMaxAge) { + *aMaxAge = 0; + } + if (aIncludeSubdomains) { + *aIncludeSubdomains = false; + } + return NS_OK; + } + SSSLOG(("SSS: processing HPKP header '%s'", aHeader)); NS_ENSURE_ARG(aSSLStatus); @@ -1185,17 +1201,24 @@ nsSiteSecurityService::GetKeyPinsForHostname(const char* aHostname, mozilla::pkix::Time& aEvalTime, /*out*/ nsTArray<nsCString>& pinArray, /*out*/ bool* aIncludeSubdomains, - /*out*/ bool* afound) { + /*out*/ bool* aFound) { // Child processes are not allowed direct access to this. if (!XRE_IsParentProcess()) { MOZ_CRASH("Child process: no direct access to nsISiteSecurityService::GetKeyPinsForHostname"); } - NS_ENSURE_ARG(afound); + NS_ENSURE_ARG(aFound); NS_ENSURE_ARG(aHostname); + if (!mHPKPEnabled) { + SSSLOG(("HPKP disabled - returning 'pins not found' for %s", + aHostname)); + *aFound = false; + return NS_OK; + } + SSSLOG(("Top of GetKeyPinsForHostname for %s", aHostname)); - *afound = false; + *aFound = false; *aIncludeSubdomains = false; pinArray.Clear(); 
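Review bot: In the new `!mHPKPEnabled` branch of ProcessPKPHeader the function returns NS_OK while `*aFailureResult` still holds the ERROR_UNKNOWN written just above it, so a caller that reads the failure code without first checking the return value sees an error for a header that was deliberately ignored. If that is the intended contract, record it on the branch, e.g. `// HPKP disabled: the header is ignored, not rejected; aFailureResult keeps its initial value.` The function body starts and ends outside the hunk, so how the normal success path leaves aFailureResult cannot be checked from here.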
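Review bot: The early return added to GetKeyPinsForHostname sets only `*aFound = false`, whereas the enabled path right below it also resets `*aIncludeSubdomains` and clears `pinArray`, so with HPKP disabled those two out-parameters keep whatever the caller passed in. A caller that reads them without checking aFound would act on a stale pin list or subdomain flag. Adding `*aIncludeSubdomains = false;` and `pinArray.Clear();` before the `return NS_OK;` keeps both paths consistent. The existing code dereferences aIncludeSubdomains without an NS_ENSURE_ARG, so the reset inherits that assumption. The function continues outside the hunk.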
@@ -1228,7 +1251,7 @@ nsSiteSecurityService::GetKeyPinsForHostname(const char* aHostname, } pinArray = foundEntry.mSHA256keys; *aIncludeSubdomains = foundEntry.mIncludeSubdomains; - *afound = true; + *aFound = true; return NS_OK; } @@ -1248,6 +1271,13 @@ nsSiteSecurityService::SetKeyPins(const char* aHost, bool aIncludeSubdomains, NS_ENSURE_ARG_POINTER(aResult); NS_ENSURE_ARG_POINTER(aSha256Pins); + + if (!mHPKPEnabled) { + SSSLOG(("SSS: HPKP disabled: not setting pins")); + *aResult = false; + return NS_OK; + } + SSSLOG(("Top of SetPins")); nsTArray<nsCString> sha256keys; @@ -1313,6 +1343,8 @@ nsSiteSecurityService::Observe(nsISupports *subject, "network.stricttransportsecurity.enabled", true); mPreloadListTimeOffset = mozilla::Preferences::GetInt("test.currentTimeOffsetSeconds", 0); + mHPKPEnabled = mozilla::Preferences::GetBool( + "security.cert_pinning.hpkp.enabled", false); mProcessPKPHeadersFromNonBuiltInRoots = mozilla::Preferences::GetBool( "security.cert_pinning.process_headers_from_non_builtin_roots", false); mMaxMaxAge = mozilla::Preferences::GetInt( diff --git a/security/manager/ssl/nsSiteSecurityService.h b/security/manager/ssl/nsSiteSecurityService.h index 63afee377..c14543684 100644 --- a/security/manager/ssl/nsSiteSecurityService.h +++ b/security/manager/ssl/nsSiteSecurityService.h @@ -152,6 +152,7 @@ private: bool mUsePreloadList; bool mUseStsService; int64_t mPreloadListTimeOffset; + bool mHPKPEnabled; bool mProcessPKPHeadersFromNonBuiltInRoots; RefPtr<mozilla::DataStorage> mSiteStateStorage; RefPtr<mozilla::DataStorage> mPreloadStateStorage; diff --git a/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js b/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js index 4db133e43..c075428ee 100644 --- a/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js +++ b/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js 
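Review bot: The Observe hunk only refreshes `mHPKPEnabled`, and nothing visible in this commit touches pins already written to site-state storage, so turning the pref off appears to hide stored dynamic pins rather than remove them; presumably they apply again, until their max-age runs out, if the pref is turned back on. The gate is added only in ProcessPKPHeader, GetKeyPinsForHostname and SetKeyPins, and whether the other HPKP read paths (for example the one behind `isSecureURI`, which the new xpcshell test queries only after re-enabling the pref) honour the flag cannot be seen from these hunks and is worth confirming. A comment next to the pref read would record the intended behaviour, e.g. `// Disabling HPKP ignores stored pins; it does not delete them.` Observe starts and ends outside the hunk.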
@@ -12,6 +12,7 @@ var { ForgetAboutSite } = Cu.import("resource://gre/modules/ForgetAboutSite.jsm", {}); do_register_cleanup(() => { + Services.prefs.clearUserPref("security.cert_pinning.hpkp.enabled"); Services.prefs.clearUserPref("security.cert_pinning.enforcement_level"); Services.prefs.clearUserPref( "security.cert_pinning.process_headers_from_non_builtin_roots"); @@ -26,6 +27,7 @@ const GOOD_MAX_AGE = `max-age=${GOOD_MAX_AGE_SECONDS};`; do_get_profile(); // must be done before instantiating nsIX509CertDB +Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true); Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2); Services.prefs.setBoolPref( "security.cert_pinning.process_headers_from_non_builtin_roots", true); @@ -44,6 +46,26 @@ var uri = Services.io.newURI("https://a.pinning2.example.com", null, null); var sslStatus = new FakeSSLStatus(constructCertFromFile( "test_pinning_dynamic/a.pinning2.example.com-pinningroot.pem")); + // Test that with HPKP disabled, processing HPKP headers results in no + // information being saved. + add_task(async function() { + Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", false); + sss.processHeader( + Ci.nsISiteSecurityService.HEADER_HPKP, + uri, + GOOD_MAX_AGE + VALID_PIN + BACKUP_PIN, + secInfo, + 0, + Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST + ); + + Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true); + Assert.ok( + !sss.isSecureURI(Ci.nsISiteSecurityService.HEADER_HPKP, uri, 0), + "a.pinning.example.com should not be HPKP" + ); + }); + // Test the normal case of processing HSTS and HPKP headers for // a.pinning2.example.com, using "Forget About Site" on a.pinning2.example.com, // and then checking that the platform doesn't consider a.pinning2.example.com diff --git a/security/manager/ssl/tests/unit/test_ocsp_must_staple.js b/security/manager/ssl/tests/unit/test_ocsp_must_staple.js index 24b32d6bc..ece1757ac 100644 
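Review bot: The task added in the `@@ -44,6 +46,26 @@` hunk passes `secInfo` to `sss.processHeader`, but the only certificate-status object declared in the visible context is `var sslStatus = new FakeSSLStatus(...)`. Unless `secInfo` is defined elsewhere in the file, the call throws a ReferenceError, the pref is never set back to true, and the test fails for a reason unrelated to HPKP; passing `sslStatus` looks like what was meant. The assertion message names `a.pinning.example.com` while `uri` is `https://a.pinning2.example.com`, so it should read `"a.pinning2.example.com should not be HPKP"`. Restoring the pref in a `try`/`finally` would also keep a failure here from leaking the disabled state into the tasks that follow.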
--- a/security/manager/ssl/tests/unit/test_ocsp_must_staple.js +++ b/security/manager/ssl/tests/unit/test_ocsp_must_staple.js @@ -28,6 +28,7 @@ function add_tests() { PRErrorCodeSuccess, true); add_test(() => { + Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true); Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 1); Services.prefs.setBoolPref("security.cert_pinning.process_headers_from_non_builtin_roots", true); let uri = Services.io.newURI("https://ocsp-stapling-must-staple-ee-with-must-staple-int.example.com", @@ -45,6 +46,7 @@ function add_tests() { // Clear accumulated state. ssservice.removeState(Ci.nsISiteSecurityService.HEADER_HPKP, uri, 0); + Services.prefs.clearUserPref("security.cert_pinning.hpkp.enabled"); Services.prefs.clearUserPref("security.cert_pinning.process_headers_from_non_builtin_roots"); Services.prefs.clearUserPref("security.cert_pinning.enforcement_level"); run_next_test(); diff --git a/security/manager/ssl/tests/unit/test_pinning.js b/security/manager/ssl/tests/unit/test_pinning.js index 4d3c2fac8..f18182002 100644 --- a/security/manager/ssl/tests/unit/test_pinning.js +++ b/security/manager/ssl/tests/unit/test_pinning.js @@ -246,6 +246,9 @@ function check_pinning_telemetry() { } function run_test() { + // Ensure that static pinning works when HPKP is disabled. + Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", false); + add_tls_server_setup("BadCertServer", "bad_certs"); // Add a user-specified trust anchor. diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic.js b/security/manager/ssl/tests/unit/test_pinning_dynamic.js index 2c314b53a..7333ad6b3 100644 --- a/security/manager/ssl/tests/unit/test_pinning_dynamic.js +++ b/security/manager/ssl/tests/unit/test_pinning_dynamic.js 
@@ -41,6 +41,7 @@ const NON_ISSUED_KEY_HASH = "KHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAN="; const PINNING_ROOT_KEY_HASH = "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8="; function run_test() { + Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true); Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2); let stateFile = profileDir.clone(); diff --git a/security/manager/ssl/tests/unit/test_pinning_header_parsing.js b/security/manager/ssl/tests/unit/test_pinning_header_parsing.js index fb4b32353..0dcf6993b 100644 --- a/security/manager/ssl/tests/unit/test_pinning_header_parsing.js +++ b/security/manager/ssl/tests/unit/test_pinning_header_parsing.js @@ -98,6 +98,7 @@ const REPORT_URI = "report-uri=\"https://www.example.com/report/\";"; const UNRECOGNIZED_DIRECTIVE = "unreconized-dir=12343;"; function run_test() { + Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true); Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2); Services.prefs.setIntPref("security.cert_pinning.max_max_age_seconds", MAX_MAX_AGE_SECONDS); Services.prefs.setBoolPref("security.cert_pinning.process_headers_from_non_builtin_roots", true); @@ -138,4 +139,9 @@ function run_test() { checkPassSettingPin(VALID_PIN1 + GOOD_MAX_AGE + BACKUP_PIN2 + REPORT_URI + INCLUDE_SUBDOMAINS); checkPassSettingPin(INCLUDE_SUBDOMAINS + VALID_PIN1 + GOOD_MAX_AGE + BACKUP_PIN2); checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1 + UNRECOGNIZED_DIRECTIVE); + + Services.prefs.clearUserPref("security.cert_pinning.hpkp.enabled"); + Services.prefs.clearUserPref("security.cert_pinning.enforcement_level"); + Services.prefs.clearUserPref("security.cert_pinning.max_max_age_seconds"); + Services.prefs.clearUserPref("security.cert_pinning.process_headers_from_non_builtin_roots"); } diff --git a/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js b/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js index d4165f7f4..1ca277da4 100644 
--- a/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js +++ b/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js @@ -31,6 +31,7 @@ function checkStateRead(aSubject, aTopic, aData) { } function run_test() { + Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true); let profileDir = do_get_profile(); let stateFile = profileDir.clone(); stateFile.append(SSS_STATE_FILE_NAME); diff --git a/security/manager/ssl/tests/unit/test_sss_savestate.js b/security/manager/ssl/tests/unit/test_sss_savestate.js index a4d8b5297..fefa64ea6 100644 --- a/security/manager/ssl/tests/unit/test_sss_savestate.js +++ b/security/manager/ssl/tests/unit/test_sss_savestate.js @@ -96,6 +96,7 @@ function checkStateWritten(aSubject, aTopic, aData) { } function run_test() { + Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true); Services.prefs.setIntPref("test.datastorage.write_timer_ms", 100); gProfileDir = do_get_profile(); let SSService = Cc["@mozilla.org/ssservice;1"] |