From 99bad1726e897a82239e543a7a8e8fea36b797c0 Mon Sep 17 00:00:00 2001
From: wolfbeast
Date: Sat, 28 Mar 2020 01:06:56 +0100
Subject: Issue #1280 - Part 1: Remove HPKP components. This also removes leftover plumbing for storing preload information in SiteSecurityService since no service still uses it.
---
 security/certverifier/NSSCertDBTrustDomain.cpp | 19 -------------------
 1 file changed, 19 deletions(-)
(limited to 'security/certverifier/NSSCertDBTrustDomain.cpp')
diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp
index cf48f6392..fff75ee88 100644
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -12,7 +12,6 @@
 #include "NSSErrorsService.h"
 #include "OCSPRequestor.h"
 #include "OCSPVerificationTrustDomain.h"
-#include "PublicKeyPinningService.h"
 #include "cert.h"
 #include "certdb.h"
 #include "mozilla/Assertions.h"
@@ -862,24 +861,6 @@ NSSCertDBTrustDomain::IsChainValid(const DERArray& certArray, Time time)
 if (rv != Success) {
 return rv;
 }
- bool skipPinningChecksBecauseOfMITMMode =
- (!isBuiltInRoot && mPinningMode == CertVerifier::pinningAllowUserCAMITM);
- // If mHostname isn't set, we're not verifying in the context of a TLS
- // handshake, so don't verify HPKP in those cases.
- if (mHostname && (mPinningMode != CertVerifier::pinningDisabled) &&
- !skipPinningChecksBecauseOfMITMMode) {
- bool enforceTestMode =
- (mPinningMode == CertVerifier::pinningEnforceTestMode);
- bool chainHasValidPins;
- nsresult nsrv = PublicKeyPinningService::ChainHasValidPins(
- certList, mHostname, time, enforceTestMode, chainHasValidPins);
- if (NS_FAILED(nsrv)) {
- return Result::FATAL_ERROR_LIBRARY_FAILURE;
- }
- if (!chainHasValidPins) {
- return Result::ERROR_KEY_PINNING_FAILURE;
- }
- }
 mBuiltChain = Move(certList);
--
cgit v1.2.3