Get rid of HPKP pinning mode.
This commit is contained in:
parent
3b45cb2e77
commit
2290a2a266
|
@ -41,7 +41,6 @@ CertVerifier::CertVerifier(OcspDownloadConfig odc,
|
||||||
OcspStrictConfig osc,
|
OcspStrictConfig osc,
|
||||||
OcspGetConfig ogc,
|
OcspGetConfig ogc,
|
||||||
uint32_t certShortLifetimeInDays,
|
uint32_t certShortLifetimeInDays,
|
||||||
PinningMode pinningMode,
|
|
||||||
SHA1Mode sha1Mode,
|
SHA1Mode sha1Mode,
|
||||||
BRNameMatchingPolicy::Mode nameMatchingMode,
|
BRNameMatchingPolicy::Mode nameMatchingMode,
|
||||||
NetscapeStepUpPolicy netscapeStepUpPolicy,
|
NetscapeStepUpPolicy netscapeStepUpPolicy,
|
||||||
|
@ -50,7 +49,6 @@ CertVerifier::CertVerifier(OcspDownloadConfig odc,
|
||||||
, mOCSPStrict(osc == ocspStrict)
|
, mOCSPStrict(osc == ocspStrict)
|
||||||
, mOCSPGETEnabled(ogc == ocspGetEnabled)
|
, mOCSPGETEnabled(ogc == ocspGetEnabled)
|
||||||
, mCertShortLifetimeInDays(certShortLifetimeInDays)
|
, mCertShortLifetimeInDays(certShortLifetimeInDays)
|
||||||
, mPinningMode(pinningMode)
|
|
||||||
, mSHA1Mode(sha1Mode)
|
, mSHA1Mode(sha1Mode)
|
||||||
, mNameMatchingMode(nameMatchingMode)
|
, mNameMatchingMode(nameMatchingMode)
|
||||||
, mNetscapeStepUpPolicy(netscapeStepUpPolicy)
|
, mNetscapeStepUpPolicy(netscapeStepUpPolicy)
|
||||||
|
@ -416,7 +414,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
|
||||||
NSSCertDBTrustDomain trustDomain(trustEmail, defaultOCSPFetching,
|
NSSCertDBTrustDomain trustDomain(trustEmail, defaultOCSPFetching,
|
||||||
mOCSPCache, pinArg, ocspGETConfig,
|
mOCSPCache, pinArg, ocspGETConfig,
|
||||||
mCertShortLifetimeInDays,
|
mCertShortLifetimeInDays,
|
||||||
pinningDisabled, MIN_RSA_BITS_WEAK,
|
MIN_RSA_BITS_WEAK,
|
||||||
ValidityCheckingMode::CheckingOff,
|
ValidityCheckingMode::CheckingOff,
|
||||||
SHA1Mode::Allowed,
|
SHA1Mode::Allowed,
|
||||||
NetscapeStepUpPolicy::NeverMatch,
|
NetscapeStepUpPolicy::NeverMatch,
|
||||||
|
@ -485,7 +483,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
|
||||||
NSSCertDBTrustDomain
|
NSSCertDBTrustDomain
|
||||||
trustDomain(trustSSL, evOCSPFetching,
|
trustDomain(trustSSL, evOCSPFetching,
|
||||||
mOCSPCache, pinArg, ocspGETConfig,
|
mOCSPCache, pinArg, ocspGETConfig,
|
||||||
mCertShortLifetimeInDays, mPinningMode, MIN_RSA_BITS,
|
mCertShortLifetimeInDays, MIN_RSA_BITS,
|
||||||
ValidityCheckingMode::CheckForEV,
|
ValidityCheckingMode::CheckForEV,
|
||||||
sha1ModeConfigurations[i], mNetscapeStepUpPolicy,
|
sha1ModeConfigurations[i], mNetscapeStepUpPolicy,
|
||||||
originAttributes, builtChain);
|
originAttributes, builtChain);
|
||||||
|
@ -566,7 +564,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
|
||||||
NSSCertDBTrustDomain trustDomain(trustSSL, defaultOCSPFetching,
|
NSSCertDBTrustDomain trustDomain(trustSSL, defaultOCSPFetching,
|
||||||
mOCSPCache, pinArg, ocspGETConfig,
|
mOCSPCache, pinArg, ocspGETConfig,
|
||||||
mCertShortLifetimeInDays,
|
mCertShortLifetimeInDays,
|
||||||
mPinningMode, keySizeOptions[i],
|
keySizeOptions[i],
|
||||||
ValidityCheckingMode::CheckingOff,
|
ValidityCheckingMode::CheckingOff,
|
||||||
sha1ModeConfigurations[j],
|
sha1ModeConfigurations[j],
|
||||||
mNetscapeStepUpPolicy,
|
mNetscapeStepUpPolicy,
|
||||||
|
@ -629,7 +627,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
|
||||||
NSSCertDBTrustDomain trustDomain(trustSSL, defaultOCSPFetching,
|
NSSCertDBTrustDomain trustDomain(trustSSL, defaultOCSPFetching,
|
||||||
mOCSPCache, pinArg, ocspGETConfig,
|
mOCSPCache, pinArg, ocspGETConfig,
|
||||||
mCertShortLifetimeInDays,
|
mCertShortLifetimeInDays,
|
||||||
pinningDisabled, MIN_RSA_BITS_WEAK,
|
MIN_RSA_BITS_WEAK,
|
||||||
ValidityCheckingMode::CheckingOff,
|
ValidityCheckingMode::CheckingOff,
|
||||||
SHA1Mode::Allowed, mNetscapeStepUpPolicy,
|
SHA1Mode::Allowed, mNetscapeStepUpPolicy,
|
||||||
originAttributes, builtChain);
|
originAttributes, builtChain);
|
||||||
|
@ -644,7 +642,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
|
||||||
NSSCertDBTrustDomain trustDomain(trustEmail, defaultOCSPFetching,
|
NSSCertDBTrustDomain trustDomain(trustEmail, defaultOCSPFetching,
|
||||||
mOCSPCache, pinArg, ocspGETConfig,
|
mOCSPCache, pinArg, ocspGETConfig,
|
||||||
mCertShortLifetimeInDays,
|
mCertShortLifetimeInDays,
|
||||||
pinningDisabled, MIN_RSA_BITS_WEAK,
|
MIN_RSA_BITS_WEAK,
|
||||||
ValidityCheckingMode::CheckingOff,
|
ValidityCheckingMode::CheckingOff,
|
||||||
SHA1Mode::Allowed,
|
SHA1Mode::Allowed,
|
||||||
NetscapeStepUpPolicy::NeverMatch,
|
NetscapeStepUpPolicy::NeverMatch,
|
||||||
|
@ -671,7 +669,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
|
||||||
NSSCertDBTrustDomain trustDomain(trustEmail, defaultOCSPFetching,
|
NSSCertDBTrustDomain trustDomain(trustEmail, defaultOCSPFetching,
|
||||||
mOCSPCache, pinArg, ocspGETConfig,
|
mOCSPCache, pinArg, ocspGETConfig,
|
||||||
mCertShortLifetimeInDays,
|
mCertShortLifetimeInDays,
|
||||||
pinningDisabled, MIN_RSA_BITS_WEAK,
|
MIN_RSA_BITS_WEAK,
|
||||||
ValidityCheckingMode::CheckingOff,
|
ValidityCheckingMode::CheckingOff,
|
||||||
SHA1Mode::Allowed,
|
SHA1Mode::Allowed,
|
||||||
NetscapeStepUpPolicy::NeverMatch,
|
NetscapeStepUpPolicy::NeverMatch,
|
||||||
|
@ -695,7 +693,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
|
||||||
NSSCertDBTrustDomain trustDomain(trustObjectSigning, defaultOCSPFetching,
|
NSSCertDBTrustDomain trustDomain(trustObjectSigning, defaultOCSPFetching,
|
||||||
mOCSPCache, pinArg, ocspGETConfig,
|
mOCSPCache, pinArg, ocspGETConfig,
|
||||||
mCertShortLifetimeInDays,
|
mCertShortLifetimeInDays,
|
||||||
pinningDisabled, MIN_RSA_BITS_WEAK,
|
MIN_RSA_BITS_WEAK,
|
||||||
ValidityCheckingMode::CheckingOff,
|
ValidityCheckingMode::CheckingOff,
|
||||||
SHA1Mode::Allowed,
|
SHA1Mode::Allowed,
|
||||||
NetscapeStepUpPolicy::NeverMatch,
|
NetscapeStepUpPolicy::NeverMatch,
|
||||||
|
@ -728,7 +726,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
|
||||||
|
|
||||||
NSSCertDBTrustDomain sslTrust(trustSSL, defaultOCSPFetching, mOCSPCache,
|
NSSCertDBTrustDomain sslTrust(trustSSL, defaultOCSPFetching, mOCSPCache,
|
||||||
pinArg, ocspGETConfig, mCertShortLifetimeInDays,
|
pinArg, ocspGETConfig, mCertShortLifetimeInDays,
|
||||||
pinningDisabled, MIN_RSA_BITS_WEAK,
|
MIN_RSA_BITS_WEAK,
|
||||||
ValidityCheckingMode::CheckingOff,
|
ValidityCheckingMode::CheckingOff,
|
||||||
SHA1Mode::Allowed,
|
SHA1Mode::Allowed,
|
||||||
NetscapeStepUpPolicy::NeverMatch,
|
NetscapeStepUpPolicy::NeverMatch,
|
||||||
|
@ -740,7 +738,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
|
||||||
NSSCertDBTrustDomain emailTrust(trustEmail, defaultOCSPFetching,
|
NSSCertDBTrustDomain emailTrust(trustEmail, defaultOCSPFetching,
|
||||||
mOCSPCache, pinArg, ocspGETConfig,
|
mOCSPCache, pinArg, ocspGETConfig,
|
||||||
mCertShortLifetimeInDays,
|
mCertShortLifetimeInDays,
|
||||||
pinningDisabled, MIN_RSA_BITS_WEAK,
|
MIN_RSA_BITS_WEAK,
|
||||||
ValidityCheckingMode::CheckingOff,
|
ValidityCheckingMode::CheckingOff,
|
||||||
SHA1Mode::Allowed,
|
SHA1Mode::Allowed,
|
||||||
NetscapeStepUpPolicy::NeverMatch,
|
NetscapeStepUpPolicy::NeverMatch,
|
||||||
|
@ -753,7 +751,6 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
|
||||||
defaultOCSPFetching, mOCSPCache,
|
defaultOCSPFetching, mOCSPCache,
|
||||||
pinArg, ocspGETConfig,
|
pinArg, ocspGETConfig,
|
||||||
mCertShortLifetimeInDays,
|
mCertShortLifetimeInDays,
|
||||||
pinningDisabled,
|
|
||||||
MIN_RSA_BITS_WEAK,
|
MIN_RSA_BITS_WEAK,
|
||||||
ValidityCheckingMode::CheckingOff,
|
ValidityCheckingMode::CheckingOff,
|
||||||
SHA1Mode::Allowed,
|
SHA1Mode::Allowed,
|
||||||
|
|
|
@ -139,13 +139,6 @@ public:
|
||||||
/*optional out*/ SHA1ModeResult* sha1ModeResult = nullptr,
|
/*optional out*/ SHA1ModeResult* sha1ModeResult = nullptr,
|
||||||
/*optional out*/ CertificateTransparencyInfo* ctInfo = nullptr);
|
/*optional out*/ CertificateTransparencyInfo* ctInfo = nullptr);
|
||||||
|
|
||||||
enum PinningMode {
|
|
||||||
pinningDisabled = 0,
|
|
||||||
pinningAllowUserCAMITM = 1,
|
|
||||||
pinningStrict = 2,
|
|
||||||
pinningEnforceTestMode = 3
|
|
||||||
};
|
|
||||||
|
|
||||||
enum class SHA1Mode {
|
enum class SHA1Mode {
|
||||||
Allowed = 0,
|
Allowed = 0,
|
||||||
Forbidden = 1,
|
Forbidden = 1,
|
||||||
|
@ -172,7 +165,7 @@ public:
|
||||||
|
|
||||||
CertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc,
|
CertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc,
|
||||||
OcspGetConfig ogc, uint32_t certShortLifetimeInDays,
|
OcspGetConfig ogc, uint32_t certShortLifetimeInDays,
|
||||||
PinningMode pinningMode, SHA1Mode sha1Mode,
|
SHA1Mode sha1Mode,
|
||||||
BRNameMatchingPolicy::Mode nameMatchingMode,
|
BRNameMatchingPolicy::Mode nameMatchingMode,
|
||||||
NetscapeStepUpPolicy netscapeStepUpPolicy,
|
NetscapeStepUpPolicy netscapeStepUpPolicy,
|
||||||
CertificateTransparencyMode ctMode);
|
CertificateTransparencyMode ctMode);
|
||||||
|
@ -184,7 +177,6 @@ public:
|
||||||
const bool mOCSPStrict;
|
const bool mOCSPStrict;
|
||||||
const bool mOCSPGETEnabled;
|
const bool mOCSPGETEnabled;
|
||||||
const uint32_t mCertShortLifetimeInDays;
|
const uint32_t mCertShortLifetimeInDays;
|
||||||
const PinningMode mPinningMode;
|
|
||||||
const SHA1Mode mSHA1Mode;
|
const SHA1Mode mSHA1Mode;
|
||||||
const BRNameMatchingPolicy::Mode mNameMatchingMode;
|
const BRNameMatchingPolicy::Mode mNameMatchingMode;
|
||||||
const NetscapeStepUpPolicy mNetscapeStepUpPolicy;
|
const NetscapeStepUpPolicy mNetscapeStepUpPolicy;
|
||||||
|
@ -214,8 +206,7 @@ private:
|
||||||
|
|
||||||
mozilla::pkix::Result IsCertBuiltInRoot(CERTCertificate* cert, bool& result);
|
mozilla::pkix::Result IsCertBuiltInRoot(CERTCertificate* cert, bool& result);
|
||||||
mozilla::pkix::Result CertListContainsExpectedKeys(
|
mozilla::pkix::Result CertListContainsExpectedKeys(
|
||||||
const CERTCertList* certList, const char* hostname, mozilla::pkix::Time time,
|
const CERTCertList* certList, const char* hostname, mozilla::pkix::Time time);
|
||||||
CertVerifier::PinningMode pinningMode);
|
|
||||||
|
|
||||||
} } // namespace mozilla::psm
|
} } // namespace mozilla::psm
|
||||||
|
|
||||||
|
|
|
@ -51,7 +51,6 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(SECTrustType certDBTrustType,
|
||||||
/*optional but shouldn't be*/ void* pinArg,
|
/*optional but shouldn't be*/ void* pinArg,
|
||||||
CertVerifier::OcspGetConfig ocspGETConfig,
|
CertVerifier::OcspGetConfig ocspGETConfig,
|
||||||
uint32_t certShortLifetimeInDays,
|
uint32_t certShortLifetimeInDays,
|
||||||
CertVerifier::PinningMode pinningMode,
|
|
||||||
unsigned int minRSABits,
|
unsigned int minRSABits,
|
||||||
ValidityCheckingMode validityCheckingMode,
|
ValidityCheckingMode validityCheckingMode,
|
||||||
CertVerifier::SHA1Mode sha1Mode,
|
CertVerifier::SHA1Mode sha1Mode,
|
||||||
|
@ -64,7 +63,6 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(SECTrustType certDBTrustType,
|
||||||
, mPinArg(pinArg)
|
, mPinArg(pinArg)
|
||||||
, mOCSPGetConfig(ocspGETConfig)
|
, mOCSPGetConfig(ocspGETConfig)
|
||||||
, mCertShortLifetimeInDays(certShortLifetimeInDays)
|
, mCertShortLifetimeInDays(certShortLifetimeInDays)
|
||||||
, mPinningMode(pinningMode)
|
|
||||||
, mMinRSABits(minRSABits)
|
, mMinRSABits(minRSABits)
|
||||||
, mValidityCheckingMode(validityCheckingMode)
|
, mValidityCheckingMode(validityCheckingMode)
|
||||||
, mSHA1Mode(sha1Mode)
|
, mSHA1Mode(sha1Mode)
|
||||||
|
|
|
@ -76,7 +76,6 @@ public:
|
||||||
OCSPCache& ocspCache, void* pinArg,
|
OCSPCache& ocspCache, void* pinArg,
|
||||||
CertVerifier::OcspGetConfig ocspGETConfig,
|
CertVerifier::OcspGetConfig ocspGETConfig,
|
||||||
uint32_t certShortLifetimeInDays,
|
uint32_t certShortLifetimeInDays,
|
||||||
CertVerifier::PinningMode pinningMode,
|
|
||||||
unsigned int minRSABits,
|
unsigned int minRSABits,
|
||||||
ValidityCheckingMode validityCheckingMode,
|
ValidityCheckingMode validityCheckingMode,
|
||||||
CertVerifier::SHA1Mode sha1Mode,
|
CertVerifier::SHA1Mode sha1Mode,
|
||||||
|
@ -178,7 +177,6 @@ private:
|
||||||
void* mPinArg; // non-owning!
|
void* mPinArg; // non-owning!
|
||||||
const CertVerifier::OcspGetConfig mOCSPGetConfig;
|
const CertVerifier::OcspGetConfig mOCSPGetConfig;
|
||||||
const uint32_t mCertShortLifetimeInDays;
|
const uint32_t mCertShortLifetimeInDays;
|
||||||
CertVerifier::PinningMode mPinningMode;
|
|
||||||
const unsigned int mMinRSABits;
|
const unsigned int mMinRSABits;
|
||||||
ValidityCheckingMode mValidityCheckingMode;
|
ValidityCheckingMode mValidityCheckingMode;
|
||||||
CertVerifier::SHA1Mode mSHA1Mode;
|
CertVerifier::SHA1Mode mSHA1Mode;
|
||||||
|
|
|
@ -20,12 +20,12 @@ public:
|
||||||
|
|
||||||
SharedCertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc,
|
SharedCertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc,
|
||||||
OcspGetConfig ogc, uint32_t certShortLifetimeInDays,
|
OcspGetConfig ogc, uint32_t certShortLifetimeInDays,
|
||||||
PinningMode pinningMode, SHA1Mode sha1Mode,
|
SHA1Mode sha1Mode,
|
||||||
BRNameMatchingPolicy::Mode nameMatchingMode,
|
BRNameMatchingPolicy::Mode nameMatchingMode,
|
||||||
NetscapeStepUpPolicy netscapeStepUpPolicy,
|
NetscapeStepUpPolicy netscapeStepUpPolicy,
|
||||||
CertificateTransparencyMode ctMode)
|
CertificateTransparencyMode ctMode)
|
||||||
: mozilla::psm::CertVerifier(odc, osc, ogc, certShortLifetimeInDays,
|
: mozilla::psm::CertVerifier(odc, osc, ogc, certShortLifetimeInDays,
|
||||||
pinningMode, sha1Mode, nameMatchingMode,
|
sha1Mode, nameMatchingMode,
|
||||||
netscapeStepUpPolicy, ctMode)
|
netscapeStepUpPolicy, ctMode)
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
|
@ -1588,14 +1588,6 @@ void nsNSSComponent::setValidationOptions(bool isInitialSetting,
|
||||||
PublicSSLState()->SetSignedCertTimestampsEnabled(sctsEnabled);
|
PublicSSLState()->SetSignedCertTimestampsEnabled(sctsEnabled);
|
||||||
PrivateSSLState()->SetSignedCertTimestampsEnabled(sctsEnabled);
|
PrivateSSLState()->SetSignedCertTimestampsEnabled(sctsEnabled);
|
||||||
|
|
||||||
CertVerifier::PinningMode pinningMode =
|
|
||||||
static_cast<CertVerifier::PinningMode>
|
|
||||||
(Preferences::GetInt("security.cert_pinning.enforcement_level",
|
|
||||||
CertVerifier::pinningDisabled));
|
|
||||||
if (pinningMode > CertVerifier::pinningEnforceTestMode) {
|
|
||||||
pinningMode = CertVerifier::pinningDisabled;
|
|
||||||
}
|
|
||||||
|
|
||||||
CertVerifier::SHA1Mode sha1Mode = static_cast<CertVerifier::SHA1Mode>
|
CertVerifier::SHA1Mode sha1Mode = static_cast<CertVerifier::SHA1Mode>
|
||||||
(Preferences::GetInt("security.pki.sha1_enforcement_level",
|
(Preferences::GetInt("security.pki.sha1_enforcement_level",
|
||||||
static_cast<int32_t>(CertVerifier::SHA1Mode::Allowed)));
|
static_cast<int32_t>(CertVerifier::SHA1Mode::Allowed)));
|
||||||
|
@ -1655,7 +1647,7 @@ void nsNSSComponent::setValidationOptions(bool isInitialSetting,
|
||||||
lock);
|
lock);
|
||||||
mDefaultCertVerifier = new SharedCertVerifier(odc, osc, ogc,
|
mDefaultCertVerifier = new SharedCertVerifier(odc, osc, ogc,
|
||||||
certShortLifetimeInDays,
|
certShortLifetimeInDays,
|
||||||
pinningMode, sha1Mode,
|
sha1Mode,
|
||||||
nameMatchingMode,
|
nameMatchingMode,
|
||||||
netscapeStepUpPolicy,
|
netscapeStepUpPolicy,
|
||||||
ctMode);
|
ctMode);
|
||||||
|
|
|
@ -87,8 +87,6 @@ SiteHSTSState::ToString(nsCString& aString)
|
||||||
|
|
||||||
////////////////////////////////////////////////////////////////////////////////
|
////////////////////////////////////////////////////////////////////////////////
|
||||||
|
|
||||||
const uint64_t kSixtyDaysInSeconds = 60 * 24 * 60 * 60;
|
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
HostIsIPAddress(const char *hostname)
|
HostIsIPAddress(const char *hostname)
|
||||||
{
|
{
|
||||||
|
@ -398,8 +396,6 @@ ParseSSSHeaders(uint32_t aType,
|
||||||
// Unrecognized directives (that are otherwise syntactically valid) are
|
// Unrecognized directives (that are otherwise syntactically valid) are
|
||||||
// ignored, and the rest of the header is parsed as normal.
|
// ignored, and the rest of the header is parsed as normal.
|
||||||
|
|
||||||
bool foundReportURI = false;
|
|
||||||
|
|
||||||
NS_NAMED_LITERAL_CSTRING(max_age_var, "max-age");
|
NS_NAMED_LITERAL_CSTRING(max_age_var, "max-age");
|
||||||
NS_NAMED_LITERAL_CSTRING(include_subd_var, "includesubdomains");
|
NS_NAMED_LITERAL_CSTRING(include_subd_var, "includesubdomains");
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue