зеркало из https://github.com/mozilla/gecko-dev.git
bug 1278041 - skip TLS Feature checks so HPKP can be set r=mgoodwin
This is safe because TLS Feature checks have already been done when connecting to the site in the first place. MozReview-Commit-ID: HfbcrAv4bCJ --HG-- extra : rebase_source : d1f22c1a4e2c8535e10bd071c937a1aac7b8e2fd
This commit is contained in:
Родитель
3737a41c35
Коммит
540b8f3d01
|
@ -702,12 +702,20 @@ nsSiteSecurityService::ProcessPKPHeader(nsIURI* aSourceURI,
|
|||
UniqueCERTCertList certList;
|
||||
RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
|
||||
NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED);
|
||||
// We don't want this verification to cause any network traffic that would
|
||||
// block execution. Also, since we don't have access to the original stapled
|
||||
// OCSP response, we can't enforce this aspect of the TLS Feature extension.
|
||||
// This is ok, because it will have been enforced when we originally connected
|
||||
// to the site (or it's disabled, in which case we wouldn't want to enforce it
|
||||
// anyway).
|
||||
CertVerifier::Flags flags = CertVerifier::FLAG_LOCAL_ONLY |
|
||||
CertVerifier::FLAG_TLS_IGNORE_STATUS_REQUEST;
|
||||
if (certVerifier->VerifySSLServerCert(nssCert, nullptr, // stapled ocsp
|
||||
now, nullptr, // pinarg
|
||||
host.get(), // hostname
|
||||
certList,
|
||||
false, // don't store intermediates
|
||||
CertVerifier::FLAG_LOCAL_ONLY)
|
||||
flags)
|
||||
!= SECSuccess) {
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
|
|
|
@ -27,6 +27,29 @@ function add_tests() {
|
|||
add_ocsp_test("ocsp-stapling-must-staple-ee-with-must-staple-int.example.com",
|
||||
PRErrorCodeSuccess, true);
|
||||
|
||||
add_test(() => {
|
||||
Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 1);
|
||||
Services.prefs.setBoolPref("security.cert_pinning.process_headers_from_non_builtin_roots", true);
|
||||
let uri = Services.io.newURI("https://ocsp-stapling-must-staple-ee-with-must-staple-int.example.com",
|
||||
null, null);
|
||||
let keyHash = "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=";
|
||||
let backupKeyHash = "KHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAN=";
|
||||
let header = `max-age=1000; pin-sha256="${keyHash}"; pin-sha256="${backupKeyHash}"`;
|
||||
let ssservice = Cc["@mozilla.org/ssservice;1"]
|
||||
.getService(Ci.nsISiteSecurityService);
|
||||
let sslStatus = new FakeSSLStatus();
|
||||
sslStatus.serverCert = constructCertFromFile("ocsp_certs/must-staple-ee-with-must-staple-int.pem");
|
||||
ssservice.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri, header, sslStatus, 0);
|
||||
ok(ssservice.isSecureURI(Ci.nsISiteSecurityService.HEADER_HPKP, uri, 0),
|
||||
"ocsp-stapling-must-staple-ee-with-must-staple-int.example.com should have HPKP set");
|
||||
|
||||
// Clear accumulated state.
|
||||
ssservice.removeState(Ci.nsISiteSecurityService.HEADER_HPKP, uri, 0);
|
||||
Services.prefs.clearUserPref("security.cert_pinning.process_headers_from_non_builtin_roots");
|
||||
Services.prefs.clearUserPref("security.cert_pinning.enforcement_level");
|
||||
run_next_test();
|
||||
});
|
||||
|
||||
// Next, a case where it's present in the intermediate, not the ee
|
||||
add_ocsp_test("ocsp-stapling-plain-ee-with-must-staple-int.example.com",
|
||||
MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING, true);
|
||||
|
|
Загрузка…
Ссылка в новой задаче