bug 1278041 - skip TLS Feature checks so HPKP can be set r=mgoodwin

This is safe because TLS Feature checks have already been done when connecting
to the site in the first place.

MozReview-Commit-ID: HfbcrAv4bCJ

--HG--
extra : rebase_source : d1f22c1a4e2c8535e10bd071c937a1aac7b8e2fd
This commit is contained in:
David Keeler 2016-06-20 16:36:36 -07:00
Родитель 3737a41c35
Коммит 540b8f3d01
2 изменённых файлов: 32 добавлений и 1 удалений

Просмотреть файл

@ -702,12 +702,20 @@ nsSiteSecurityService::ProcessPKPHeader(nsIURI* aSourceURI,
UniqueCERTCertList certList;
RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED);
// We don't want this verification to cause any network traffic that would
// block execution. Also, since we don't have access to the original stapled
// OCSP response, we can't enforce this aspect of the TLS Feature extension.
// This is ok, because it will have been enforced when we originally connected
// to the site (or it's disabled, in which case we wouldn't want to enforce it
// anyway).
CertVerifier::Flags flags = CertVerifier::FLAG_LOCAL_ONLY |
CertVerifier::FLAG_TLS_IGNORE_STATUS_REQUEST;
if (certVerifier->VerifySSLServerCert(nssCert, nullptr, // stapled ocsp
now, nullptr, // pinarg
host.get(), // hostname
certList,
false, // don't store intermediates
CertVerifier::FLAG_LOCAL_ONLY)
flags)
!= SECSuccess) {
return NS_ERROR_FAILURE;
}

Просмотреть файл

@ -27,6 +27,29 @@ function add_tests() {
add_ocsp_test("ocsp-stapling-must-staple-ee-with-must-staple-int.example.com",
PRErrorCodeSuccess, true);
add_test(() => {
Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 1);
Services.prefs.setBoolPref("security.cert_pinning.process_headers_from_non_builtin_roots", true);
let uri = Services.io.newURI("https://ocsp-stapling-must-staple-ee-with-must-staple-int.example.com",
null, null);
let keyHash = "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=";
let backupKeyHash = "KHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAN=";
let header = `max-age=1000; pin-sha256="${keyHash}"; pin-sha256="${backupKeyHash}"`;
let ssservice = Cc["@mozilla.org/ssservice;1"]
.getService(Ci.nsISiteSecurityService);
let sslStatus = new FakeSSLStatus();
sslStatus.serverCert = constructCertFromFile("ocsp_certs/must-staple-ee-with-must-staple-int.pem");
ssservice.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri, header, sslStatus, 0);
ok(ssservice.isSecureURI(Ci.nsISiteSecurityService.HEADER_HPKP, uri, 0),
"ocsp-stapling-must-staple-ee-with-must-staple-int.example.com should have HPKP set");
// Clear accumulated state.
ssservice.removeState(Ci.nsISiteSecurityService.HEADER_HPKP, uri, 0);
Services.prefs.clearUserPref("security.cert_pinning.process_headers_from_non_builtin_roots");
Services.prefs.clearUserPref("security.cert_pinning.enforcement_level");
run_next_test();
});
// Next, a case where it's present in the intermediate, not the ee
add_ocsp_test("ocsp-stapling-plain-ee-with-must-staple-int.example.com",
MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING, true);