diff --git a/security/manager/ssl/nsSiteSecurityService.cpp b/security/manager/ssl/nsSiteSecurityService.cpp
index 974a07e4ceee..8f0816b3ac7e 100644
--- a/security/manager/ssl/nsSiteSecurityService.cpp
+++ b/security/manager/ssl/nsSiteSecurityService.cpp
@@ -702,12 +702,20 @@ nsSiteSecurityService::ProcessPKPHeader(nsIURI* aSourceURI,
 UniqueCERTCertList certList;
 RefPtr certVerifier(GetDefaultCertVerifier());
 NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED);
+ // We don't want this verification to cause any network traffic that would
+ // block execution. Also, since we don't have access to the original stapled
+ // OCSP response, we can't enforce this aspect of the TLS Feature extension.
+ // This is ok, because it will have been enforced when we originally connected
+ // to the site (or it's disabled, in which case we wouldn't want to enforce it
+ // anyway).
+ CertVerifier::Flags flags = CertVerifier::FLAG_LOCAL_ONLY |
+ CertVerifier::FLAG_TLS_IGNORE_STATUS_REQUEST;
 if (certVerifier->VerifySSLServerCert(nssCert, nullptr, // stapled ocsp
 now, nullptr, // pinarg
 host.get(), // hostname
 certList,
 false, // don't store intermediates
- CertVerifier::FLAG_LOCAL_ONLY)
+ flags)
 != SECSuccess) {
 return NS_ERROR_FAILURE;
 }
diff --git a/security/manager/ssl/tests/unit/test_ocsp_must_staple.js b/security/manager/ssl/tests/unit/test_ocsp_must_staple.js
index 14df7deb7276..24b32d6bcf27 100644
--- a/security/manager/ssl/tests/unit/test_ocsp_must_staple.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_must_staple.js
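Review bot: The justification for `FLAG_TLS_IGNORE_STATUS_REQUEST` in nsSiteSecurityService::ProcessPKPHeader rests on a precondition the new comment does not state: that `nssCert` comes from a connection on which must-staple was already enforced. Nothing in the hunk ties the certificate to a live handshake, and the test added in this same patch calls `processHeader` with a `FakeSSLStatus` and a certificate read from a file, so the claim "it will have been enforced when we originally connected" holds only for callers that pass the real connection status. I would add that to the comment, for example `// Precondition: the caller passes the status of the connection that delivered this header; the must-staple check is not repeated here.` The function starts and ends outside the hunk, so a guard elsewhere in it may already cover this.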
@@ -27,6 +27,29 @@ function add_tests() { add_ocsp_test("ocsp-stapling-must-staple-ee-with-must-staple-int.example.com", PRErrorCodeSuccess, true); + add_test(() => { + Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 1); + Services.prefs.setBoolPref("security.cert_pinning.process_headers_from_non_builtin_roots", true); + let uri = Services.io.newURI("https://ocsp-stapling-must-staple-ee-with-must-staple-int.example.com", + null, null); + let keyHash = "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8="; + let backupKeyHash = "KHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAN="; + let header = `max-age=1000; pin-sha256="${keyHash}"; pin-sha256="${backupKeyHash}"`; + let ssservice = Cc["@mozilla.org/ssservice;1"] + .getService(Ci.nsISiteSecurityService); + let sslStatus = new FakeSSLStatus(); + sslStatus.serverCert = constructCertFromFile("ocsp_certs/must-staple-ee-with-must-staple-int.pem"); + ssservice.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri, header, sslStatus, 0); + ok(ssservice.isSecureURI(Ci.nsISiteSecurityService.HEADER_HPKP, uri, 0), + "ocsp-stapling-must-staple-ee-with-must-staple-int.example.com should have HPKP set"); + + // Clear accumulated state. + ssservice.removeState(Ci.nsISiteSecurityService.HEADER_HPKP, uri, 0); + Services.prefs.clearUserPref("security.cert_pinning.process_headers_from_non_builtin_roots"); + Services.prefs.clearUserPref("security.cert_pinning.enforcement_level"); + run_next_test(); + }); + // Next, a case where it's present in the intermediate, not the ee add_ocsp_test("ocsp-stapling-plain-ee-with-must-staple-int.example.com", MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING, true);
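Review bot: In the added `add_test` callback the cleanup (`removeState` and the two `clearUserPref` calls) and `run_next_test()` are reached only if `processHeader` and the `ok(...)` check complete. The C++ side returns `NS_ERROR_FAILURE` when verification fails, which presumably surfaces in JS as an exception, so the regression this test guards against would leave `security.cert_pinning.enforcement_level` and `security.cert_pinning.process_headers_from_non_builtin_roots` set for the remaining cases in the file. Putting the test body in `try { ... }` and the cleanup plus `run_next_test()` in `finally { ... }` keeps the later must-staple cases independent of this one. A one-line comment above `add_test` saying that it covers HPKP header processing for a must-staple certificate with no stapled response available would also help, since the neighbouring cases are all `add_ocsp_test` calls; `add_tests()` itself starts outside the hunk.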