Bug 1020485: Enable pinning in test mode for accounts.firefox.com (r=keeler)

security/manager/boot/src/StaticHPKPins.h

@@ -475,6 +475,16 @@ static const StaticPinset kPinset_mozilla = {
   &kPinset_mozilla_sha256
 };
 
+static const char* kPinset_mozilla_fxa_sha256_Data[] = {
+  kDigiCert_Global_Root_CAFingerprint,
+};
+static const StaticFingerprints kPinset_mozilla_fxa_sha256 = { 1, kPinset_mozilla_fxa_sha256_Data };
+
+static const StaticPinset kPinset_mozilla_fxa = {
+  nullptr,
+  &kPinset_mozilla_fxa_sha256
+};
+
 static const char* kPinset_mozilla_test_sha256_Data[] = {
   kEnd_Entity_Test_CertFingerprint,
 };
@@ -660,6 +670,7 @@ struct TransportSecurityPreload {
 
 /* Sort hostnames for binary search. */
 static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
+  { "accounts.firefox.com", true, true, false, 4, &kPinset_mozilla_fxa },
   { "accounts.google.com", true, true, false, -1, &kPinset_google_root_pems },
   { "addons.mozilla.net", true, false, true, 2, &kPinset_mozilla },
   { "addons.mozilla.org", true, false, true, 1, &kPinset_mozilla },
@@ -984,8 +995,8 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
   { "ytimg.com", true, true, false, -1, &kPinset_google_root_pems },
 };
 
-static const int kPublicKeyPinningPreloadListLength = 322;
+static const int kPublicKeyPinningPreloadListLength = 323;
 
 static const int32_t kUnknownId = -1;
 
-static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1412704831237000);
+static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1412966638293000);

security/manager/tools/PreloadedHPKPins.json

@@ -9,12 +9,11 @@
 //
 // "pinsets" is a list of objects. Each object has the following members:
 //   name: (string) the name of the pinset
-//   static_spki_hashes: (list of strings) the set of allowed SPKIs hashes
+//   sha256_hashes: (list of strings) the set of allowed SPKIs hashes
 //
 // For a given pinset, a certificate is accepted if at least one of the
-// "static_spki_hashes" SPKIs is found in the chain.
+// Subject Public Key Infos (SPKIs) is found in the chain.  SPKIs are specified
-// SPKIs are specified as names, which must match up with the name given
+// as names, which must match up with the name given in the Mozilla root store.
-// in the Mozilla root store.
 //
 // "entries" is a list of objects. Each object has the following members:
 //   name: (string) the DNS name of the host in question
@@ -78,6 +77,12 @@
         "VeriSign Universal Root Certification Authority"
       ]
     },
+    {
+      "name": "mozilla_fxa",
+      "sha256_hashes": [
+        "DigiCert Global Root CA"
+      ]
+    },
     // For pinning tests on pinning.example.com, the certificate must be 'End
     // Entity Test Cert'
     {
@@ -176,6 +181,8 @@
       "pins": "mozilla", "test_mode": false, "id": 2 },
     { "name": "aus4.mozilla.org", "include_subdomains": true,
       "pins": "mozilla", "test_mode": true, "id": 3 },
+    { "name": "accounts.firefox.com", "include_subdomains": true,
+      "pins": "mozilla_fxa", "test_mode": true, "id": 4 },
     { "name": "cdn.mozilla.net", "include_subdomains": true,
       "pins": "mozilla", "test_mode": false },
     { "name": "cdn.mozilla.org", "include_subdomains": true,