Bug 1083085 - Update where getHSTSPreloadList.js and genHPKPStaticPins.js think Chromium's lists are. r=mmc, a=lsblakk
authorDavid Keeler <dkeeler@mozilla.com>
Tue, 21 Oct 2014 15:20:02 -0700
changeset 233451 31a5a1aa4b8d134451c0d7d80d795b93321b3141
parent 233450 825b125bba70f6bce6e515d59749c607121447eb
child 233452 ed6e7b46e77abfc0f221ac1c46ce226ec96c55f4
push id4187
push userbhearsum@mozilla.com
push dateFri, 28 Nov 2014 15:29:12 +0000
reviewersmmc, lsblakk
bugs1083085
milestone35.0a2
Bug 1083085 - Update where getHSTSPreloadList.js and genHPKPStaticPins.js think Chromium's lists are. r=mmc, a=lsblakk
security/manager/tools/PreloadedHPKPins.json
security/manager/tools/genHPKPStaticPins.js
security/manager/tools/getHSTSPreloadList.js
--- a/security/manager/tools/PreloadedHPKPins.json
+++ b/security/manager/tools/PreloadedHPKPins.json
@@ -24,18 +24,18 @@
 // pinsets that reference certificates not in our root program (for example,
 // Facebook).
 
 // equifax -> aus3
 // Geotrust Primary -> www.mozilla.org
 // Geotrust Global -> *. addons.mozilla.org
 {
   "chromium_data" : {
-    "cert_file_url": "https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.certs",
-    "json_file_url": "https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.json",
+    "cert_file_url": "https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.certs?format=TEXT",
+    "json_file_url": "https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json?format=TEXT",
     "substitute_pinsets": {
       // Use the larger google_root_pems pinset instead of google
       "google": "google_root_pems"
     },
     "production_pinsets": [
       "google_root_pems"
     ],
     "production_domains": [
--- a/security/manager/tools/genHPKPStaticPins.js
+++ b/security/manager/tools/genHPKPStaticPins.js
@@ -127,17 +127,25 @@ function download(filename) {
   catch (e) {
     throw "ERROR: problem downloading '" + filename + "': " + e;
   }
 
   if (req.status != 200) {
     throw("ERROR: problem downloading '" + filename + "': status " +
           req.status);
   }
-  return req.responseText;
+
+  var resultDecoded;
+  try {
+    resultDecoded = atob(req.responseText);
+  }
+  catch (e) {
+    throw "ERROR: could not decode data as base64 from '" + filename + "': " + e;
+  }
+  return resultDecoded;
 }
 
 function downloadAsJson(filename) {
   // we have to filter out '//' comments
   var result = download(filename).replace(/\/\/[^\n]*\n/g, "");
   var data = null;
   try {
     data = JSON.parse(result);
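Review bot: The added atob() call hard-wires the assumption that whatever cert_file_url/json_file_url point at is served base64-encoded, which holds only because the new URLs in PreloadedHPKPins.json carry `?format=TEXT`; nothing in download() records that coupling, so a later switch to a raw-file URL would surface as the misleading "could not decode data as base64" error. A comment before the new try, `// gitiles serves ?format=TEXT responses base64-encoded; decode before use`, would make the dependency explicit. atob() also yields one character per byte, so any non-ASCII bytes in the fetched file would reach the caller (and JSON.parse in downloadAsJson) as Latin-1 rather than UTF-8 — likely harmless for these files, but worth confirming. The same decode block is added to download() in getHSTSPreloadList.js and this note applies there as well. download() begins above this hunk.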
--- a/security/manager/tools/getHSTSPreloadList.js
+++ b/security/manager/tools/getHSTSPreloadList.js
@@ -25,17 +25,17 @@ let mozDir = Cc["@mozilla.org/file/direc
              .get("CurProcD", Ci.nsILocalFile);
 let mozDirURI = ios.newFileURI(mozDir);
 resHandler.setSubstitution("app", mozDirURI);
 
 Cu.import("resource://gre/modules/Services.jsm");
 Cu.import("resource://gre/modules/FileUtils.jsm");
 Cu.import("resource:///modules/XPCOMUtils.jsm");
 
-const SOURCE = "https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.json";
+const SOURCE = "https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json?format=TEXT";
 const OUTPUT = "nsSTSPreloadList.inc";
 const ERROR_OUTPUT = "nsSTSPreloadList.errors";
 const MINIMUM_REQUIRED_MAX_AGE = 60 * 60 * 24 * 7 * 18;
 const MAX_CONCURRENT_REQUESTS = 5;
 const MAX_RETRIES = 3;
 const REQUEST_TIMEOUT = 30 * 1000;
 const ERROR_NONE = "no error";
 const ERROR_CONNECTING_TO_HOST = "could not connect to host";
@@ -72,18 +72,26 @@ function download() {
   catch (e) {
     throw "ERROR: problem downloading '" + SOURCE + "': " + e;
   }
 
   if (req.status != 200) {
     throw "ERROR: problem downloading '" + SOURCE + "': status " + req.status;
   }
 
+  var resultDecoded;
+  try {
+    resultDecoded = atob(req.responseText);
+  }
+  catch (e) {
+    throw "ERROR: could not decode data as base64 from '" + SOURCE + "': " + e;
+  }
+
   // we have to filter out '//' comments
-  var result = req.responseText.replace(/\/\/[^\n]*\n/g, "");
+  var result = resultDecoded.replace(/\/\/[^\n]*\n/g, "");
   var data = null;
   try {
     data = JSON.parse(result);
   }
   catch (e) {
     throw "ERROR: could not parse data from '" + SOURCE + "': " + e;
   }
   return data;
@@ -151,39 +159,50 @@ function processStsHeader(host, header, 
            maxAge: maxAge.value,
            includeSubdomains: includeSubdomains.value,
            error: error,
            retries: host.retries - 1,
            forceInclude: forceInclude,
            originalIncludeSubdomains: host.originalIncludeSubdomains };
 }
 
-function RedirectStopper() {};
+// RedirectAndAuthStopper prevents redirects and HTTP authentication
+function RedirectAndAuthStopper() {};
 
-RedirectStopper.prototype = {
+RedirectAndAuthStopper.prototype = {
   // nsIChannelEventSink
   asyncOnChannelRedirect: function(oldChannel, newChannel, flags, callback) {
     throw Cr.NS_ERROR_ENTITY_CHANGED;
   },
 
+  // nsIAuthPrompt2
+  promptAuth: function(channel, level, authInfo) {
+    return false;
+  },
+
+  asyncPromptAuth: function(channel, callback, context, level, authInfo) {
+    throw Cr.NS_ERROR_NOT_IMPLEMENTED;
+  },
+
   getInterface: function(iid) {
     return this.QueryInterface(iid);
   },
 
-  QueryInterface: XPCOMUtils.generateQI([Ci.nsIChannelEventSink])
+  QueryInterface: XPCOMUtils.generateQI([Ci.nsIChannelEventSink,
+                                         Ci.nsIAuthPrompt2])
 };
 
 function getHSTSStatus(host, resultList) {
   var req = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"]
             .createInstance(Ci.nsIXMLHttpRequest);
   var inResultList = false;
   var uri = "https://" + host.name + "/";
   req.open("GET", uri, true);
   req.timeout = REQUEST_TIMEOUT;
-  req.channel.notificationCallbacks = new RedirectStopper();
+  req.channel.notificationCallbacks = new RedirectAndAuthStopper();
   req.onreadystatechange = function(event) {
     if (!inResultList && req.readyState == 4) {
       inResultList = true;
       var header = req.getResponseHeader("strict-transport-security");
       resultList.push(processStsHeader(host, header, req.status,
                                        req.channel.securityInfo));
     }
   };
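Review bot: The new comment on RedirectAndAuthStopper says what it prevents but not why, and the two nsIAuthPrompt2 methods fail in different ways (promptAuth returns false, asyncPromptAuth throws Cr.NS_ERROR_NOT_IMPLEMENTED) with no explanation of the choice. A comment such as `// Refuse redirects so the HSTS header is read from the requested host itself, and reject any auth challenge so an unattended run never blocks on a prompt (presumed intent — confirm)` would document the contract for the next maintainer. How a refused challenge then shows up in req.status and in processStsHeader is not visible here, so it is worth checking that such hosts are recorded as an error rather than as a host without an HSTS header. The `{};` after the constructor declaration carries over the stray semicolon from the old RedirectStopper; dropping it is a small style cleanup. getHSTSStatus continues past the end of the hunk.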