Bug 1036142: Don't use kPublicKeyPinningPreloadListLength (r=keeler)
authorMonica Chew <mmc@mozilla.com>
Wed, 09 Jul 2014 12:58:40 -0700
changeset 214004 f3b37ad2b42f039e11398c4b19ca658d585e29a3
parent 214003 f5138653a32a32bd8a8187f1e34e129da819b082
child 214005 2a5d0b30705505a1aa74ede709d844ad62378987
push id3857
push userraliiev@mozilla.com
push dateTue, 02 Sep 2014 16:39:23 +0000
reviewerskeeler
bugs1036142
milestone33.0a1
Bug 1036142: Don't use kPublicKeyPinningPreloadListLength (r=keeler)
security/manager/boot/src/PublicKeyPinningService.cpp
security/manager/boot/src/StaticHPKPins.h
security/manager/tools/genHPKPStaticPins.js
--- a/security/manager/boot/src/PublicKeyPinningService.cpp
+++ b/security/manager/boot/src/PublicKeyPinningService.cpp
@@ -163,20 +163,20 @@ CheckPinsForHostname(const CERTCertList 
   TransportSecurityPreload *foundEntry = nullptr;
   char *evalHost = const_cast<char*>(hostname);
   char *evalPart;
   // Notice how the (xx = strchr) prevents pins for unqualified domain names.
   while (!foundEntry && (evalPart = strchr(evalHost, '.'))) {
     PR_LOG(gPublicKeyPinningLog, PR_LOG_DEBUG,
            ("pkpin: Querying pinsets for host: '%s'\n", evalHost));
     foundEntry = (TransportSecurityPreload *)bsearch(evalHost,
-                                      kPublicKeyPinningPreloadList,
-                                      kPublicKeyPinningPreloadListLength,
-                                      sizeof(TransportSecurityPreload),
-                                      TransportSecurityPreloadCompare);
+      kPublicKeyPinningPreloadList,
+      sizeof(kPublicKeyPinningPreloadList) / sizeof(TransportSecurityPreload),
+      sizeof(TransportSecurityPreload),
+      TransportSecurityPreloadCompare);
     if (foundEntry) {
       PR_LOG(gPublicKeyPinningLog, PR_LOG_DEBUG,
              ("pkpin: Found pinset for host: '%s'\n", evalHost));
       if (evalHost != hostname) {
         if (!foundEntry->mIncludeSubdomains) {
           // Does not apply to this host, continue iterating
           foundEntry = nullptr;
         }
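Review bot: The element count passed to bsearch is now hand-computed as `sizeof(kPublicKeyPinningPreloadList) / sizeof(TransportSecurityPreload)`, which silently yields a wrong count if the list is ever declared as a pointer or as an array of unknown bound, or if its element type changes. A short count would make lookups miss entries, so pinning would quietly not apply to those hosts. I would use the type-checked helper instead, `mozilla::ArrayLength(kPublicKeyPinningPreloadList),` (from mozilla/ArrayUtils.h, if that header is not already included), and `sizeof(kPublicKeyPinningPreloadList[0])` for the element size. CheckPinsForHostname starts and ends outside this hunk.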
--- a/security/manager/boot/src/StaticHPKPins.h
+++ b/security/manager/boot/src/StaticHPKPins.h
@@ -424,17 +424,20 @@ static const char* kPinset_google_root_p
   kVerisign_Class_3_Public_Primary_Certification_AuthorityFingerprint,
   kVerisign_Class_3_Public_Primary_Certification_AuthorityFingerprint,
   kTC_TrustCenter_Universal_CA_IFingerprint,
   kGeoTrust_Primary_Certification_Authority___G2Fingerprint,
   kComodo_AAA_Services_rootFingerprint,
   kAffirmTrust_PremiumFingerprint,
   kAddTrust_Qualified_Certificates_RootFingerprint,
 };
-static const StaticFingerprints kPinset_google_root_pems_sha256 = { 64, kPinset_google_root_pems_sha256_Data };
+static const StaticFingerprints kPinset_google_root_pems_sha256 = {
+  sizeof(kPinset_google_root_pems_sha256_Data) / sizeof(const char*),
+  kPinset_google_root_pems_sha256_Data
+};
 
 static const StaticPinset kPinset_google_root_pems = {
   nullptr,
   &kPinset_google_root_pems_sha256
 };
 
 static const char* kPinset_mozilla_sha256_Data[] = {
   kGeoTrust_Global_CA_2Fingerprint,
@@ -454,87 +457,111 @@ static const char* kPinset_mozilla_sha25
   kGeoTrust_Universal_CA_2Fingerprint,
   kGeoTrust_Global_CAFingerprint,
   kVeriSign_Universal_Root_Certification_AuthorityFingerprint,
   kGeoTrust_Universal_CAFingerprint,
   kGeoTrust_Primary_Certification_Authority___G3Fingerprint,
   kDigiCert_Global_Root_CAFingerprint,
   kGeoTrust_Primary_Certification_Authority___G2Fingerprint,
 };
-static const StaticFingerprints kPinset_mozilla_sha256 = { 21, kPinset_mozilla_sha256_Data };
+static const StaticFingerprints kPinset_mozilla_sha256 = {
+  sizeof(kPinset_mozilla_sha256_Data) / sizeof(const char*),
+  kPinset_mozilla_sha256_Data
+};
 
 static const StaticPinset kPinset_mozilla = {
   nullptr,
   &kPinset_mozilla_sha256
 };
 
 static const char* kPinset_mozilla_fxa_sha256_Data[] = {
   kDigiCert_Global_Root_CAFingerprint,
 };
-static const StaticFingerprints kPinset_mozilla_fxa_sha256 = { 1, kPinset_mozilla_fxa_sha256_Data };
+static const StaticFingerprints kPinset_mozilla_fxa_sha256 = {
+  sizeof(kPinset_mozilla_fxa_sha256_Data) / sizeof(const char*),
+  kPinset_mozilla_fxa_sha256_Data
+};
 
 static const StaticPinset kPinset_mozilla_fxa = {
   nullptr,
   &kPinset_mozilla_fxa_sha256
 };
 
 static const char* kPinset_mozilla_test_sha256_Data[] = {
   kEnd_Entity_Test_CertFingerprint,
 };
-static const StaticFingerprints kPinset_mozilla_test_sha256 = { 1, kPinset_mozilla_test_sha256_Data };
+static const StaticFingerprints kPinset_mozilla_test_sha256 = {
+  sizeof(kPinset_mozilla_test_sha256_Data) / sizeof(const char*),
+  kPinset_mozilla_test_sha256_Data
+};
 
 static const StaticPinset kPinset_mozilla_test = {
   nullptr,
   &kPinset_mozilla_test_sha256
 };
 
 /* Chrome static pinsets */
 static const char* kPinset_test_sha1_Data[] = {
   kTestSPKIFingerprint,
 };
-static const StaticFingerprints kPinset_test_sha1 = { 1, kPinset_test_sha1_Data };
+static const StaticFingerprints kPinset_test_sha1 = {
+  sizeof(kPinset_test_sha1_Data) / sizeof(const char*),
+  kPinset_test_sha1_Data
+};
 
 static const StaticPinset kPinset_test = {
   &kPinset_test_sha1,
   nullptr
 };
 
 static const char* kPinset_google_sha1_Data[] = {
   kGoogleG2Fingerprint,
   kGoogleBackup2048Fingerprint,
 };
-static const StaticFingerprints kPinset_google_sha1 = { 2, kPinset_google_sha1_Data };
+static const StaticFingerprints kPinset_google_sha1 = {
+  sizeof(kPinset_google_sha1_Data) / sizeof(const char*),
+  kPinset_google_sha1_Data
+};
 
 static const StaticPinset kPinset_google = {
   &kPinset_google_sha1,
   nullptr
 };
 
 static const char* kPinset_tor_sha1_Data[] = {
   kTor1Fingerprint,
   kTor2Fingerprint,
   kTor3Fingerprint,
 };
-static const StaticFingerprints kPinset_tor_sha1 = { 3, kPinset_tor_sha1_Data };
+static const StaticFingerprints kPinset_tor_sha1 = {
+  sizeof(kPinset_tor_sha1_Data) / sizeof(const char*),
+  kPinset_tor_sha1_Data
+};
 
 static const char* kPinset_tor_sha256_Data[] = {
   kDigiCert_High_Assurance_EV_Root_CAFingerprint,
   kGOOGLE_PIN_RapidSSLFingerprint,
 };
-static const StaticFingerprints kPinset_tor_sha256 = { 2, kPinset_tor_sha256_Data };
+static const StaticFingerprints kPinset_tor_sha256 = {
+  sizeof(kPinset_tor_sha256_Data) / sizeof(const char*),
+  kPinset_tor_sha256_Data
+};
 
 static const StaticPinset kPinset_tor = {
   &kPinset_tor_sha1,
   &kPinset_tor_sha256
 };
 
 static const char* kPinset_twitterCom_sha1_Data[] = {
   kTwitter1Fingerprint,
 };
-static const StaticFingerprints kPinset_twitterCom_sha1 = { 1, kPinset_twitterCom_sha1_Data };
+static const StaticFingerprints kPinset_twitterCom_sha1 = {
+  sizeof(kPinset_twitterCom_sha1_Data) / sizeof(const char*),
+  kPinset_twitterCom_sha1_Data
+};
 
 static const char* kPinset_twitterCom_sha256_Data[] = {
   kVerisign_Class_2_Public_Primary_Certification_Authority___G2Fingerprint,
   kVerisign_Class_3_Public_Primary_Certification_Authority___G2Fingerprint,
   kGeoTrust_Global_CA_2Fingerprint,
   kDigiCert_Assured_ID_Root_CAFingerprint,
   kVerisign_Class_1_Public_Primary_Certification_Authority___G3Fingerprint,
   kVeriSign_Class_3_Public_Primary_Certification_Authority___G5Fingerprint,
@@ -549,27 +576,33 @@ static const char* kPinset_twitterCom_sh
   kGeoTrust_Global_CAFingerprint,
   kVeriSign_Universal_Root_Certification_AuthorityFingerprint,
   kGeoTrust_Universal_CAFingerprint,
   kGeoTrust_Primary_Certification_Authority___G3Fingerprint,
   kDigiCert_Global_Root_CAFingerprint,
   kVerisign_Class_3_Public_Primary_Certification_AuthorityFingerprint,
   kGeoTrust_Primary_Certification_Authority___G2Fingerprint,
 };
-static const StaticFingerprints kPinset_twitterCom_sha256 = { 21, kPinset_twitterCom_sha256_Data };
+static const StaticFingerprints kPinset_twitterCom_sha256 = {
+  sizeof(kPinset_twitterCom_sha256_Data) / sizeof(const char*),
+  kPinset_twitterCom_sha256_Data
+};
 
 static const StaticPinset kPinset_twitterCom = {
   &kPinset_twitterCom_sha1,
   &kPinset_twitterCom_sha256
 };
 
 static const char* kPinset_twitterCDN_sha1_Data[] = {
   kTwitter1Fingerprint,
 };
-static const StaticFingerprints kPinset_twitterCDN_sha1 = { 1, kPinset_twitterCDN_sha1_Data };
+static const StaticFingerprints kPinset_twitterCDN_sha1 = {
+  sizeof(kPinset_twitterCDN_sha1_Data) / sizeof(const char*),
+  kPinset_twitterCDN_sha1_Data
+};
 
 static const char* kPinset_twitterCDN_sha256_Data[] = {
   kVerisign_Class_2_Public_Primary_Certification_Authority___G2Fingerprint,
   kComodo_Trusted_Services_rootFingerprint,
   kCOMODO_Certification_AuthorityFingerprint,
   kVerisign_Class_3_Public_Primary_Certification_Authority___G2Fingerprint,
   kAddTrust_Low_Value_Services_RootFingerprint,
   kUTN_USERFirst_Object_Root_CAFingerprint,
@@ -605,49 +638,61 @@ static const char* kPinset_twitterCDN_sh
   kGOOGLE_PIN_Entrust_SSLFingerprint,
   kGeoTrust_Primary_Certification_Authority___G3Fingerprint,
   kDigiCert_Global_Root_CAFingerprint,
   kVerisign_Class_3_Public_Primary_Certification_AuthorityFingerprint,
   kGeoTrust_Primary_Certification_Authority___G2Fingerprint,
   kComodo_AAA_Services_rootFingerprint,
   kAddTrust_Qualified_Certificates_RootFingerprint,
 };
-static const StaticFingerprints kPinset_twitterCDN_sha256 = { 42, kPinset_twitterCDN_sha256_Data };
+static const StaticFingerprints kPinset_twitterCDN_sha256 = {
+  sizeof(kPinset_twitterCDN_sha256_Data) / sizeof(const char*),
+  kPinset_twitterCDN_sha256_Data
+};
 
 static const StaticPinset kPinset_twitterCDN = {
   &kPinset_twitterCDN_sha1,
   &kPinset_twitterCDN_sha256
 };
 
 static const char* kPinset_tor2web_sha256_Data[] = {
   kGOOGLE_PIN_Tor2webFingerprint,
   kGOOGLE_PIN_AlphaSSL_G2Fingerprint,
 };
-static const StaticFingerprints kPinset_tor2web_sha256 = { 2, kPinset_tor2web_sha256_Data };
+static const StaticFingerprints kPinset_tor2web_sha256 = {
+  sizeof(kPinset_tor2web_sha256_Data) / sizeof(const char*),
+  kPinset_tor2web_sha256_Data
+};
 
 static const StaticPinset kPinset_tor2web = {
   nullptr,
   &kPinset_tor2web_sha256
 };
 
 static const char* kPinset_cryptoCat_sha256_Data[] = {
   kDigiCert_High_Assurance_EV_Root_CAFingerprint,
   kGOOGLE_PIN_CryptoCat1Fingerprint,
 };
-static const StaticFingerprints kPinset_cryptoCat_sha256 = { 2, kPinset_cryptoCat_sha256_Data };
+static const StaticFingerprints kPinset_cryptoCat_sha256 = {
+  sizeof(kPinset_cryptoCat_sha256_Data) / sizeof(const char*),
+  kPinset_cryptoCat_sha256_Data
+};
 
 static const StaticPinset kPinset_cryptoCat = {
   nullptr,
   &kPinset_cryptoCat_sha256
 };
 
 static const char* kPinset_lavabit_sha256_Data[] = {
   kGOOGLE_PIN_LibertylavabitcomFingerprint,
 };
-static const StaticFingerprints kPinset_lavabit_sha256 = { 1, kPinset_lavabit_sha256_Data };
+static const StaticFingerprints kPinset_lavabit_sha256 = {
+  sizeof(kPinset_lavabit_sha256_Data) / sizeof(const char*),
+  kPinset_lavabit_sha256_Data
+};
 
 static const StaticPinset kPinset_lavabit = {
   nullptr,
   &kPinset_lavabit_sha256
 };
 
 static const char* kPinset_dropbox_sha256_Data[] = {
   kGOOGLE_PIN_EntrustRootEC1Fingerprint,
@@ -664,17 +709,20 @@ static const char* kPinset_dropbox_sha25
   kthawte_Primary_Root_CA___G2Fingerprint,
   kEntrust_Root_Certification_AuthorityFingerprint,
   kGOOGLE_PIN_Entrust_G2Fingerprint,
   kGeoTrust_Global_CAFingerprint,
   kGeoTrust_Primary_Certification_Authority___G3Fingerprint,
   kDigiCert_Global_Root_CAFingerprint,
   kGeoTrust_Primary_Certification_Authority___G2Fingerprint,
 };
-static const StaticFingerprints kPinset_dropbox_sha256 = { 18, kPinset_dropbox_sha256_Data };
+static const StaticFingerprints kPinset_dropbox_sha256 = {
+  sizeof(kPinset_dropbox_sha256_Data) / sizeof(const char*),
+  kPinset_dropbox_sha256_Data
+};
 
 static const StaticPinset kPinset_dropbox = {
   nullptr,
   &kPinset_dropbox_sha256
 };
 
 /* Domainlist */
 struct TransportSecurityPreload {
@@ -1010,13 +1058,13 @@ static const TransportSecurityPreload kP
   { "www.torproject.org", true, true, false, -1, &kPinset_tor },
   { "www.twitter.com", true, false, false, -1, &kPinset_twitterCom },
   { "xbrlsuccess.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
   { "youtu.be", true, false, false, -1, &kPinset_google_root_pems },
   { "youtube.com", true, false, false, -1, &kPinset_google_root_pems },
   { "ytimg.com", true, false, false, -1, &kPinset_google_root_pems },
 };
 
-static const int kPublicKeyPinningPreloadListLength = 325;
+// Pinning Preload List Length = 325;
 
 static const int32_t kUnknownId = -1;
 
-static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1413306296143000);
+static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1413400280364000);
--- a/security/manager/tools/genHPKPStaticPins.js
+++ b/security/manager/tools/genHPKPStaticPins.js
@@ -21,17 +21,16 @@ if (arguments.length != 3) {
 const { 'classes': Cc, 'interfaces': Ci, 'utils': Cu, 'results': Cr } = Components;
 
 let { NetUtil } = Cu.import("resource://gre/modules/NetUtil.jsm", {});
 let { FileUtils } = Cu.import("resource://gre/modules/FileUtils.jsm", {});
 let { Services } = Cu.import("resource://gre/modules/Services.jsm", {});
 
 let gCertDB = Cc["@mozilla.org/security/x509certdb;1"]
                 .getService(Ci.nsIX509CertDB);
-gCertDB.QueryInterface(Ci.nsIX509CertDB);
 
 const BUILT_IN_NICK_PREFIX = "Builtin Object Token:";
 const SHA1_PREFIX = "sha1/";
 const SHA256_PREFIX = "sha256/";
 const GOOGLE_PIN_PREFIX = "GOOGLE_PIN_";
 
 // Pins expire in 14 weeks (6 weeks on Beta + 8 weeks on stable)
 const PINNING_MINIMUM_REQUIRED_MAX_AGE = 60 * 60 * 24 * 7 * 14;
@@ -426,18 +425,19 @@ function writeFingerprints(certNameToSKD
   for (let skd of SKDList.sort()) {
     writeString("  " + nameToAlias(certSKDToName[skd]) + ",\n");
   }
   if (hashes.length == 0) {
     // ANSI C requires that an initialiser list be non-empty.
     writeString("  0\n");
   }
   writeString("};\n");
-  writeString("static const StaticFingerprints " + varPrefix + " = { " +
-          hashes.length + ", " + varPrefix + "_Data };\n\n");
+  writeString("static const StaticFingerprints " + varPrefix + " = {\n  " +
+    "sizeof(" + varPrefix + "_Data) / sizeof(const char*),\n  " + varPrefix +
+    "_Data\n};\n\n");
 }
 
 function writeEntry(entry) {
   let printVal = "  { \"" + entry.name + "\",\ ";
   if (entry.include_subdomains) {
     printVal += "true, ";
   } else {
     printVal += "false, ";
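Review bot: The empty-pinset branch a few lines above still writes a placeholder `0` element, so the emitted `sizeof(..._Data) / sizeof(const char*)` evaluates to 1 where the old code wrote `hashes.length`, i.e. 0. Any consumer that walks the fingerprints by that count would then read a null entry; the consumers are not visible here, so confirm whether they tolerate it. Keeping the literal for that case avoids the change in meaning, e.g. `let sizeExpr = hashes.length == 0 ? "0" : "sizeof(" + varPrefix + "_Data) / sizeof(const char*)";` and writing `sizeExpr` into the initializer. writeFingerprints begins outside this hunk.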
@@ -478,18 +478,17 @@ function writeDomainList(chromeImportedE
   let sortedEntries = gStaticPins.entries;
   sortedEntries.push.apply(sortedEntries, chromeImportedEntries);
   for (let entry of sortedEntries.sort(compareByName)) {
     count++;
     writeEntry(entry);
   }
   writeString("};\n");
 
-  writeString("\nstatic const int kPublicKeyPinningPreloadListLength = " +
-          count + ";\n");
+  writeString("\n// Pinning Preload List Length = " + count + ";\n");
   writeString("\nstatic const int32_t kUnknownId = -1;\n");
 }
 
 function writeFile(certNameToSKD, certSKDToName,
                    chromeImportedPinsets, chromeImportedEntries) {
   // Compute used pins from both Chrome's and our pinsets, so we can output
   // them later.
   usedFingerprints = {};
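Review bot: The replacement line in writeDomainList emits `// Pinning Preload List Length = 325;` into the header, which keeps the trailing `;` and reads like commented-out code rather than a generated annotation. `count` is now used only for that comment, so nothing checks the generated number against the array the compiler actually sees. I would either drop the semicolon, `writeString("\n// Pinning Preload List Length = " + count + "\n");`, or emit a `static_assert` comparing the array length with `count` so a truncated or hand-edited header fails to build. writeDomainList begins outside this hunk and writeFile continues past it.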