1013504 - genHPKPStaticPins.js needs an error file in hg

Status: RESOLVED FIXED

(Core :: Security: PSM, defect)

Description

[[:mmc] Monica Chew (no longer reading bugmail)]

So we can track changes to errors.

Comment 1

[[:mmc] Monica Chew (no longer reading bugmail)]

Attachment: Introduce error file for genHPKPStaticPins.js (

Comment 2

[[:mmc] Monica Chew (no longer reading bugmail)]

Attachment: Introduce error file for genHPKPStaticPins.js (

Comment 3

[[:mmc] Monica Chew (no longer reading bugmail)]

Comment on attachment 8425672 [details] [diff] [review]
Introduce error file for genHPKPStaticPins.js (

Review of attachment 8425672 [details] [diff] [review]:
-----------------------------------------------------------------

::: security/manager/boot/src/StaticHPKPins.errors
@@ +1,3 @@
> ++ set -e
> ++ OBJ=obj-x86_64-unknown-linux-gnu
> ++ obj-x86_64-unknown-linux-gnu/dist/bin/run-mozilla.sh obj-x86_64-unknown-linux-gnu/dist/bin/xpcshell /home/mchew/mozilla-central/security/manager/tools/genHPKPStaticPins.js /home/mchew/mozilla-central/security/manager/tools/PreloadedHPKPins.json /home/mchew/mozilla-central/security/manager/ssl/tests/unit/tlsserver/default-ee.der /home/mchew/mozilla-central/security/manager/boot/src/StaticHPKPins.h

These will go away once it's integrated into the build. The HPKP JS generator writes to an errors file specifically. I think that's inferior to redirecting stdout and stderr in the bash script driver, because it will miss throws, etc. Also the NS_WARNINGS will go away on non-debug builds.

Comment 4

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

Comment on attachment 8425672 [details] [diff] [review]
Introduce error file for genHPKPStaticPins.js (

Review of attachment 8425672 [details] [diff] [review]:
-----------------------------------------------------------------

13:06    keeler | mmc: for bug 1013504, is the added file the stderr/stdout of running xpcshell on genHPKPStatisPins.js?
13:06       mmc | keeler, yes it is
13:06       mmc | i'm almost done with the bash script updates
13:06       mmc | it's just that the bash script requires checking out the errors file from hg
13:06       mmc | so there's a bit of a bootstrapping issue
13:06    keeler | ah...
13:06    keeler | what bug is the bash script for?
13:06       mmc | sec
13:07       mmc | keeler, Bug 1004279
13:09    keeler | mmc: cool - thanks. So this is basically for bootstrapping and will be more useful when the automation is hooked up?
13:09       mmc | yes, sorry i should have put that in the bug description
13:09    keeler | no worries :)

r=me

::: security/manager/boot/src/StaticHPKPins.h
@@ +778,5 @@
>  static const int kPublicKeyPinningPreloadListLength = 307;
>  
>  static const int32_t kUnknownId = -1;
>  
> +static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1411498007030000);

I'm not sure we need to touch this file when checking in the errors file, but it probably doesn't matter at this point.

Comment 5

[[:mmc] Monica Chew (no longer reading bugmail)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/3c522cd0fa6d

Comment 6

[[:mmc] Monica Chew (no longer reading bugmail)]

Btw, running this from the bash generator yields something much less spammy:

Can't find hash in builtin certs for Chrome nickname RapidSSL, inserting GOOGLE_PIN_RapidSSL
Can't find hash in builtin certs for Chrome nickname Entrust_G2, inserting GOOGLE_PIN_Entrust_G2
Can't find hash in builtin certs for Chrome nickname Tor2web, inserting GOOGLE_PIN_Tor2web
Can't find hash in builtin certs for Chrome nickname AlphaSSL_G2, inserting GOOGLE_PIN_AlphaSSL_G2
Can't find hash in builtin certs for Chrome nickname CryptoCat1, inserting GOOGLE_PIN_CryptoCat1
Can't find hash in builtin certs for Chrome nickname Libertylavabitcom, inserting GOOGLE_PIN_Libertylavabitcom

Comment 7

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/3c522cd0fa6d