remove 1024 bit roots from google_root_pems

RESOLVED FIXED in Firefox 32

Status

()

RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: mmc, Assigned: mmc)

Tracking

Trunk
mozilla33
x86_64
Linux
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox30 unaffected, firefox31 unaffected, firefox32+ fixed, firefox33 fixed)

Details

Attachments

(1 attachment, 2 obsolete attachments)

bug 1029561 removed some certs that are in google_root_pems, thus breaking the pinset generator (on purpose, since we should not be relying on builtins that don't exist).
Depends on: 1029561
Created attachment 8452418 [details] [diff] [review]
Remove deprecated certs from google_root_pems (
Assignee: nobody → mmc
Status: NEW → ASSIGNED
Comment on attachment 8452418 [details] [diff] [review]
Remove deprecated certs from google_root_pems (

Review of attachment 8452418 [details] [diff] [review]:
-----------------------------------------------------------------

Ugh -- I guess the way the code is written now we import PEMs from Chrome's transport_security_static.certs, which includes builtins that we no longer support. Is this the desired behavior?

Either way, we should notify AGL.

::: security/manager/boot/src/StaticHPKPins.h
@@ +1003,5 @@
>    { "wf-staging-hr.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
>    { "wf-training-hrd.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
>    { "wf-training-master.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
>    { "wf-trial-hrd.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
> +  { "www.dropbox.com", true, true, false, -1, &kPinset_dropbox },

Looks like they rolled back this change to www only.
Attachment #8452418 - Flags: review?(dkeeler)
> 
> Ugh -- I guess the way the code is written now we import PEMs from Chrome's
> transport_security_static.certs, which includes builtins that we no longer
> support. Is this the desired behavior?

What I mean to say is that twitterCDN includes some of these 1024-bit roots, which we import from the raw PEM file. If that's not the desired behavior, that should be a followup bug.
Comment on attachment 8452418 [details] [diff] [review]
Remove deprecated certs from google_root_pems (

Review of attachment 8452418 [details] [diff] [review]:
-----------------------------------------------------------------

I think it's correct that we import certs from google's list - if they were intermediates, they wouldn't be in our root program, but we still want to be able to pin to their fingerprints, right?
Anyway, this looks correct to me.

::: security/manager/boot/src/StaticHPKPins.h
@@ +1014,5 @@
>    { "youtube.com", true, false, false, -1, &kPinset_google_root_pems },
>    { "ytimg.com", true, false, false, -1, &kPinset_google_root_pems },
>  };
>  
> +static const int kPublicKeyPinningPreloadListLength = 325;

We discussed what happened here. Let's file a bug on using the static length of these data structures.
Attachment #8452418 - Flags: review?(dkeeler) → review+
Created attachment 8452702 [details] [diff] [review]
Aurora-specific patch for removing google's 1024-bit root certs (
Attachment #8452418 - Attachment is obsolete: true
Comment on attachment 8452702 [details] [diff] [review]
Aurora-specific patch for removing google's 1024-bit root certs (

Approval Request Comment
[Feature/regressing bug #]: 1029561 removed these root certs from our builtins, which breaks pin generation on aurora now that buildbot generates these.

[User impact if declined]: buildbot generation will break on aurora, we will ship incorrect expiration dates and pinned certs for FF32

[Describe test coverage new/current, TBPL]: pinning is unittested in security/manager/ssl/tests/unit/test_pinning.js, buildbot errors appear as changes to security/manager/boot/src/StaticHPKPins.errors

[Risks and why]: low risk

[String/UUID change made/needed]: none
Attachment #8452702 - Flags: approval-mozilla-aurora?
Created attachment 8452707 [details] [diff] [review]
Don't use kPublicKeyPinningPreloadListLength (
Attachment #8452707 - Attachment is obsolete: true
https://hg.mozilla.org/mozilla-central/rev/ee1da9d45ce2
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
status-firefox30: --- → unaffected
status-firefox31: --- → unaffected
status-firefox32: --- → affected
status-firefox33: --- → fixed
tracking-firefox32: --- → +
Comment on attachment 8452702 [details] [diff] [review]
Aurora-specific patch for removing google's 1024-bit root certs (

Aurora+
Attachment #8452702 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
status-firefox32: affected → fixed
You need to log in before you can comment on or make changes to this bug.