Bug 1205406
Opened 9 years ago
Closed 7 years ago
adapt automatic hpkp updates to deal with removal of default-ee.der in bug 1203312
Categories
(Release Engineering :: General, defect)
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
People
(Reporter: keeler, Unassigned)
Currently the automatic HPKP update script reads a given test certificate and uses its key to define the pinning test key set. Since bug 1203312 involves converting the tlsserver certificates to the new generated-at-build-time system, default-ee.der won't exist in the tree after it lands. I think this is ok, though, since a side effect of moving to the new system is the test pinning key is now a well-known and stable key:

https://dxr.mozilla.org/mozilla-central/rev/9ed17db42e3e46f1c712e4dffd62d54e915e0fac/security/manager/ssl/tests/unit/pykey.py#116

My current approach in bug 1203312 is to hard-code the pinning test key hash value in security/manager/tools/genHPKPStaticPins.js. It looks like the automation script will still need to be updated to reflect that default-ee.der will no longer exist, though.
Reporter
Comment 1•9 years ago
Actually, another option that might be easier to coordinate would be to keep a stub 'default-ee.der' file in the tree that genHPKPStaticPins.js ignores after bug 1203312. That way we could just wait to update the automation script until all affected trees have the changes from bug 1203312.
Reporter
Comment 3•7 years ago
We could, but I wouldn't say it's essential. We basically just have to remove the unused second argument in the in-tree script at the same time as we change the infrastructure that calls it: https://dxr.mozilla.org/mozilla-central/rev/e03e0c60462c775c7558a1dc9d5cf2076c3cd1f9/security/manager/tools/genHPKPStaticPins.js#69
Flags: needinfo?(dkeeler)
Updated•7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE
Assignee
Updated•6 years ago
Component: General Automation → General