Closed Bug 1205406 Opened 9 years ago Closed 7 years ago

adapt automatic hpkp updates to deal with removal of default-ee.der in bug 1203312

Categories

(Release Engineering :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: keeler, Unassigned)

References

Details

Currently the automatic HPKP update script reads a given test certificate and uses its key to define the pinning test key set. Since bug 1203312 involves converting the tlsserver certificates to the new generated-at-build-time system, default-ee.der won't exist in the tree after it lands. I think this is ok, though, since a side effect of moving to the new system is the test pinning key is now a well-known and stable key:

https://dxr.mozilla.org/mozilla-central/rev/9ed17db42e3e46f1c712e4dffd62d54e915e0fac/security/manager/ssl/tests/unit/pykey.py#116

My current approach in bug 1203312 is to hard-code the pinning test key hash value in security/manager/tools/genHPKPStaticPins.js. It looks like the automation script will still need to be updated to reflect that default-ee.der will no longer exist, though.
Actually, another option that might be easier to coordinate would be to keep a stub 'default-ee.der' file in the tree that genHPKPStaticPins.js ignores after bug 1203312. That way we could just wait to update the automation script until all affected trees have the changes from bug 1203312.
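The pin value the script derives from the test certificate is the HPKP pin from RFC 7469: base64 of the SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo. The following is an added example (not genHPKPStaticPins.js or any Mozilla code) that walks a DER certificate to the SPKI and computes that pin; the sample certificate and its key bytes are constructed placeholders, not a real key.

```python
import base64
import hashlib

SEQ, INT, OID, NULL, BITSTR, UTC, SET, PRINT = 0x30, 0x02, 0x06, 0x05, 0x03, 0x17, 0x31, 0x13
def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def der(tag, content):
    """Wrap content in a TLV with the given tag."""
    return bytes([tag]) + der_length(len(content)) + content
def read_tlv(buf, pos):
    """Return (tag, value, end) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length
def children(body):
    """Split a SEQUENCE body into its raw child TLVs (tag + length + value)."""
    out, pos = [], 0
    while pos < len(body):
        _, _, end = read_tlv(body, pos)
        out.append(body[pos:end])
        pos = end
    return out
def spki_from_cert(cert_der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo, returned as raw DER."""
    _, cert_body, _ = read_tlv(cert_der, 0)
    _, tbs_body, _ = read_tlv(children(cert_body)[0], 0)
    fields = children(tbs_body)
    if fields[0][0] == 0xA0:  # optional explicit version [0] shifts the field indices by one
        fields = fields[1:]
    return fields[5]  # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
def pin_of_spki(spki_der):
    """RFC 7469 pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()
def hpkp_pin(cert_der):
    return pin_of_spki(spki_from_cert(cert_der))

# Constructed sample certificate (hypothetical; the key bit string is filler, not a real key).
RSA_OID = der(OID, bytes.fromhex("2a864886f70d010101"))
SAMPLE_SPKI = der(SEQ, der(SEQ, RSA_OID + der(NULL, b"")) + der(BITSTR, b"\x00" + b"\x42" * 16))
def sample_cert():
    name = der(SEQ, der(SET, der(SEQ, der(OID, bytes.fromhex("550403")) + der(PRINT, b"test"))))
    validity = der(SEQ, der(UTC, b"150101000000Z") + der(UTC, b"250101000000Z"))
    sig_alg = der(SEQ, der(OID, bytes.fromhex("2a864886f70d01010b")) + der(NULL, b""))
    tbs = der(SEQ, der(0xA0, der(INT, b"\x02")) + der(INT, b"\x01") + sig_alg + name + validity + name + SAMPLE_SPKI)
    return der(SEQ, tbs + sig_alg + der(BITSTR, b"\x00" * 9))
```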
Is this something we still want to do?
Flags: needinfo?(dkeeler)
We could, but I wouldn't say it's essential. We basically just have to remove the unused second argument in the in-tree script at the same time as we change the infrastructure that calls it: https://dxr.mozilla.org/mozilla-central/rev/e03e0c60462c775c7558a1dc9d5cf2076c3cd1f9/security/manager/tools/genHPKPStaticPins.js#69
Flags: needinfo?(dkeeler)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE
Component: General Automation → General