Closed
Bug 1229284
Opened 9 years ago
Closed 8 years ago
Remove support for SHA-1 hashes in genHPKPStaticPins.js
Categories
(Core :: Security: PSM, defect)
Core
Security: PSM
Tracking
()
RESOLVED
FIXED
mozilla46
| Tracking | Status | |
|---|---|---|
| firefox46 | --- | fixed |
People
(Reporter: Cykesiopka, Assigned: Cykesiopka)
References
Details
Attachments
(1 file, 1 obsolete file)
|
14.60 KB,
patch
|
Cykesiopka
:
review+
|
Details | Diff | Splinter Review |
See Bug 224968 comment 5 through Bug 224968 comment 8: genHPKPStaticPins.js no longer needs to support SHA-1 hashes, so the relevant code should be removed at some point to simplify the script.
|
Assignee | |
Comment 1•9 years ago
|
||
(In reply to Cykesiopka from comment #0) > See Bug 224968 comment 5 through Bug 224968 comment 8: genHPKPStaticPins.js Oops, Bug 1224968 comment 5 through Bug 1224968 comment 8.
|
|
Assignee | |
Updated•9 years ago
|
Assignee: nobody → cykesiopka.bmo
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 2•9 years ago
|
||
Bug 1229284 - Remove support for SHA-1 hashes in genHPKPStaticPins.js.
Attachment #8698332 -
Flags: review?(dkeeler)
https://reviewboard.mozilla.org/r/27947/#review25133 This looks great. I just have a couple of suggestions. In a follow-up, we should probably simplify the actual pinning code to not even attempt sha-1 pins (since they're all null now anyway). ::: security/manager/tools/genHPKPStaticPins.js:255 (Diff revision 1) > certNameToSKD[chromeName] = hash; Hmmm - I think certNameToSKD is undefined/unused in this function (this is a preexisting problem, but we should probably fix it). ::: security/manager/tools/genHPKPStaticPins.js:457 (Diff revision 1) > if (pinset.sha256_hashes && pinset.sha256_hashes.length > 0) { pinset.sha256_hashes should always have a value now, right? We should make this a fatal error otherwise. ::: security/manager/tools/genHPKPStaticPins.js:565 (Diff revision 1) > if (pinset.sha256_hashes) { Same idea here.
|
|
Assignee | |
Comment 4•9 years ago
|
||
https://reviewboard.mozilla.org/r/27947/#review25133 Thanks for the review! > In a follow-up, we should probably simplify the actual pinning code to not even attempt sha-1 pins Filed Bug 123332. > Hmmm - I think certNameToSKD is undefined/unused in this function (this is a preexisting problem, but we should probably fix it). Turns out that while certNameToSKD isn't in the param list of the function, it is defined at the global scope and used.
|
|
Assignee | |
Comment 5•9 years ago
|
||
+ Address review comments. v1 has r+ on the ReviewBoard side, but for some reason this wasn't propagated to the Bugzilla side.
Attachment #8698332 -
Attachment is obsolete: true
Attachment #8698332 -
Flags: review?(dkeeler)
Attachment #8699489 -
Flags: review+
|
|
Assignee | |
Comment 6•9 years ago
|
||
NPOTB, but: https://treeherder.mozilla.org/#/jobs?repo=try&revision=80746ee0f581
Keywords: checkin-needed
|
||
Comment 8•8 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/934aa92f8d54
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox46:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
You need to log in
before you can comment on or make changes to this bug.
Description
•