Closed
Bug 1229284
Opened 9 years ago
Closed 8 years ago
Remove support for SHA-1 hashes in genHPKPStaticPins.js
Categories
(Core :: Security: PSM, defect)
Core
Security: PSM
Tracking
()
RESOLVED
FIXED
mozilla46
Tracking | Status | |
---|---|---|
firefox46 | --- | fixed |
People
(Reporter: Cykesiopka, Assigned: Cykesiopka)
References
Details
Attachments
(1 file, 1 obsolete file)
14.60 KB,
patch
|
Cykesiopka
:
review+
|
Details | Diff | Splinter Review |
See Bug 224968 comment 5 through Bug 224968 comment 8: genHPKPStaticPins.js no longer needs to support SHA-1 hashes, so the relevant code should be removed at some point to simplify the script.
Assignee | ||
Comment 1•9 years ago
|
||
(In reply to Cykesiopka from comment #0) > See Bug 224968 comment 5 through Bug 224968 comment 8: genHPKPStaticPins.js Oops, Bug 1224968 comment 5 through Bug 1224968 comment 8.
Assignee | ||
Updated•9 years ago
|
Assignee: nobody → cykesiopka.bmo
Status: NEW → ASSIGNED
Assignee | ||
Comment 2•9 years ago
|
||
Bug 1229284 - Remove support for SHA-1 hashes in genHPKPStaticPins.js.
Attachment #8698332 -
Flags: review?(dkeeler)
https://reviewboard.mozilla.org/r/27947/#review25133 This looks great. I just have a couple of suggestions. In a follow-up, we should probably simplify the actual pinning code to not even attempt sha-1 pins (since they're all null now anyway). ::: security/manager/tools/genHPKPStaticPins.js:255 (Diff revision 1) > certNameToSKD[chromeName] = hash; Hmmm - I think certNameToSKD is undefined/unused in this function (this is a preexisting problem, but we should probably fix it). ::: security/manager/tools/genHPKPStaticPins.js:457 (Diff revision 1) > if (pinset.sha256_hashes && pinset.sha256_hashes.length > 0) { pinset.sha256_hashes should always have a value now, right? We should make this a fatal error otherwise. ::: security/manager/tools/genHPKPStaticPins.js:565 (Diff revision 1) > if (pinset.sha256_hashes) { Same idea here.
Assignee | ||
Comment 4•9 years ago
|
||
https://reviewboard.mozilla.org/r/27947/#review25133 Thanks for the review! > In a follow-up, we should probably simplify the actual pinning code to not even attempt sha-1 pins Filed Bug 123332. > Hmmm - I think certNameToSKD is undefined/unused in this function (this is a preexisting problem, but we should probably fix it). Turns out that while certNameToSKD isn't in the param list of the function, it is defined at the global scope and used.
Assignee | ||
Comment 5•9 years ago
|
||
+ Address review comments. v1 has r+ on the ReviewBoard side, but for some reason this wasn't propagated to the Bugzilla side.
Attachment #8698332 -
Attachment is obsolete: true
Attachment #8698332 -
Flags: review?(dkeeler)
Attachment #8699489 -
Flags: review+
Assignee | ||
Comment 6•9 years ago
|
||
NPOTB, but: https://treeherder.mozilla.org/#/jobs?repo=try&revision=80746ee0f581
Keywords: checkin-needed
Comment 8•8 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/934aa92f8d54
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox46:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
You need to log in
before you can comment on or make changes to this bug.
Description
•