Closed
Bug 1229284
Opened 10 years ago
Closed 10 years ago
Remove support for SHA-1 hashes in genHPKPStaticPins.js
Categories
(Core :: Security: PSM, defect)
Core
Security: PSM
Tracking
()
RESOLVED
FIXED
mozilla46
| Tracking | Status | |
|---|---|---|
| firefox46 | --- | fixed |
People
(Reporter: Cykesiopka, Assigned: Cykesiopka)
References
Details
Attachments
(1 file, 1 obsolete file)
|
14.60 KB,
patch
|
Cykesiopka
:
review+
|
Details | Diff | Splinter Review |
See Bug 224968 comment 5 through Bug 224968 comment 8: genHPKPStaticPins.js no longer needs to support SHA-1 hashes, so the relevant code should be removed at some point to simplify the script.
|
Assignee | |
Comment 1•10 years ago
|
||
(In reply to Cykesiopka from comment #0)
> See Bug 224968 comment 5 through Bug 224968 comment 8: genHPKPStaticPins.js
Oops, Bug 1224968 comment 5 through Bug 1224968 comment 8.
|
|
Assignee | |
Updated•10 years ago
|
Assignee: nobody → cykesiopka.bmo
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 2•10 years ago
|
||
Bug 1229284 - Remove support for SHA-1 hashes in genHPKPStaticPins.js.
Attachment #8698332 -
Flags: review?(dkeeler)
|
|
||
Comment 3•10 years ago
|
||
https://reviewboard.mozilla.org/r/27947/#review25133
This looks great. I just have a couple of suggestions. In a follow-up, we should probably simplify the actual pinning code to not even attempt sha-1 pins (since they're all null now anyway).
::: security/manager/tools/genHPKPStaticPins.js:255
(Diff revision 1)
> certNameToSKD[chromeName] = hash;
Hmmm - I think certNameToSKD is undefined/unused in this function (this is a preexisting problem, but we should probably fix it).
::: security/manager/tools/genHPKPStaticPins.js:457
(Diff revision 1)
> if (pinset.sha256_hashes && pinset.sha256_hashes.length > 0) {
pinset.sha256_hashes should always have a value now, right? We should make this a fatal error otherwise.
::: security/manager/tools/genHPKPStaticPins.js:565
(Diff revision 1)
> if (pinset.sha256_hashes) {
Same idea here.
|
|
Assignee | |
Comment 4•10 years ago
|
||
https://reviewboard.mozilla.org/r/27947/#review25133
Thanks for the review!
> In a follow-up, we should probably simplify the actual pinning code to not even attempt sha-1 pins
Filed Bug 123332.
> Hmmm - I think certNameToSKD is undefined/unused in this function (this is a preexisting problem, but we should probably fix it).
Turns out that while certNameToSKD isn't in the param list of the function, it is defined at the global scope and used.
|
|
Assignee | |
Comment 5•10 years ago
|
||
+ Address review comments.
v1 has r+ on the ReviewBoard side, but for some reason this wasn't propagated to the Bugzilla side.
Attachment #8698332 -
Attachment is obsolete: true
Attachment #8698332 -
Flags: review?(dkeeler)
Attachment #8699489 -
Flags: review+
|
|
Assignee | |
Comment 6•10 years ago
|
||
Keywords: checkin-needed
Keywords: checkin-needed
|
||
Comment 8•10 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox46:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
You need to log in
before you can comment on or make changes to this bug.
Description
•