1300305 - No HSTS/HPKP/blocklist updates on Trunk

Status: RESOLVED FIXED

(Core :: Security: PSM, defect, P1)

Description

[Ryan VanderMeulen [:RyanVM]]

Looks like Aurora updated fine today, which indicates that bug 1298056 worked to solve that issue. However, no updates on trunk indicates that something seems awry still.

Comment 1

[Phil Ringnalda (:philor)]

http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-linux64/mozilla-central-linux64-periodicupdate-bm91-build1-build0.txt.gz - opaque as always.

Comment 2

[Dana Keeler (she/her) (use needinfo) [:keeler]]

Well, it looks like the HSTS update succeeded just fine, but then the HPKP update failed. :catlee, I was under the impression that these jobs ran separately (so that if one failed, it wouldn't necessarily keep the others from succeeding). Is that no longer the case? Was it ever the case?

In the meantime, I'll keep investigating the HPKP failure.

Comment 3

[Dana Keeler (she/her) (use needinfo) [:keeler]]

This was my fault. Kathleen told me there were some root removals in bug 1296689 that might affect pinning. Lo and behold, they affected pinning.

Comment 4

[Dana Keeler (she/her) (use needinfo) [:keeler]]

Attachment: bug 1300305 - update preloaded HPKP information to deal with "Equifax Secure CA" removal DONTBUILD NPOTB

The root with the nickname "Equifax Secure CA" was removed from NSS in bug
1296689 (confusingly, "Equifax Secure CA" doesn't appear in the subject DN of
that certificate, which is "OU=Equifax Secure Certificate
Authority,O=Equifax,C=US"). This removes the dependency on that root as well as
fixes dumpGoogleRoots.js to automatically handle this sort of thing in the
future.

Review commit: https://reviewboard.mozilla.org/r/77008/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/77008/

Comment 5

[:Cykesiopka]

Comment on attachment 8788557 [details]
bug 1300305 - update preloaded HPKP information to deal with "Equifax Secure CA" removal DONTBUILD NPOTB

https://reviewboard.mozilla.org/r/77008/#review75332

Looks good, although we probably need some way of catching root certs that were previously present when we ran dumpGoogleRoots.js from being removed if they are still listed in PreloadedHPKPins.json.
Maybe for another bug.

::: security/manager/tools/dumpGoogleRoots.js:61
(Diff revision 1)
>    }
>    return roots;
>  }
>  
> +function makeFormattedNickname(cert) {
> +  if (root.nickname.includes("Builtin Object Token:")) {

This line and the ones below all need to refer to ```cert``` instead of ```root```.
Also, I guess technically ```includes(...)``` should be ```startsWith(...)``` instead, but it doesn't really matter.

Comment 6

[:Cykesiopka]

(In reply to Phil Ringnalda (:philor) from comment #1)
> http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-
> linux64/mozilla-central-linux64-periodicupdate-bm91-build1-build0.txt.gz -
> opaque as always.

The error message shows up locally, but not in automation for some reason. Maybe the automation script doesn't redirect the error messages to the log or something.

Comment 7

[Dana Keeler (she/her) (use needinfo) [:keeler]]

Comment on attachment 8788557 [details]
bug 1300305 - update preloaded HPKP information to deal with "Equifax Secure CA" removal DONTBUILD NPOTB

https://reviewboard.mozilla.org/r/77008/#review75332

Thanks!
This is a manual step anyway, so I think we can just review any changes as we see them.

> This line and the ones below all need to refer to ```cert``` instead of ```root```.
> Also, I guess technically ```includes(...)``` should be ```startsWith(...)``` instead, but it doesn't really matter.

Heh - whoops. Fixed that and updated includes to startsWith.

Comment 8

[Dana Keeler (she/her) (use needinfo) [:keeler]]

Comment on attachment 8788557 [details]
bug 1300305 - update preloaded HPKP information to deal with "Equifax Secure CA" removal DONTBUILD NPOTB

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/77008/diff/1-2/

Comment 9

[Dana Keeler (she/her) (use needinfo) [:keeler]]

Comment on attachment 8788557 [details]
bug 1300305 - update preloaded HPKP information to deal with "Equifax Secure CA" removal DONTBUILD NPOTB

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/77008/diff/2-3/

Comment 10

[Pulsebot]

Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/55ad430c18f0
update preloaded HPKP information to deal with "Equifax Secure CA" removal DONTBUILD NPOTB r=Cykesiopka

Comment 11

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/55ad430c18f0

Comment 12

[Chris AtLee [:catlee]]

(In reply to David Keeler [:keeler] (use needinfo?) from comment #2)
> Well, it looks like the HSTS update succeeded just fine, but then the HPKP
> update failed. :catlee, I was under the impression that these jobs ran
> separately (so that if one failed, it wouldn't necessarily keep the others
> from succeeding). Is that no longer the case? Was it ever the case?
> 
> In the meantime, I'll keep investigating the HPKP failure.

I'm really not sure. These are implemented here:

https://dxr.mozilla.org/build-central/source/tools/scripts/periodic_file_updates/periodic_file_updates.sh

Comment 13

[Dana Keeler (she/her) (use needinfo) [:keeler]]

Ah - thanks for the pointer. It looks like if multiple of {--hsts, --hpkp, --blocklist} are specified when running that, if one of the steps involved in generating the new files fails, then none of the commit steps (at the bottom) will run, even if a different subtask succeeded.