Closed Bug 1395957 Opened 3 years ago Closed 3 years ago

Public-Key-Pins cannot be noted if the pinned keys exceed 1024 bytes

Categories

(Core :: Security: PSM, defect)

55 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1190127

People

(Reporter: mozilla_bugzilla95c, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
Build ID: 20170826053331

Steps to reproduce:

(Tested on Firefox 55.0.3 64-bit on Arch Linux)

Go to a website that sets a Public-Key-Pins header with more than 22 (sha256) pinned keys (e.g. my site c4k3.net).

I tested it by gradually reducing the length of the header. When it lists 22 pinned keys, the HPKP info is updated correctly and no error appears, but at 23 pinned keys the info is not updated and the error appears.

It does not appear to be related to the total length of the header, as the error still appears with 23 pinned keys but the report-uri directive removed.

I would guess the underlying issue is that the entry in SiteSecurityServiceState.txt is limited to 1024 bytes. In base64, a sha256 sum is 45 bytes, 22 * 45 = 990, 23 * 45 = 1035.


Actual results:

If there is already an HPKP entry for that site in SiteSecurityServiceState.txt, it remains unchanged even if the header defines new keys. If there is no HPKP entry for the site, nothing happens.

No matter what, in the web console, the error "Public-Key-Pins: An error occurred noting the site as a Public-Key-Pins host.[Learn More]" appears.


Expected results:

The HPKP entry for the site should have updated.
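The reporter's arithmetic above (22 pins fit, 23 do not, independent of the report-uri directive) can be checked against a header mechanically. The following Python is an added example written for this page, not code from the report or from Firefox: it parses a Public-Key-Pins header value into its directives, validates that each pin-sha256 value is base64 decoding to a 32-byte digest, and estimates the serialized pin payload using the reporter's figure of 45 bytes per pin. The 1024-byte entry limit is the reporter's hypothesis, not a value taken from the Firefox source, and is labelled as such; the pins and the report URI are constructed sample data, not real keys.

```python
"""Parse a Public-Key-Pins header and estimate the size of its pin set."""
import base64
import re

# The reporter's hypothesis: a per-site entry in SiteSecurityServiceState.txt
# is capped at 1024 bytes. Assumption from the bug report, not a value taken
# from the Firefox source.
HYPOTHESISED_ENTRY_LIMIT = 1024

# Per-pin size used by the reporter: 44 base64 characters for a SHA-256
# digest plus one separator byte when the pins are written out.
BYTES_PER_PIN = 45

# Matches one pin-sha256="..." directive (directive names are case-insensitive).
_PIN_RE = re.compile(r'pin-sha256="([^"]+)"', re.IGNORECASE)


def parse_hpkp(header):
    """Split a header value into (pins, max_age, include_subdomains, report_uri)."""
    pins = []
    max_age = None
    include_subdomains = False
    report_uri = None
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        m = _PIN_RE.fullmatch(directive)
        if m:
            pins.append(m.group(1))
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "report-uri":
            report_uri = value
    return pins, max_age, include_subdomains, report_uri


def is_valid_sha256_pin(pin):
    """A pin-sha256 value must be strict base64 that decodes to exactly 32 bytes."""
    try:
        raw = base64.b64decode(pin, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return len(raw) == 32


def estimated_pin_bytes(pins):
    """Serialized size of the pin list under the reporter's 45-bytes-per-pin figure."""
    return len(pins) * BYTES_PER_PIN


def exceeds_hypothesised_limit(pins):
    """True when the pin list alone would not fit in the hypothesised 1024-byte entry."""
    return estimated_pin_bytes(pins) > HYPOTHESISED_ENTRY_LIMIT


def make_test_pins(n):
    """Constructed pins: base64 of deterministic 32-byte strings, not real key hashes."""
    return [base64.b64encode(bytes([i % 256]) * 32).decode("ascii") for i in range(n)]


def build_header(pins, max_age=5184000, include_subdomains=False, report_uri=None):
    """Assemble a Public-Key-Pins header value from its parts (constructed sample)."""
    parts = [f'pin-sha256="{p}"' for p in pins] + [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append(f'report-uri="{report_uri}"')
    return "; ".join(parts)


if __name__ == "__main__":
    for count in (22, 23):
        pins = make_test_pins(count)
        header = build_header(pins, report_uri="https://example.invalid/hpkp-report")
        parsed_pins = parse_hpkp(header)[0]
        print(count, "pins ->", estimated_pin_bytes(parsed_pins), "bytes;",
              "exceeds limit" if exceeds_hypothesised_limit(parsed_pins) else "fits")
```

Running the block prints the two boundary cases from the report: 22 pins estimate to 990 bytes and fit, 23 pins estimate to 1035 bytes and exceed the hypothesised limit whether or not report-uri is present, since only the pin-sha256 directives are counted.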
Component: Untriaged → Security: PSM
Thanks. We have bug 1190127 for this.
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1190127