Closed Bug 1395957 Opened 3 years ago Closed 3 years ago
Public-Key-Pins cannot be noted if the pinned keys exceed 1024 bytes
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Build ID: 20170826053331 Steps to reproduce: (Tested on firefox 55.0.3 64-bit on Arch Linux) Go to a website that sets a Public-Key-Pins header with more than 22 (sha256) pinned keys (e.g. my site c4k3.net). I tested it by gradually reducing the length of the header. When it lists 22 pinned keys, the HPKP info is updated correctly and no error appears, but at 23 pinned keys the info is not updated and the error appear. It does not appear to be related to the total length of the header, as the error still appears with 23 pinned keys but the report-uri directive removed. I would guess the underlying issue is that the entry in SiteSecurityServiceState.txt is limited to 1024 bytes. In base64, a sha256 sum is 45 bytes, 22 * 45 = 990, 23 * 45 = 1035. Actual results: If there is already a HPKP entry for that site in SiteSecurityServiceState.txt, they remain unchanged even if the header defines new keys. If there is no HPKP entry for the site, nothing happens. No matter what, in the web console, the error "Public-Key-Pins: An error occurred noting the site as a Public-Key-Pins host.[Learn More]" appears. Expected results: The HPKP entry for the site should have updated.
Thanks. We have bug 1190127 for this.
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1190127
You need to log in before you can comment on or make changes to this bug.