SecurityEngineering/Public Key Pinning/Implementation Details: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
| Line 26: | Line 26: | ||
| (See anything involving "chainValidation".) | | (See anything involving "chainValidation".) | ||
|} | |} | ||
=== What to do when Firefox's root certs change === | |||
* Look at http://mxr.mozilla.org/mozilla-central/source/security/manager/tools/PreloadedHPKPins.json | |||
to see if the root is pinned by anyone. | |||
* If the root is in use, file a Bugzilla bug (Product Core, Component Security:PSM) to request that the pinning list | |||
be regenerated and that the corresponding site operators be notified when the root change is checked in (linking back to my root change | |||
request bug). | |||
=== Something is Broken, and we Think it's Pinning === | === Something is Broken, and we Think it's Pinning === | ||
TODO | TODO | ||
Revision as of 18:12, 28 August 2014
Public Key Pinning Implementation Cheat Sheet
This page attempts to document the implementation of HTTP Public Key Pinning (HPKP) in Firefox. Currently the implementation is limited to a set of preloaded pins that ships with the browser. This set of pins is generated partially from data provided by Mozilla and partially from data provided by Google's Chromium project.
Important Files
| security/manager/boot/src/StaticHPKPins.h | The built-in preload list. |
| security/manager/boot/src/StaticHPKPins.errors | A log of debugging information from the last time the preload list was generated. |
| security/manager/tools/genHPKPStaticPins.js | Generates the preload list. |
| security/manager/tools/PreloadedHPKPins.json | Mozilla-specific information used when generating the preload list. |
| security/manager/boot/src/PublicKeyPinningService.cpp | The core of the HPKP implementation. |
| security/certverifier/NSSCertDBTrustDomain.cpp | NSSCertDBTrustDomain::IsChainValid is where certificate verification (indirectly) calls into the PublicKeyPinningService. |
| security/certverifier/CertVerifier.cpp | (See anything involving "chainValidation".) |
What to do when Firefox's root certs change
to see if the root is pinned by anyone.
- If the root is in use, file a Bugzilla bug (Product Core, Component Security:PSM) to request that the pinning list
be regenerated and that the corresponding site operators be notified when the root change is checked in (linking back to my root change request bug).
Something is Broken, and we Think it's Pinning
TODO