SecurityEngineering/Public Key Pinning/Implementation Details: Difference between revisions
Jump to navigation
Jump to search
(Created page with "== Public Key Pinning Implementation Cheat Sheet == This page attempts to document the implementation of HTTP Public Key Pinning (HPKP) in Firefox. Currently the implementatio...") |
|||
| Line 3: | Line 3: | ||
=== Important Files === | === Important Files === | ||
{| | |||
|- | |||
| [https://mxr.mozilla.org/mozilla-central/source/security/manager/boot/src/StaticHPKPins.h security/manager/boot/src/StaticHPKPins.h] | |||
| The built-in preload list. | |||
|- | |||
| [https://mxr.mozilla.org/mozilla-central/source/security/manager/boot/src/StaticHPKPins.errors security/manager/boot/src/StaticHPKPins.errors] | |||
| A log of debugging information from the last time the preload list was generated. | |||
|- | |||
| [https://mxr.mozilla.org/mozilla-central/source/security/manager/tools/genHPKPStaticPins.js security/manager/tools/genHPKPStaticPins.js] | |||
| Generates the preload list. | |||
|- | |||
| [https://mxr.mozilla.org/mozilla-central/source/security/manager/tools/PreloadedHPKPins.json security/manager/tools/PreloadedHPKPins.json] | |||
| Mozilla-specific information used when generating the preload list. | |||
|- | |||
| [https://mxr.mozilla.org/mozilla-central/source/security/manager/boot/src/PublicKeyPinningService.cpp security/manager/boot/src/PublicKeyPinningService.cpp] | |||
| The core of the HPKP implementation. | |||
|- | |||
| [https://mxr.mozilla.org/mozilla-central/source/security/certverifier/NSSCertDBTrustDomain.cpp security/certverifier/NSSCertDBTrustDomain.cpp] | |||
| NSSCertDBTrustDomain::IsChainValid is where certificate verification (indirectly) calls into the PublicKeyPinningService. | |||
|- | |||
| [https://mxr.mozilla.org/mozilla-central/source/security/certverifier/CertVerifier.cpp security/certverifier/CertVerifier.cpp] | |||
| (See anything involving "chainValidation".) | |||
|} | |||
=== Something is Broken, and we Think it's Pinning === | === Something is Broken, and we Think it's Pinning === | ||
TODO | TODO | ||
Revision as of 23:33, 18 July 2014
Public Key Pinning Implementation Cheat Sheet
This page attempts to document the implementation of HTTP Public Key Pinning (HPKP) in Firefox. Currently the implementation is limited to a set of preloaded pins that ships with the browser. This set of pins is generated partially from data provided by Mozilla and partially from data provided by Google's Chromium project.
Important Files
| security/manager/boot/src/StaticHPKPins.h | The built-in preload list. |
| security/manager/boot/src/StaticHPKPins.errors | A log of debugging information from the last time the preload list was generated. |
| security/manager/tools/genHPKPStaticPins.js | Generates the preload list. |
| security/manager/tools/PreloadedHPKPins.json | Mozilla-specific information used when generating the preload list. |
| security/manager/boot/src/PublicKeyPinningService.cpp | The core of the HPKP implementation. |
| security/certverifier/NSSCertDBTrustDomain.cpp | NSSCertDBTrustDomain::IsChainValid is where certificate verification (indirectly) calls into the PublicKeyPinningService. |
| security/certverifier/CertVerifier.cpp | (See anything involving "chainValidation".) |
Something is Broken, and we Think it's Pinning
TODO