The Tor Browser / annotate

security/manager/tools/genHPKPStaticPins.js@141e0f1194b1 (annotated)

security/manager/tools/genHPKPStaticPins.js

Wed, 31 Dec 2014 07:16:47 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Wed, 31 Dec 2014 07:16:47 +0100
branch
TOR_BUG_9701
changeset 3
141e0f1194b1
permissions
-rw-r--r--

Revert simplistic fix pending revisit of Mozilla integration attempt.

michael@0 1 /* This Source Code Form is subject to the terms of the Mozilla Public
michael@0 2 * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0 4
michael@0 5 // How to run this file:
michael@0 6 // 1. [obtain firefox source code]
michael@0 7 // 2. [build/obtain firefox binaries]
michael@0 8 // 3. run `[path to]/run-mozilla.sh [path to]/xpcshell \
michael@0 9 // [path to]/genHPKPStaticpins.js \
michael@0 10 // [absolute path to]/PreloadedHPKPins.json \
michael@0 11 // [absolute path to]/default-ee.der \
michael@0 12 // [absolute path to]/StaticHPKPins.h
michael@0 13
michael@0 14 if (arguments.length != 3) {
michael@0 15 throw "Usage: genHPKPStaticPins.js " +
michael@0 16 "<absolute path to PreloadedHPKPins.json> " +
michael@0 17 "<absolute path to default-ee.der> " +
michael@0 18 "<absolute path to StaticHPKPins.h>";
michael@0 19 }
michael@0 20
michael@0 21 const { 'classes': Cc, 'interfaces': Ci, 'utils': Cu, 'results': Cr } = Components;
michael@0 22
michael@0 23 let { NetUtil } = Cu.import("resource://gre/modules/NetUtil.jsm", {});
michael@0 24 let { FileUtils } = Cu.import("resource://gre/modules/FileUtils.jsm", {});
michael@0 25 let { Services } = Cu.import("resource://gre/modules/Services.jsm", {});
michael@0 26
michael@0 27 let gCertDB = Cc["@mozilla.org/security/x509certdb;1"]
michael@0 28 .getService(Ci.nsIX509CertDB);
michael@0 29
michael@0 30 const BUILT_IN_NICK_PREFIX = "Builtin Object Token:";
michael@0 31 const SHA1_PREFIX = "sha1/";
michael@0 32 const SHA256_PREFIX = "sha256/";
michael@0 33 const GOOGLE_PIN_PREFIX = "GOOGLE_PIN_";
michael@0 34
michael@0 35 // Pins expire in 14 weeks (6 weeks on Beta + 8 weeks on stable)
michael@0 36 const PINNING_MINIMUM_REQUIRED_MAX_AGE = 60 * 60 * 24 * 7 * 14;
michael@0 37
michael@0 38 const FILE_HEADER = "/* This Source Code Form is subject to the terms of the Mozilla Public\n" +
michael@0 39 " * License, v. 2.0. If a copy of the MPL was not distributed with this\n" +
michael@0 40 " * file, You can obtain one at http://mozilla.org/MPL/2.0/. */\n" +
michael@0 41 "\n" +
michael@0 42 "/*****************************************************************************/\n" +
michael@0 43 "/* This is an automatically generated file. If you're not */\n" +
michael@0 44 "/* PublicKeyPinningService.cpp, you shouldn't be #including it. */\n" +
michael@0 45 "/*****************************************************************************/\n" +
michael@0 46 "#include <stdint.h>" +
michael@0 47 "\n";
michael@0 48
michael@0 49 const DOMAINHEADER = "/* Domainlist */\n" +
michael@0 50 "struct TransportSecurityPreload {\n" +
michael@0 51 " const char* mHost;\n" +
michael@0 52 " const bool mIncludeSubdomains;\n" +
michael@0 53 " const bool mTestMode;\n" +
michael@0 54 " const bool mIsMoz;\n" +
michael@0 55 " const int32_t mId;\n" +
michael@0 56 " const StaticPinset *pinset;\n" +
michael@0 57 "};\n\n";
michael@0 58
michael@0 59 const PINSETDEF = "/* Pinsets are each an ordered list by the actual value of the fingerprint */\n" +
michael@0 60 "struct StaticFingerprints {\n" +
michael@0 61 " const size_t size;\n" +
michael@0 62 " const char* const* data;\n" +
michael@0 63 "};\n\n" +
michael@0 64 "struct StaticPinset {\n" +
michael@0 65 " const StaticFingerprints* sha1;\n" +
michael@0 66 " const StaticFingerprints* sha256;\n" +
michael@0 67 "};\n\n";
michael@0 68
michael@0 69 // Command-line arguments
michael@0 70 var gStaticPins = parseJson(arguments[0]);
michael@0 71 var gTestCertFile = arguments[1];
michael@0 72
michael@0 73 // Open the output file.
michael@0 74 let file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsILocalFile);
michael@0 75 file.initWithPath(arguments[2]);
michael@0 76 let gFileOutputStream = FileUtils.openSafeFileOutputStream(file);
michael@0 77
michael@0 78 function writeString(string) {
michael@0 79 gFileOutputStream.write(string, string.length);
michael@0 80 }
michael@0 81
michael@0 82 function readFileToString(filename) {
michael@0 83 let file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsILocalFile);
michael@0 84 file.initWithPath(filename);
michael@0 85 let stream = Cc["@mozilla.org/network/file-input-stream;1"]
michael@0 86 .createInstance(Ci.nsIFileInputStream);
michael@0 87 stream.init(file, -1, 0, 0);
michael@0 88 let buf = NetUtil.readInputStreamToString(stream, stream.available());
michael@0 89 return buf;
michael@0 90 }
michael@0 91
michael@0 92 function stripComments(buf) {
michael@0 93 var lines = buf.split("\n");
michael@0 94 let entryRegex = /^\s*\/\//;
michael@0 95 let data = "";
michael@0 96 for (let i = 0; i < lines.length; ++i) {
michael@0 97 let match = entryRegex.exec(lines[i]);
michael@0 98 if (!match) {
michael@0 99 data = data + lines[i];
michael@0 100 }
michael@0 101 }
michael@0 102 return data;
michael@0 103 }
michael@0 104
michael@0 105 function isBuiltinToken(tokenName) {
michael@0 106 return tokenName == "Builtin Object Token";
michael@0 107 }
michael@0 108
michael@0 109 function isCertBuiltIn(cert) {
michael@0 110 let tokenNames = cert.getAllTokenNames({});
michael@0 111 if (!tokenNames) {
michael@0 112 return false;
michael@0 113 }
michael@0 114 if (tokenNames.some(isBuiltinToken)) {
michael@0 115 return true;
michael@0 116 }
michael@0 117 return false;
michael@0 118 }
michael@0 119
michael@0 120 function download(filename) {
michael@0 121 var req = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"]
michael@0 122 .createInstance(Ci.nsIXMLHttpRequest);
michael@0 123 req.open("GET", filename, false); // doing the request synchronously
michael@0 124 try {
michael@0 125 req.send();
michael@0 126 }
michael@0 127 catch (e) {
michael@0 128 throw "ERROR: problem downloading '" + filename + "': " + e;
michael@0 129 }
michael@0 130
michael@0 131 if (req.status != 200) {
michael@0 132 throw("ERROR: problem downloading '" + filename + "': status " +
michael@0 133 req.status);
michael@0 134 }
michael@0 135 return req.responseText;
michael@0 136 }
michael@0 137
michael@0 138 function downloadAsJson(filename) {
michael@0 139 // we have to filter out '//' comments
michael@0 140 var result = download(filename).replace(/\/\/[^\n]*\n/g, "");
michael@0 141 var data = null;
michael@0 142 try {
michael@0 143 data = JSON.parse(result);
michael@0 144 }
michael@0 145 catch (e) {
michael@0 146 throw "ERROR: could not parse data from '" + filename + "': " + e;
michael@0 147 }
michael@0 148 return data;
michael@0 149 }
michael@0 150
michael@0 151 // Returns a Subject Public Key Digest from the given pem, if it exists.
michael@0 152 function getSKDFromPem(pem) {
michael@0 153 let cert = gCertDB.constructX509FromBase64(pem, pem.length);
michael@0 154 return cert.sha256SubjectPublicKeyInfoDigest;
michael@0 155 }
michael@0 156
michael@0 157 // Downloads the static certs file and tries to map Google Chrome nicknames
michael@0 158 // to Mozilla nicknames, as well as storing any hashes for pins for which we
michael@0 159 // don't have root PEMs. Each entry consists of a line containing the name of
michael@0 160 // the pin followed either by a hash in the format "sha1/" + base64(hash), or
michael@0 161 // a PEM encoded certificate. For certificates that we have in our database,
michael@0 162 // return a map of Google's nickname to ours. For ones that aren't return a
michael@0 163 // map of Google's nickname to sha1 values. This code is modeled after agl's
michael@0 164 // https://github.com/agl/transport-security-state-generate, which doesn't
michael@0 165 // live in the Chromium repo because go is not an official language in
michael@0 166 // Chromium.
michael@0 167 // For all of the entries in this file:
michael@0 168 // - If the entry has a hash format, find the Mozilla pin name (cert nickname)
michael@0 169 // and stick the hash into certSKDToName
michael@0 170 // - If the entry has a PEM format, parse the PEM, find the Mozilla pin name
michael@0 171 // and stick the hash in certSKDToName
michael@0 172 // We MUST be able to find a corresponding cert nickname for the Chrome names,
michael@0 173 // otherwise we skip all pinsets referring to that Chrome name.
michael@0 174 function downloadAndParseChromeCerts(filename, certSKDToName) {
michael@0 175 // Prefixes that we care about.
michael@0 176 const BEGIN_CERT = "-----BEGIN CERTIFICATE-----";
michael@0 177 const END_CERT = "-----END CERTIFICATE-----";
michael@0 178
michael@0 179 // Parsing states.
michael@0 180 const PRE_NAME = 0;
michael@0 181 const POST_NAME = 1;
michael@0 182 const IN_CERT = 2;
michael@0 183 let state = PRE_NAME;
michael@0 184
michael@0 185 let lines = download(filename).split("\n");
michael@0 186 let name = "";
michael@0 187 let pemCert = "";
michael@0 188 let hash = "";
michael@0 189 let chromeNameToHash = {};
michael@0 190 let chromeNameToMozName = {}
michael@0 191 for (let i = 0; i < lines.length; ++i) {
michael@0 192 let line = lines[i];
michael@0 193 // Skip comments and newlines.
michael@0 194 if (line.length == 0 || line[0] == '#') {
michael@0 195 continue;
michael@0 196 }
michael@0 197 switch(state) {
michael@0 198 case PRE_NAME:
michael@0 199 chromeName = line;
michael@0 200 state = POST_NAME;
michael@0 201 break;
michael@0 202 case POST_NAME:
michael@0 203 if (line.startsWith(SHA1_PREFIX) ||
michael@0 204 line.startsWith(SHA256_PREFIX)) {
michael@0 205 if (line.startsWith(SHA1_PREFIX)) {
michael@0 206 hash = line.substring(SHA1_PREFIX.length);
michael@0 207 } else if (line.startsWith(SHA256_PREFIX)) {
michael@0 208 hash = line.substring(SHA256_PREFIX);
michael@0 209 }
michael@0 210 // Store the entire prefixed hash, so we can disambiguate sha1 from
michael@0 211 // sha256 later.
michael@0 212 chromeNameToHash[chromeName] = line;
michael@0 213 certNameToSKD[chromeName] = hash;
michael@0 214 certSKDToName[hash] = chromeName;
michael@0 215 state = PRE_NAME;
michael@0 216 } else if (line.startsWith(BEGIN_CERT)) {
michael@0 217 state = IN_CERT;
michael@0 218 } else {
michael@0 219 throw "ERROR: couldn't parse Chrome certificate file " + line;
michael@0 220 }
michael@0 221 break;
michael@0 222 case IN_CERT:
michael@0 223 if (line.startsWith(END_CERT)) {
michael@0 224 state = PRE_NAME;
michael@0 225 hash = getSKDFromPem(pemCert);
michael@0 226 pemCert = "";
michael@0 227 if (hash in certSKDToName) {
michael@0 228 mozName = certSKDToName[hash];
michael@0 229 } else {
michael@0 230 // Not one of our built-in certs. Prefix the name with
michael@0 231 // GOOGLE_PIN_.
michael@0 232 mozName = GOOGLE_PIN_PREFIX + chromeName;
michael@0 233 dump("Can't find hash in builtin certs for Chrome nickname " +
michael@0 234 chromeName + ", inserting " + mozName + "\n");
michael@0 235 certSKDToName[hash] = mozName;
michael@0 236 certNameToSKD[mozName] = hash;
michael@0 237 }
michael@0 238 chromeNameToMozName[chromeName] = mozName;
michael@0 239 } else {
michael@0 240 pemCert += line;
michael@0 241 }
michael@0 242 break;
michael@0 243 default:
michael@0 244 throw "ERROR: couldn't parse Chrome certificate file " + line;
michael@0 245 }
michael@0 246 }
michael@0 247 return [ chromeNameToHash, chromeNameToMozName ];
michael@0 248 }
michael@0 249
michael@0 250 // We can only import pinsets from chrome if for every name in the pinset:
michael@0 251 // - We have a hash from Chrome's static certificate file
michael@0 252 // - We have a builtin cert
michael@0 253 // If the pinset meets these requirements, we store a map array of pinset
michael@0 254 // objects:
michael@0 255 // {
michael@0 256 // pinset_name : {
michael@0 257 // // Array of names with entries in certNameToSKD
michael@0 258 // sha1_hashes: [],
michael@0 259 // sha256_hashes: []
michael@0 260 // }
michael@0 261 // }
michael@0 262 // and an array of imported pinset entries:
michael@0 263 // { name: string, include_subdomains: boolean, test_mode: boolean,
michael@0 264 // pins: pinset_name }
michael@0 265 function downloadAndParseChromePins(filename,
michael@0 266 chromeNameToHash,
michael@0 267 chromeNameToMozName,
michael@0 268 certNameToSKD,
michael@0 269 certSKDToName) {
michael@0 270 let chromePreloads = downloadAsJson(filename);
michael@0 271 let chromePins = chromePreloads.pinsets;
michael@0 272 let chromeImportedPinsets = {};
michael@0 273 let chromeImportedEntries = [];
michael@0 274
michael@0 275 chromePins.forEach(function(pin) {
michael@0 276 let valid = true;
michael@0 277 let pinset = { name: pin.name, sha1_hashes: [], sha256_hashes: [] };
michael@0 278 // Translate the Chrome pinset format to ours
michael@0 279 pin.static_spki_hashes.forEach(function(name) {
michael@0 280 if (name in chromeNameToHash) {
michael@0 281 let hash = chromeNameToHash[name];
michael@0 282 if (hash.startsWith(SHA1_PREFIX)) {
michael@0 283 hash = hash.substring(SHA1_PREFIX.length);
michael@0 284 pinset.sha1_hashes.push(certSKDToName[hash]);
michael@0 285 } else if (hash.startsWith(SHA256_PREFIX)) {
michael@0 286 hash = hash.substring(SHA256_PREFIX.length);
michael@0 287 pinset.sha256_hashes.push(certSKDToName[hash]);
michael@0 288 } else {
michael@0 289 throw("Unsupported hash type: " + chromeNameToHash[name]);
michael@0 290 }
michael@0 291 // We should have already added hashes for all of these when we
michael@0 292 // imported the certificate file.
michael@0 293 if (!certNameToSKD[name]) {
michael@0 294 throw("No hash for name: " + name);
michael@0 295 }
michael@0 296 } else if (name in chromeNameToMozName) {
michael@0 297 pinset.sha256_hashes.push(chromeNameToMozName[name]);
michael@0 298 } else {
michael@0 299 dump("Skipping Chrome pinset " + pinset.name + ", couldn't find " +
michael@0 300 "builtin " + name + " from cert file\n");
michael@0 301 valid = false;
michael@0 302 }
michael@0 303 });
michael@0 304 if (valid) {
michael@0 305 chromeImportedPinsets[pinset.name] = pinset;
michael@0 306 }
michael@0 307 });
michael@0 308
michael@0 309 // Grab the domain entry lists. Chrome's entry format is similar to
michael@0 310 // ours, except theirs includes a HSTS mode.
michael@0 311 const cData = gStaticPins.chromium_data;
michael@0 312 let entries = chromePreloads.entries;
michael@0 313 entries.forEach(function(entry) {
michael@0 314 let pinsetName = cData.substitute_pinsets[entry.pins];
michael@0 315 if (!pinsetName) {
michael@0 316 pinsetName = entry.pins;
michael@0 317 }
michael@0 318 let isProductionDomain =
michael@0 319 (cData.production_domains.indexOf(entry.name) != -1);
michael@0 320 let isProductionPinset =
michael@0 321 (cData.production_pinsets.indexOf(pinsetName) != -1);
michael@0 322 let excludeDomain =
michael@0 323 (cData.exclude_domains.indexOf(entry.name) != -1);
michael@0 324 let isTestMode = !isProductionPinset && !isProductionDomain;
michael@0 325 if (entry.pins && !excludeDomain && chromeImportedPinsets[entry.pins]) {
michael@0 326 chromeImportedEntries.push({
michael@0 327 name: entry.name,
michael@0 328 include_subdomains: entry.include_subdomains,
michael@0 329 test_mode: isTestMode,
michael@0 330 is_moz: false,
michael@0 331 pins: pinsetName });
michael@0 332 }
michael@0 333 });
michael@0 334 return [ chromeImportedPinsets, chromeImportedEntries ];
michael@0 335 }
michael@0 336
michael@0 337 // Returns a pair of maps [certNameToSKD, certSKDToName] between cert
michael@0 338 // nicknames and digests of the SPKInfo for the mozilla trust store
michael@0 339 function loadNSSCertinfo(derTestFile, extraCertificates) {
michael@0 340 let allCerts = gCertDB.getCerts();
michael@0 341 let enumerator = allCerts.getEnumerator();
michael@0 342 let certNameToSKD = {};
michael@0 343 let certSKDToName = {};
michael@0 344 while (enumerator.hasMoreElements()) {
michael@0 345 let cert = enumerator.getNext().QueryInterface(Ci.nsIX509Cert);
michael@0 346 if (!isCertBuiltIn(cert)) {
michael@0 347 continue;
michael@0 348 }
michael@0 349 let name = cert.nickname.substr(BUILT_IN_NICK_PREFIX.length);
michael@0 350 let SKD = cert.sha256SubjectPublicKeyInfoDigest;
michael@0 351 certNameToSKD[name] = SKD;
michael@0 352 certSKDToName[SKD] = name;
michael@0 353 }
michael@0 354
michael@0 355 for (let cert of extraCertificates) {
michael@0 356 let name = cert.commonName;
michael@0 357 let SKD = cert.sha256SubjectPublicKeyInfoDigest;
michael@0 358 certNameToSKD[name] = SKD;
michael@0 359 certSKDToName[SKD] = name;
michael@0 360 }
michael@0 361
michael@0 362 {
michael@0 363 // A certificate for *.example.com.
michael@0 364 let der = readFileToString(derTestFile);
michael@0 365 let testCert = gCertDB.constructX509(der, der.length);
michael@0 366 // We can't include this cert in the previous loop, because it skips
michael@0 367 // non-builtin certs and the nickname is not built-in to the cert.
michael@0 368 let name = "End Entity Test Cert";
michael@0 369 let SKD = testCert.sha256SubjectPublicKeyInfoDigest;
michael@0 370 certNameToSKD[name] = SKD;
michael@0 371 certSKDToName[SKD] = name;
michael@0 372 }
michael@0 373 return [certNameToSKD, certSKDToName];
michael@0 374 }
michael@0 375
michael@0 376 function parseJson(filename) {
michael@0 377 let json = stripComments(readFileToString(filename));
michael@0 378 return JSON.parse(json);
michael@0 379 }
michael@0 380
michael@0 381 function nameToAlias(certName) {
michael@0 382 // change the name to a string valid as a c identifier
michael@0 383 // remove non-ascii characters
michael@0 384 certName = certName.replace( /[^[:ascii:]]/g, "_");
michael@0 385 // replace non word characters
michael@0 386 certName = certName.replace(/[^A-Za-z0-9]/g ,"_");
michael@0 387
michael@0 388 return "k" + certName + "Fingerprint";
michael@0 389 }
michael@0 390
michael@0 391 function compareByName (a, b) {
michael@0 392 return a.name.localeCompare(b.name);
michael@0 393 }
michael@0 394
michael@0 395 function genExpirationTime() {
michael@0 396 let now = new Date();
michael@0 397 let nowMillis = now.getTime();
michael@0 398 let expirationMillis = nowMillis + (PINNING_MINIMUM_REQUIRED_MAX_AGE * 1000);
michael@0 399 let expirationMicros = expirationMillis * 1000;
michael@0 400 return "static const PRTime kPreloadPKPinsExpirationTime = INT64_C(" +
michael@0 401 expirationMicros +");\n";
michael@0 402 }
michael@0 403
michael@0 404 function writeFullPinset(certNameToSKD, certSKDToName, pinset) {
michael@0 405 // We aren't guaranteed to have sha1 hashes in our own imported pins.
michael@0 406 let prefix = "kPinset_" + pinset.name;
michael@0 407 let sha1Name = "nullptr";
michael@0 408 let sha256Name = "nullptr";
michael@0 409 if (pinset.sha1_hashes && pinset.sha1_hashes.length > 0) {
michael@0 410 writeFingerprints(certNameToSKD, certSKDToName, pinset.name,
michael@0 411 pinset.sha1_hashes, "sha1");
michael@0 412 sha1Name = "&" + prefix + "_sha1";
michael@0 413 }
michael@0 414 if (pinset.sha256_hashes && pinset.sha256_hashes.length > 0) {
michael@0 415 writeFingerprints(certNameToSKD, certSKDToName, pinset.name,
michael@0 416 pinset.sha256_hashes, "sha256");
michael@0 417 sha256Name = "&" + prefix + "_sha256";
michael@0 418 }
michael@0 419 writeString("static const StaticPinset " + prefix + " = {\n" +
michael@0 420 " " + sha1Name + ",\n " + sha256Name + "\n};\n\n");
michael@0 421 }
michael@0 422
michael@0 423 function writeFingerprints(certNameToSKD, certSKDToName, name, hashes, type) {
michael@0 424 let varPrefix = "kPinset_" + name + "_" + type;
michael@0 425 writeString("static const char* " + varPrefix + "_Data[] = {\n");
michael@0 426 let SKDList = [];
michael@0 427 for (let certName of hashes) {
michael@0 428 if (!(certName in certNameToSKD)) {
michael@0 429 throw "Can't find " + certName + " in certNameToSKD";
michael@0 430 }
michael@0 431 SKDList.push(certNameToSKD[certName]);
michael@0 432 }
michael@0 433 for (let skd of SKDList.sort()) {
michael@0 434 writeString(" " + nameToAlias(certSKDToName[skd]) + ",\n");
michael@0 435 }
michael@0 436 if (hashes.length == 0) {
michael@0 437 // ANSI C requires that an initialiser list be non-empty.
michael@0 438 writeString(" 0\n");
michael@0 439 }
michael@0 440 writeString("};\n");
michael@0 441 writeString("static const StaticFingerprints " + varPrefix + " = {\n " +
michael@0 442 "sizeof(" + varPrefix + "_Data) / sizeof(const char*),\n " + varPrefix +
michael@0 443 "_Data\n};\n\n");
michael@0 444 }
michael@0 445
michael@0 446 function writeEntry(entry) {
michael@0 447 let printVal = " { \"" + entry.name + "\",\ ";
michael@0 448 if (entry.include_subdomains) {
michael@0 449 printVal += "true, ";
michael@0 450 } else {
michael@0 451 printVal += "false, ";
michael@0 452 }
michael@0 453 // Default to test mode if not specified.
michael@0 454 let testMode = true;
michael@0 455 if (entry.hasOwnProperty("test_mode")) {
michael@0 456 testMode = entry.test_mode;
michael@0 457 }
michael@0 458 if (testMode) {
michael@0 459 printVal += "true, ";
michael@0 460 } else {
michael@0 461 printVal += "false, ";
michael@0 462 }
michael@0 463 if (entry.is_moz || (entry.pins == "mozilla")) {
michael@0 464 printVal += "true, ";
michael@0 465 } else {
michael@0 466 printVal += "false, ";
michael@0 467 }
michael@0 468 if (entry.id >= 256) {
michael@0 469 throw("Not enough buckets in histogram");
michael@0 470 }
michael@0 471 if (entry.id >= 0) {
michael@0 472 printVal += entry.id + ", ";
michael@0 473 } else {
michael@0 474 printVal += "-1, ";
michael@0 475 }
michael@0 476 printVal += "&kPinset_" + entry.pins;
michael@0 477 printVal += " },\n";
michael@0 478 writeString(printVal);
michael@0 479 }
michael@0 480
michael@0 481 function writeDomainList(chromeImportedEntries) {
michael@0 482 writeString("/* Sort hostnames for binary search. */\n");
michael@0 483 writeString("static const TransportSecurityPreload " +
michael@0 484 "kPublicKeyPinningPreloadList[] = {\n");
michael@0 485 let count = 0;
michael@0 486 let sortedEntries = gStaticPins.entries;
michael@0 487 sortedEntries.push.apply(sortedEntries, chromeImportedEntries);
michael@0 488 for (let entry of sortedEntries.sort(compareByName)) {
michael@0 489 count++;
michael@0 490 writeEntry(entry);
michael@0 491 }
michael@0 492 writeString("};\n");
michael@0 493
michael@0 494 writeString("\n// Pinning Preload List Length = " + count + ";\n");
michael@0 495 writeString("\nstatic const int32_t kUnknownId = -1;\n");
michael@0 496 }
michael@0 497
michael@0 498 function writeFile(certNameToSKD, certSKDToName,
michael@0 499 chromeImportedPinsets, chromeImportedEntries) {
michael@0 500 // Compute used pins from both Chrome's and our pinsets, so we can output
michael@0 501 // them later.
michael@0 502 usedFingerprints = {};
michael@0 503 gStaticPins.pinsets.forEach(function(pinset) {
michael@0 504 // We aren't guaranteed to have sha1_hashes in our own JSON.
michael@0 505 if (pinset.sha1_hashes) {
michael@0 506 pinset.sha1_hashes.forEach(function(name) {
michael@0 507 usedFingerprints[name] = true;
michael@0 508 });
michael@0 509 }
michael@0 510 if (pinset.sha256_hashes) {
michael@0 511 pinset.sha256_hashes.forEach(function(name) {
michael@0 512 usedFingerprints[name] = true;
michael@0 513 });
michael@0 514 }
michael@0 515 });
michael@0 516 for (let key in chromeImportedPinsets) {
michael@0 517 let pinset = chromeImportedPinsets[key];
michael@0 518 pinset.sha1_hashes.forEach(function(name) {
michael@0 519 usedFingerprints[name] = true;
michael@0 520 });
michael@0 521 pinset.sha256_hashes.forEach(function(name) {
michael@0 522 usedFingerprints[name] = true;
michael@0 523 });
michael@0 524 }
michael@0 525
michael@0 526 writeString(FILE_HEADER);
michael@0 527
michael@0 528 // Write actual fingerprints.
michael@0 529 Object.keys(usedFingerprints).sort().forEach(function(certName) {
michael@0 530 if (certName) {
michael@0 531 writeString("/* " + certName + " */\n");
michael@0 532 writeString("static const char " + nameToAlias(certName) + "[] =\n");
michael@0 533 writeString(" \"" + certNameToSKD[certName] + "\";\n");
michael@0 534 writeString("\n");
michael@0 535 }
michael@0 536 });
michael@0 537
michael@0 538 // Write the pinsets
michael@0 539 writeString(PINSETDEF);
michael@0 540 writeString("/* PreloadedHPKPins.json pinsets */\n");
michael@0 541 gStaticPins.pinsets.sort(compareByName).forEach(function(pinset) {
michael@0 542 writeFullPinset(certNameToSKD, certSKDToName, pinset);
michael@0 543 });
michael@0 544 writeString("/* Chrome static pinsets */\n");
michael@0 545 for (let key in chromeImportedPinsets) {
michael@0 546 writeFullPinset(certNameToSKD, certSKDToName, chromeImportedPinsets[key]);
michael@0 547 }
michael@0 548
michael@0 549 // Write the domainlist entries.
michael@0 550 writeString(DOMAINHEADER);
michael@0 551 writeDomainList(chromeImportedEntries);
michael@0 552 writeString("\n");
michael@0 553 writeString(genExpirationTime());
michael@0 554 }
michael@0 555
michael@0 556 function loadExtraCertificates(certStringList) {
michael@0 557 let constructedCerts = [];
michael@0 558 for (let certString of certStringList) {
michael@0 559 constructedCerts.push(gCertDB.constructX509FromBase64(certString));
michael@0 560 }
michael@0 561 return constructedCerts;
michael@0 562 }
michael@0 563
michael@0 564 let extraCertificates = loadExtraCertificates(gStaticPins.extra_certificates);
michael@0 565 let [ certNameToSKD, certSKDToName ] = loadNSSCertinfo(gTestCertFile,
michael@0 566 extraCertificates);
michael@0 567 let [ chromeNameToHash, chromeNameToMozName ] = downloadAndParseChromeCerts(
michael@0 568 gStaticPins.chromium_data.cert_file_url, certSKDToName);
michael@0 569 let [ chromeImportedPinsets, chromeImportedEntries ] =
michael@0 570 downloadAndParseChromePins(gStaticPins.chromium_data.json_file_url,
michael@0 571 chromeNameToHash, chromeNameToMozName, certNameToSKD, certSKDToName);
michael@0 572
michael@0 573 writeFile(certNameToSKD, certSKDToName, chromeImportedPinsets,
michael@0 574 chromeImportedEntries);
michael@0 575
michael@0 576 FileUtils.closeSafeFileOutputStream(gFileOutputStream);

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial