Opened 3 years ago

Last modified 9 months ago

#20149 assigned enhancement

Test that static public key pins are working

Reported by: gk Owned by: boklm
Priority: High Milestone:
Component: Applications/Quality Assurance and Testing Version:
Severity: Major Keywords: tbb-security, tls
Cc: brade, mcs Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

It might be smart to have a test for verifying that the static PKPs in Firefox are working. It seems to me we can use https://pinning-test.badssl.com for that.

This seems especially worthwhile as the pinning woes are not over with the switch to ESR 45.4.0 yet. See: https://bugzilla.mozilla.org/show_bug.cgi?id=1303127 for more details.

Child Tickets

Change History (6)

comment:1 Changed 3 years ago by gk

Owner: changed from cypherpunks to boklm
Status: newassigned

comment:2 Changed 3 years ago by gk

Type: defectenhancement

comment:3 Changed 3 years ago by boklm

In 59782207d2e5976d11226496f3dec57917cc5962 I added a test that checks that key pinning on https://pinning-test.badssl.com/ is working. We are checking that the page fails to load, and that the error pages has MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE as errorCode.

We are checking that it is working at the current date. I think I can add an other test on Linux that uses libfaketime to check that it also works at a date 2 or 3 months in the future.

comment:4 Changed 3 years ago by mcs

Cc: brade mcs added

comment:5 in reply to:  3 Changed 3 years ago by mcs

Replying to boklm:

In 59782207d2e5976d11226496f3dec57917cc5962 I added a test that checks that key pinning on https://pinning-test.badssl.com/ is working. We are checking that the page fails to load, and that the error pages has MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE as errorCode.

The above test looks OK to me.

We are checking that it is working at the current date. I think I can add an other test on Linux that uses libfaketime to check that it also works at a date 2 or 3 months in the future.

That seems like a good idea. Should we also check, as part of our build process, that the timestamp in security/manager/ssl/StaticHPKPins.h is reasonable? I guess that would be a redundant check, but it might still be a good idea.

comment:6 Changed 9 months ago by traumschule

Keywords: tls added
Note: See TracTickets for help on using tickets.