SecurityEngineering/Public Key Pinning/Implementation Details

From MozillaWiki
Jump to: navigation, search

Public Key Pinning Implementation Cheat Sheet

This page attempts to document the implementation of HTTP Public Key Pinning (HPKP) in Firefox. Currently the implementation is limited to a set of preloaded pins that ships with the browser. This set of pins is generated partially from data provided by Mozilla and partially from data provided by Google's Chromium project.

Important Files

security/manager/ssl/StaticHPKPins.h The built-in preload list.
security/manager/ssl/StaticHPKPins.errors A log of debugging information from the last time the preload list was generated.
security/manager/tools/genHPKPStaticPins.js Generates the preload list.
security/manager/tools/PreloadedHPKPins.json Mozilla-specific information used when generating the preload list.
security/manager/ssl/PublicKeyPinningService.cpp The core of the HPKP implementation.
security/certverifier/NSSCertDBTrustDomain.cpp NSSCertDBTrustDomain::IsChainValid is where certificate verification (indirectly) calls into the PublicKeyPinningService.
security/certverifier/CertVerifier.cpp (See anything involving "chainValidation".)

What to do when Firefox's root certs change

Something is Broken, and we Think it's Pinning