Skip to content

Commit

Permalink
Correctly documentation of Firefox client behavior
Browse files Browse the repository at this point in the history 
References:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1846866 ignores pref
- https://bugzilla.mozilla.org/show_bug.cgi?id=1267318 ignores notAfter
- https://bugzilla.mozilla.org/show_bug.cgi?id=1713628 ignores notBefore

"Only end-entity certs can potentially end up here." (in
ERROR_EXPIRED_CERTIFICATE / ERROR_NOT_YET_VALID_CERTIFICATE): verified
locally and also observed before in the armagadd-on-2.0 incident
(https://bugzilla.mozilla.org/show_bug.cgi?id=1548973); if expired
intermediates were accepted, then we would not have had the incident.
  • Loading branch information
@Rob--W
Rob--W committed Aug 3, 2023
1 parent 7bc7ab2 commit 1670d00
Show file tree
Hide file tree
Showing 2 changed files with 5 additions and 5 deletions.
7 changes: 2 additions & 5 deletions signer/contentsignaturepki/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -64,11 +64,8 @@ signature:
signature. In practice, this file usually contains three
certificates: the end-entity that issues the content signature, the
intermediate issuer and the root of the Firefox private PKI. Firefox
is configured to only accept signatures from the private PKI, as
controlled via the
`security.content.signature.root_hash` preference, where
the value is the hexadecimal of the sha256 of the DER of the root
certificate.
is configured to only accept signatures from the private PKI, which
is hard-coded in Firefox (https://bugzilla.mozilla.org/1846866).

When Firefox verifies a content signature, it first retrieves the X5U
and checks the signature validity using the end-entity certificate, the
Expand Down
3 changes: 3 additions & 0 deletions signer/xpi/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -271,8 +271,11 @@ graph LR
VerifyPK7Signature == Extract hash of SF signature file ==> VerifySignature
VerifySignature == Extract Signing Certificate ==> VerifyCertificate
VerifyCertificate == Get Trusted Root ==> BuildCertChain
%% NOTE: Only end-entity certs can potentially end up here. Intermediates/root do not.
BuildCertChain == ERROR_EXPIRED_CERTIFICATE ==> Success
BuildCertChain == ERROR_NOT_YET_VALID_CERTIFICATE ==> Success
Success --> VerifyPK7Signature
%% Expired intermediates/root will reach this state:
BuildCertChain == else ==> Error
Error --> VerifyPK7Signature
end
Expand Down

0 comments on commit 1670d00

Please sign in to comment.