From 1670d00df602f1fb150db633be0c8bb493009d59 Mon Sep 17 00:00:00 2001 From: Rob Wu Date: Thu, 3 Aug 2023 02:30:02 +0200 Subject: [PATCH] Correctly documentation of Firefox client behavior References: - https://bugzilla.mozilla.org/show_bug.cgi?id=1846866 ignores pref - https://bugzilla.mozilla.org/show_bug.cgi?id=1267318 ignores notAfter - https://bugzilla.mozilla.org/show_bug.cgi?id=1713628 ignores notBefore "Only end-entity certs can potentially end up here." (in ERROR_EXPIRED_CERTIFICATE / ERROR_NOT_YET_VALID_CERTIFICATE): verified locally and also observed before in the armagadd-on-2.0 incident (https://bugzilla.mozilla.org/show_bug.cgi?id=1548973); if expired intermediates were accepted, then we would not have had the incident. --- signer/contentsignaturepki/README.md | 7 ++----- signer/xpi/README.md | 3 +++ 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/signer/contentsignaturepki/README.md b/signer/contentsignaturepki/README.md index eb9dfdf7d..84e26d2c7 100644 --- a/signer/contentsignaturepki/README.md +++ b/signer/contentsignaturepki/README.md @@ -64,11 +64,8 @@ signature: signature. In practice, this file usually contains three certificates: the end-entity that issues the content signature, the intermediate issuer and the root of the Firefox private PKI. Firefox - is configured to only accept signatures from the private PKI, as - controlled via the - `security.content.signature.root_hash` preference, where - the value is the hexadecimal of the sha256 of the DER of the root - certificate. + is configured to only accept signatures from the private PKI, which + is hard-coded in Firefox (https://bugzilla.mozilla.org/1846866). When Firefox verifies a content signature, it first retrieves the X5U and checks the signature validity using the end-entity certificate, the diff --git a/signer/xpi/README.md b/signer/xpi/README.md index cb1c4e3af..d26340eed 100644 --- a/signer/xpi/README.md +++ b/signer/xpi/README.md 
@@ -271,8 +271,11 @@ graph LR VerifyPK7Signature == Extract hash of SF signature file ==> VerifySignature VerifySignature == Extract Signing Certificate ==> VerifyCertificate VerifyCertificate == Get Trusted Root ==> BuildCertChain +%% NOTE: Only end-entity certs can potentially end up here. Intermediates/root do not. BuildCertChain == ERROR_EXPIRED_CERTIFICATE ==> Success + BuildCertChain == ERROR_NOT_YET_VALID_CERTIFICATE ==> Success Success --> VerifyPK7Signature +%% Expired intermediates/root will reach this state: BuildCertChain == else ==> Error Error --> VerifyPK7Signature end
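Review bot: In the contentsignaturepki/README.md hunk, the replacement sentence drops all mention of `security.content.signature.root_hash` even though the commit message's point is that Firefox now ignores that preference; a reader who still finds the pref in about:config will assume it is authoritative. Suggest keeping the pref name and saying explicitly that it is no longer consulted, e.g. "is configured to only accept signatures from the private PKI, whose root is hard-coded in Firefox; the `security.content.signature.root_hash` preference is ignored (https://bugzilla.mozilla.org/show_bug.cgi?id=1846866)." That also makes clear to operators that rotating the content-signature root requires a Firefox release rather than a pref change. Minor: the bug link uses a short form while the commit message and the rest of the repository use the `show_bug.cgi?id=` form.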
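Review bot: In the xpi/README.md hunk, the two `%%` lines are Mermaid comments, so the security-relevant caveat "Only end-entity certs can potentially end up here" and "Expired intermediates/root will reach this state" are invisible in the rendered diagram; the added `BuildCertChain == ERROR_NOT_YET_VALID_CERTIFICATE ==> Success` edge then reads as if any not-yet-valid certificate is accepted. Suggest stating the behaviour in the prose next to the graph (expired or not-yet-valid end-entity certificates verify successfully; the validity window is enforced only for the intermediate and root, which fall through the `else` edge to Error) and citing the bugs the commit message already lists (1267318 for notAfter, 1713628 for notBefore) there, so readers can see the rationale without opening the diff. The second comment should also mention not-yet-valid intermediates, since the `else` branch covers both cases.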