summaryrefslogtreecommitdiffstats
path: root/security/manager/tools/dumpGoogleRoots.js
diff options
context:
space:
mode:
Diffstat (limited to 'security/manager/tools/dumpGoogleRoots.js')
-rw-r--r--security/manager/tools/dumpGoogleRoots.js108
1 files changed, 108 insertions, 0 deletions
diff --git a/security/manager/tools/dumpGoogleRoots.js b/security/manager/tools/dumpGoogleRoots.js
new file mode 100644
index 0000000000..464febacc5
--- /dev/null
+++ b/security/manager/tools/dumpGoogleRoots.js
@@ -0,0 +1,108 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// This file is a helper script that generates the list of certificates that
+// make up the preloaded pinset for Google properties.
+//
+// How to run this file:
+// 1. [obtain firefox source code]
+// 2. [build/obtain firefox binaries]
+// 3. run `[path to]/run-mozilla.sh [path to]/xpcshell dumpGoogleRoots.js'
+// 4. [paste the output into the appropriate section in
+// security/manager/tools/PreloadedHPKPins.json]
+
+Services.prefs.setBoolPref("network.process.enabled", false);
+
+function downloadRoots() {
+ let req = new XMLHttpRequest();
+ req.open("GET", "https://pki.google.com/roots.pem", false);
+ try {
+ req.send();
+ } catch (e) {
+ throw new Error("ERROR: problem downloading Google Root PEMs: " + e);
+ }
+
+ if (req.status != 200) {
+ throw new Error(
+ "ERROR: problem downloading Google Root PEMs. Status: " + req.status
+ );
+ }
+
+ let pem = req.responseText;
+ let roots = [];
+ let currentPEM = "";
+ let readingRoot = false;
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ for (let line of pem.split(/[\r\n]/)) {
+ if (line == "-----END CERTIFICATE-----") {
+ if (currentPEM) {
+ roots.push(certDB.constructX509FromBase64(currentPEM));
+ }
+ currentPEM = "";
+ readingRoot = false;
+ continue;
+ }
+ if (readingRoot) {
+ currentPEM += line;
+ }
+ if (line == "-----BEGIN CERTIFICATE-----") {
+ readingRoot = true;
+ }
+ }
+ return roots;
+}
+
+function makeFormattedNickname(cert, knownNicknames) {
+ if (cert.displayName in knownNicknames) {
+ return `"${cert.displayName}"`;
+ }
+ // Otherwise, this isn't a built-in and we have to comment it out.
+ return `// "${cert.displayName}"`;
+}
+
+function gatherKnownNicknames() {
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ let nicknames = {};
+ for (let cert of certDB.getCerts()) {
+ nicknames[cert.displayName] = true;
+ }
+ return nicknames;
+}
+
+var knownNicknames = gatherKnownNicknames();
+var roots = downloadRoots();
+var rootNicknames = [];
+for (var root of roots) {
+ rootNicknames.push(makeFormattedNickname(root, knownNicknames));
+}
+rootNicknames.sort(function (rootA, rootB) {
+ let rootALowercase = rootA.toLowerCase().replace(/(^[^"]*")|"/g, "");
+ let rootBLowercase = rootB.toLowerCase().replace(/(^[^"]*")|"/g, "");
+ if (rootALowercase < rootBLowercase) {
+ return -1;
+ }
+ if (rootALowercase > rootBLowercase) {
+ return 1;
+ }
+ return 0;
+});
+dump(" {\n");
+dump(' "name": "google_root_pems",\n');
+dump(' "sha256_hashes": [\n');
+var first = true;
+for (var nickname of rootNicknames) {
+ if (!first) {
+ dump(",\n");
+ }
+ first = false;
+ dump(" " + nickname);
+}
+dump("\n");
+dump(" ]\n");
+dump(" }\n");