-
Notifications
You must be signed in to change notification settings - Fork 5.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HTTP Public Key Pinning #3707
HTTP Public Key Pinning #3707
Conversation
I have signed and agree to the terms of the SpringSource Individual Contributor License Agreement. |
* @author Tim Ysewyn | ||
* @since 4.1 | ||
*/ | ||
public final class HpkpHeaderWriter implements HeaderWriter { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it would be valuable to provide example values for every javadoc argument.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not quite sure what you want here. I already added some examples on top of the class.
Do you mean we should provide an example outcome after executing each method?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@TYsewyn For example, you might include the following for setMaxAgeInSeconds
@param maxAgeInSeconds the maximum amount of time (in seconds) to regard the host
as a known pinned host. (i.e. TimeUnit.DAYS.toSeconds(30) would set this to 30 days)
You might provide information on setPins that explains the value of the map.
... original javadoc ...
To get a pin of
Public-Key-Pins:
pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=";
pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="
Map<String,String> pins = new HashMap<String,String>();
pins.put("LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=", "sha256");
pins.put("E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=", "sha256");
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it! By the end of the day (GMT+1 over here) you'll have the fixes!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@TYsewyn Since only sha256 pin is currently supported perhaps we should have a method that allows adding a (or a set of) sha256 pin(s)?
We might also provide details on how to calculate the hash (or a link to something rather permanent that describes how).
Thanks for the PR @TYsewyn :) Overall this looks very good! I have provided one comment inline. One additional item is listed below. If necessary we can likely divide some of this work into distinct tasks, but ultimately I think the feature will get a lot more use if we provide a few additional items (in order of preference):
What are your thoughts? Would you consider updating the PR with the additional items? |
I'll start working on it later today. Is the Java and XML configuration support located in the config module? Couldn't find it yesterday, but I'll probably have overlooked it.. |
I'm currently working on the XML configuration support and created a version for 4.1. |
@TYsewyn Awesome to hear! Yes please bump it up. |
Making the final changes as we speak.. Only need to run some tests en squash some commits :) |
I just noticed that I didn't wrote any test for the java configuration, woops.. Will fix that tomorrow! |
@TYsewyn Awesome news! I'm looking forward to the update with the tests! |
In the meantime, have some fun with the new XML config support ;) |
From what I can tell, I think this feature is complete and ready to be shipped with 4.1 @rwinch! :) |
@rwinch Did you already have the time to review this PR by any chance? :) |
@TYsewyn Sorry I haven't had time just yet. I've been busy getting Spring Session 1.1 released. Now I am working on Spring Security 4.0.4.RELEASE (out tomorrow). Then finally I will be getting to some PRs for Spring Security, Spring Session, and Spring LDAP. This means you should expect to hear from me by Monday. |
* | ||
* @param reportUri the URI where the browser should send the report to. | ||
*/ | ||
public HpkpConfig reportUri(URI reportUri) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Might be nice to support a String variant as well (this makes for a easier to read DSL)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we also overload .setReportUri(URI reportUri)
in HPKPHeaderWriter
then?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point. Yes
@TYsewyn Thanks again for this PR! I did a review of the code and the only things that need addressed are:
It is real late here, so I will likely want to take a look at this again first thing in the morning when I have a clear head. If you can get those changes in, then I think we can merge tomorrow :) Sorry again for the delays on the review and thanks for such an outstanding PR! |
* @param algorithm the cryptographic hash algorithm. | ||
* @throws IllegalArgumentException if algorithm or pin is null | ||
*/ | ||
public void addPin(String pin, String algorithm) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would go as far as to say we should change this method to addSha256Pins(String... pins) since the only currently supported pin is sha256 and the setPins method would provide more flexibility if they need additional pin types and we haven't had a chance to update.
@rwinch The changes are made as proposed. I also rebased the commits of this feature branch onto the master for easy merging ;-) |
.headers() | ||
.httpPublicKeyPinning() | ||
.includeSubdomains(true) | ||
.reportUri(new URI("http://example.net/pkp-report")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should perhaps update to use the new String method
If you are able, squashing your commits is appreciated too. If not, this is something I can do for you. |
HTTP Public Key Pinning (HPKP) is a security mechanism which allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates. (For example, sometimes attackers can compromise certificate authorities, and then can mis-issue certificates for a web origin.) The HTTPS web server serves a list of public key hashes, and on subsequent connections clients expect that server to use 1 or more of those public keys in its certificate chain. This commit will add this new functionality. Fixes gh-3706
@rwinch Can we close this PR since it is merged? |
@TYsewyn Yes thank you! |
HTTP Public Key Pinning (HPKP) is a security mechanism which allows HTTPS websites
to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates.
(For example, sometimes attackers can compromise certificate authorities,
and then can mis-issue certificates for a web origin.)
The HTTPS web server serves a list of public key hashes, and on subsequent connections
clients expect that server to use 1 or more of those public keys in its certificate chain.
This commit will add this new functionality.
Fixes gh-3706