Issue 595493

Starred by 2 users

Issue metadata

Status: Fixed
Owner: ----
Closed: Jun 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug

Blocked on:
issue 710841

Blocking:
issue 587954
issue 736188


Participants' hotlists:
HSTS-Preload


Move preload list conversion (JSON > header) into the build process

Project Member Reported by lgar...@chromium.org, Mar 16 2016

Issue description

Currently we use a script called transport_security_state_static_generate.go to convert the preload list from JSON [1] into a header file [2].

There are two important parts:
1) Convert the data into a Huffman tree.
2) Parse SPKIs from source data (certs and public keys) [3] to produce hashes.

I'd like to include at least #1 in the build process.

#2 is slower and more complicated, but the preloaded SPKIs change less than once per Chrome version on average – we can manually update a list of hashes in each CL (e.g. by including the hashes in the .certs file directly).


Benefits:
a) Easy to merge and cherry-pick changes onto different branches.
b) Allows sending logically separate changes (e.g. separated removals and additions) to the commit queue at the same time.
  - This allows the preload list maintainer to handle unrelated additions, changes, and removals in “one sitting” without having to create a unified CL or dependent CLs.
c) This avoids large CLs. Each preload list update currently takes up 500KB permanently on each developer's machine.

In fact, c) is now my biggest concern. I didn't think about this until I hit the default CL patch limit for per-file diffs [4], but I am trying to reduce the number of HSTS preload list changes until we can make sure that preload list updates don't result in large updates to the source code.



[1] https://github.com/agl/transport-security-state-generate
[2] https://chromium.googlesource.com/chromium/src/+blame/master/net/http/transport_security_state_static.json
[3] https://chromium.googlesource.com/chromium/src/+blame/master/net/http/transport_security_state_static.certs
[4] https://codereview.chromium.org/1765083003#msg9
 
This issue required me to commit https://codereview.chromium.org/2034843003
The commit is now associated with me for purely logistical issues (and there was no way to split it up, due to co-dependent code and data changes) - I don't like stealing credit. :-(
Components: Internals>Network>DomainSecurityPolicy
The M55 changes were merged to M54 in a regular process (Issue 655854), but I couldn't go through the commit queue and didn't think to run the unit tests.

This required a fix by asanka@ [1] and an M54 post-stable revert [2] that I still have to follow up on. More work for everyone, and some sites are broken for 6 extra weeks.

Also, the merge to M54 ran into trouble because I had to merge *two* CLs in order to use clean patches of existing commits. That is, I had to merge [3] in order to merge [4] in order to avoid running transport_security_state_generate in a custom git-drover checkout (with a hand-checkout of the pins file). See [5].

Post-mortem to follow.

We really need to find time to fix this issue, but I've sent an email to infra-dev@ asking if they could raise Rietveld upload limits so we could go through the commit queue until that happens.

[1] https://chromium.googlesource.com/chromium/src/+/c0f81dce2f86e7dd4f87d68a1fc8501e29db2aad
[2] https://codereview.chromium.org/2461313002
[3] https://chromium.googlesource.com/chromium/src/+/a098fb135e247b02b70b8a9628922456be7f9750
[4] https://chromium.googlesource.com/chromium/src/+/93786d31433b6c3513da5680dfe121c9b1aa5ef2
[5] https://bugs.chromium.org/p/chromium/issues/detail?id=655854#c8
Cc: mart...@martijnc.be
Martijn, I believe you expressed interest in this in a bug.
How serious were you about that, and do you have an idea of when you might realistically be done?

*in a doc comment
I'm still working on this. Yesterday I finished the code that generates the trie and the Huffman coding. The output is identical to the output of the current Go tool*.

The things remaining on my todo list for this:
  - Parse the certificates in the .pins file and calculate the SPKI SHA256 digests
  - Add the "pre-generation" checks the Go tool does (checks for double entries, ...)
  - Test, test, test
  - Cleanup the code

The biggest todo will be the certificate bits (I never worked with BoringSSL before). The other items should be pretty straightforward.

Unless the BoringSSL/certificate bits turn into a big problem, I estimate to have something up for review in ~2 weeks.

* if you patch these (https://github.com/chromium/hstspreload/pull/91) changes into your local copy first. This has to be done so that ordering is the same.
Okay, that sounds excellent!

I'd like to do what I can to help you finish this quickly, although I haven't worked with BoringSSL either. Anything else you need to know at this point?
(Do you know how to integrate the C++ "script" into the Chrome build process?)

Also, you closed (https://github.com/chromium/hstspreload/pull/91); should I reopen and merge?
Turns out the Chromium codebase is full of BoringSSL code "examples" :). I had a look at the other consumers and got the certificate/SPKI parsing working. The digests I get match those currently in the header file.

Not very familiar with the build system (yet) either but I'll look into that. I was planning to land the tool first and make it part of the build process in a follow up CL. It probably involves removing the blob from git resulting in a large CL which will upset Rietveld?

I created the pull request so I could link to those changes. You can reopen and merge it if you want but I'd like to add additional changes first. The other lists (kSPKIHash_*) are sorted (or not sorted) differently between both tools as well. Having everything in the same order will make testing and reviewing easier.
Summary: Move preload list conversion (JSON > header) into the build process (was: Move preload list conversion (JSON > data string) into the build process)
Project Member

Comment 10 by bugdroid1@chromium.org, Dec 13 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/09983e3dcc7573863a52ef827870613dde3cd83e

commit 09983e3dcc7573863a52ef827870613dde3cd83e
Author: Lucas Garron <lgarron@chromium.org>
Date: Tue Dec 13 22:35:06 2016

Add static domain security state generator tool.

This tool is a C++ port of the Go script [1] currently used to generate the
static (preloaded) domain security state
(net/http/transport_security_state_static.h) blob.

A follow up CL [2] integrates this script into the build process.

This script generates identical outputs as the Go script after merging [3]. The
only difference should be related to whitespace and comments.

You can run the script manually:
out/Default/domain_security_preload_generator net/http/transport_security_state_static.json net/http/transport_security_state_static.pins net/tools/domain_security_preload_generator/resources/transport_security_state_static.template /home/you/output.h -v

[1] https://github.com/chromium/hstspreload/blob/master/cmd/transport_security_state_static_generate/transport_security_state_static_generate.go
[2] https://codereview.chromium.org/2551943002
[3] https://github.com/chromium/hstspreload/pull/91

BUG= 595493 
R=agl@chromium.org, lgarron@chromium.org

Review-Url: https://codereview.chromium.org/2551153003 .
Cr-Commit-Position: refs/heads/master@{#438316}

[modify] https://crrev.com/09983e3dcc7573863a52ef827870613dde3cd83e/net/http/transport_security_state_static.h

Project Member

Comment 11 by bugdroid1@chromium.org, Dec 14 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b

commit 40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b
Author: martijn <martijn@martijnc.be>
Date: Wed Dec 14 00:26:45 2016

Add static domain security state generator tool.

This tool is a C++ port of the Go script [1] currently used to generate the
static (preloaded) domain security state
(net/http/transport_security_state_static.h) blob.

A follow up CL [2] integrates this tool into the build process.

This tool generates identical outputs as the Go script after merging [3]. The
only difference should be related to whitespace and comments.

You can run the tool manually:
out/Default/domain_security_preload_generator net/http/transport_security_state_static.json net/http/transport_security_state_static.pins net/tools/domain_security_preload_generator/resources/transport_security_state_static.template /home/you/output.h -v

[1] https://github.com/chromium/hstspreload/blob/master/cmd/transport_security_state_static_generate/transport_security_state_static_generate.go
[2] https://codereview.chromium.org/2551943002
[3] https://github.com/chromium/hstspreload/pull/91

BUG= 595493 
R=agl@chromium.org, lgarron@chromium.org

Committed: https://chromium.googlesource.com/chromium/src/+/09983e3dcc7573863a52ef827870613dde3cd83e
Review-Url: https://codereview.chromium.org/2551153003
Cr-Commit-Position: refs/heads/master@{#438358}

[modify] https://crrev.com/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b/net/BUILD.gn
[modify] https://crrev.com/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b/net/net.gypi
[add] https://crrev.com/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b/net/tools/domain_security_preload_generator/bit_writer.cc
[add] https://crrev.com/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b/net/tools/domain_security_preload_generator/bit_writer.h
[add] https://crrev.com/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b/net/tools/domain_security_preload_generator/cert_util.cc
[add] https://crrev.com/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b/net/tools/domain_security_preload_generator/cert_util.h
[add] https://crrev.com/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b/net/tools/domain_security_preload_generator/domain_security_entry.cc
[add] https://crrev.com/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b/net/tools/domain_security_preload_generator/domain_security_entry.h
[add] https://crrev.com/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b/net/tools/domain_security_preload_generator/domain_security_preload_generator.cc
[add] https://crrev.com/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b/net/tools/domain_security_preload_generator/huffman/huffman_frequency_tracker.cc
[add] https://crrev.com/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b/net/tools/domain_security_preload_generator/huffman/huffman_frequency_tracker.h
[add] https://crrev.com/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b/net/tools/domain_security_preload_generator/pinset.cc
[add] https://crrev.com/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b/net/tools/domain_security_preload_generator/pinset.h
[add] https://crrev.com/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b/net/tools/domain_security_preload_generator/pinsets.cc
[add] https://crrev.com/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b/net/tools/domain_security_preload_generator/pinsets.h
[add] https://crrev.com/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b/net/tools/domain_security_preload_generator/preloaded_state_generator.cc
[add] https://crrev.com/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b/net/tools/domain_security_preload_generator/preloaded_state_generator.h
[add] https://crrev.com/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b/net/tools/domain_security_preload_generator/resources/transport_security_state_static.template
[add] https://crrev.com/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b/net/tools/domain_security_preload_generator/spki_hash.cc
[add] https://crrev.com/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b/net/tools/domain_security_preload_generator/spki_hash.h
[add] https://crrev.com/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b/net/tools/domain_security_preload_generator/trie/trie_bit_buffer.cc
[add] https://crrev.com/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b/net/tools/domain_security_preload_generator/trie/trie_bit_buffer.h
[add] https://crrev.com/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b/net/tools/domain_security_preload_generator/trie/trie_writer.cc
[add] https://crrev.com/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b/net/tools/domain_security_preload_generator/trie/trie_writer.h

Project Member

Comment 12 by bugdroid1@chromium.org, Jan 25 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0827d0b947920ab29833389c2e5402f82a48bfec

commit 0827d0b947920ab29833389c2e5402f82a48bfec
Author: martijn <martijn@martijnc.be>
Date: Wed Jan 25 22:01:07 2017

Rename domain_security_preload_generator.

This CL renames the tool and some of its classes for clarity.

  - The tool is renamed to transport_security_state_generator because all
    related code is named similarly. The tool itself also already lives in
    the net::transport_security_state namespace.

  - HuffmanFrequencyTracker is renamed to HuffmanBuilder which covers
    the functionality in the class a lot better.

  - The DomainSecurityEntry class is renamed to TransportSecurityStateEntry
    in line with the rename of the tool. DomainSecurityEntries is similarly
    renamed to TransportSecurityStateEntries.

  - Adds a comment to the top of the generated file which informs the reader
    that the file is generated by this tool.

This CL only contains renames/moves and no behavioral changes.

BUG= 595493 

Review-Url: https://codereview.chromium.org/2632073002
Cr-Commit-Position: refs/heads/master@{#446135}

[modify] https://crrev.com/0827d0b947920ab29833389c2e5402f82a48bfec/net/BUILD.gn
[delete] https://crrev.com/cc933ae6d6a44d3827aae9d2009336f56e245190/net/tools/domain_security_preload_generator/domain_security_entry.cc
[delete] https://crrev.com/cc933ae6d6a44d3827aae9d2009336f56e245190/net/tools/domain_security_preload_generator/domain_security_entry.h
[rename] https://crrev.com/0827d0b947920ab29833389c2e5402f82a48bfec/net/tools/transport_security_state_generator/bit_writer.cc
[rename] https://crrev.com/0827d0b947920ab29833389c2e5402f82a48bfec/net/tools/transport_security_state_generator/bit_writer.h
[rename] https://crrev.com/0827d0b947920ab29833389c2e5402f82a48bfec/net/tools/transport_security_state_generator/cert_util.cc
[rename] https://crrev.com/0827d0b947920ab29833389c2e5402f82a48bfec/net/tools/transport_security_state_generator/cert_util.h
[rename] https://crrev.com/0827d0b947920ab29833389c2e5402f82a48bfec/net/tools/transport_security_state_generator/huffman/huffman_builder.cc
[rename] https://crrev.com/0827d0b947920ab29833389c2e5402f82a48bfec/net/tools/transport_security_state_generator/huffman/huffman_builder.h
[rename] https://crrev.com/0827d0b947920ab29833389c2e5402f82a48bfec/net/tools/transport_security_state_generator/pinset.cc
[rename] https://crrev.com/0827d0b947920ab29833389c2e5402f82a48bfec/net/tools/transport_security_state_generator/pinset.h
[rename] https://crrev.com/0827d0b947920ab29833389c2e5402f82a48bfec/net/tools/transport_security_state_generator/pinsets.cc
[rename] https://crrev.com/0827d0b947920ab29833389c2e5402f82a48bfec/net/tools/transport_security_state_generator/pinsets.h
[rename] https://crrev.com/0827d0b947920ab29833389c2e5402f82a48bfec/net/tools/transport_security_state_generator/preloaded_state_generator.cc
[rename] https://crrev.com/0827d0b947920ab29833389c2e5402f82a48bfec/net/tools/transport_security_state_generator/preloaded_state_generator.h
[rename] https://crrev.com/0827d0b947920ab29833389c2e5402f82a48bfec/net/tools/transport_security_state_generator/resources/transport_security_state_static.template
[rename] https://crrev.com/0827d0b947920ab29833389c2e5402f82a48bfec/net/tools/transport_security_state_generator/spki_hash.cc
[rename] https://crrev.com/0827d0b947920ab29833389c2e5402f82a48bfec/net/tools/transport_security_state_generator/spki_hash.h
[add] https://crrev.com/0827d0b947920ab29833389c2e5402f82a48bfec/net/tools/transport_security_state_generator/transport_security_state_entry.cc
[add] https://crrev.com/0827d0b947920ab29833389c2e5402f82a48bfec/net/tools/transport_security_state_generator/transport_security_state_entry.h
[rename] https://crrev.com/0827d0b947920ab29833389c2e5402f82a48bfec/net/tools/transport_security_state_generator/transport_security_state_generator.cc
[rename] https://crrev.com/0827d0b947920ab29833389c2e5402f82a48bfec/net/tools/transport_security_state_generator/trie/trie_bit_buffer.cc
[rename] https://crrev.com/0827d0b947920ab29833389c2e5402f82a48bfec/net/tools/transport_security_state_generator/trie/trie_bit_buffer.h
[rename] https://crrev.com/0827d0b947920ab29833389c2e5402f82a48bfec/net/tools/transport_security_state_generator/trie/trie_writer.cc
[rename] https://crrev.com/0827d0b947920ab29833389c2e5402f82a48bfec/net/tools/transport_security_state_generator/trie/trie_writer.h

Project Member

Comment 13 by bugdroid1@chromium.org, Feb 16 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/af126ad510eb5f6ba94fa96ef44bb49a576eaff6

commit af126ad510eb5f6ba94fa96ef44bb49a576eaff6
Author: martijn <martijn@martijnc.be>
Date: Thu Feb 16 09:13:30 2017

Fix Huffman tree construction.

HuffmanBuilder::ToVector() requires that there are at least 2 values
in the tree to create the array representation. This CL updates
HuffmanBuilder::BuildTree() to ensure it always returns a tree containing
at least 2 values.

Also demotes 2 CHECKs to DCHECKs to align with the style guide, as failure
does not constitute a security issue, and enforces the requirement that
characters should not be larger than 127.

BUG= 595493 

Review-Url: https://codereview.chromium.org/2694363003
Cr-Commit-Position: refs/heads/master@{#450910}

[modify] https://crrev.com/af126ad510eb5f6ba94fa96ef44bb49a576eaff6/net/tools/transport_security_state_generator/huffman/huffman_builder.cc
[modify] https://crrev.com/af126ad510eb5f6ba94fa96ef44bb49a576eaff6/net/tools/transport_security_state_generator/huffman/huffman_builder.h
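
The degenerate case behind the fix above, as an added example (not Chromium's HuffmanBuilder): with a single distinct character the tree is a lone leaf and its code is zero bits long. `HuffmanSketch`, the zero-count filler symbols and the index-based node layout are assumptions of this sketch.

```cpp
#include <cstdint>
#include <cstdio>
#include <functional>
#include <map>
#include <queue>
#include <utility>
#include <vector>

// Illustrative sketch only; not Chromium's HuffmanBuilder.
struct Node { int left; int right; uint8_t value; uint32_t count; };
struct Tree { std::vector<Node> nodes; int root; };

class HuffmanSketch {
 public:
  // Rejects characters above 127 with an error value instead of crashing.
  bool RecordUsage(uint8_t character) {
    if (character > 127) return false;
    ++counts_[character];
    return true;
  }

  // Builds the tree; |ensure_two_values| = false shows the degenerate case.
  Tree BuildTree(bool ensure_two_values) const {
    std::map<uint8_t, uint32_t> counts = counts_;
    if (ensure_two_values) {
      // Assumed padding strategy: add unused symbols with a zero count
      // until the tree has two leaves. emplace() keeps existing counts.
      for (uint8_t filler = 0; counts.size() < 2 && filler <= 127; ++filler)
        counts.emplace(filler, 0);
    }
    Tree tree;
    tree.root = -1;
    typedef std::pair<uint32_t, int> Item;  // (count, node index)
    std::priority_queue<Item, std::vector<Item>, std::greater<Item> > queue;
    for (const auto& entry : counts) {
      tree.nodes.push_back(Node{-1, -1, entry.first, entry.second});
      queue.push(Item(entry.second, static_cast<int>(tree.nodes.size()) - 1));
    }
    // Standard Huffman merge: repeatedly join the two least frequent nodes.
    while (queue.size() > 1) {
      Item a = queue.top(); queue.pop();
      Item b = queue.top(); queue.pop();
      tree.nodes.push_back(Node{a.second, b.second, 0, a.first + b.first});
      queue.push(Item(a.first + b.first,
                      static_cast<int>(tree.nodes.size()) - 1));
    }
    if (!queue.empty()) tree.root = queue.top().second;
    return tree;
  }

 private:
  std::map<uint8_t, uint32_t> counts_;
};

// Walks the tree and records the depth (code length in bits) of each leaf.
void CollectLengths(const Tree& tree, int index, int depth,
                    std::map<uint8_t, int>* out) {
  if (index < 0) return;
  const Node& node = tree.nodes[index];
  if (node.left < 0 && node.right < 0) {
    (*out)[node.value] = depth;
    return;
  }
  CollectLengths(tree, node.left, depth + 1, out);
  CollectLengths(tree, node.right, depth + 1, out);
}

std::map<uint8_t, int> CodeLengths(const Tree& tree) {
  std::map<uint8_t, int> lengths;
  CollectLengths(tree, tree.root, 0, &lengths);
  return lengths;
}

// Code length assigned to 'a' when it is the only character ever recorded.
int SingleSymbolCodeLength(bool ensure_two_values) {
  HuffmanSketch builder;
  for (const char* p = "aaaa"; *p; ++p)  // constructed sample input
    builder.RecordUsage(static_cast<uint8_t>(*p));
  return CodeLengths(builder.BuildTree(ensure_two_values))['a'];
}

int main() {
  std::printf("one symbol, no padding:   %d bit(s)\n",
              SingleSymbolCodeLength(false));
  std::printf("one symbol, with padding: %d bit(s)\n",
              SingleSymbolCodeLength(true));
  return 0;
}
```

A zero-length code cannot be written to or read back from a bit stream, which is why a tree with one value has no usable array form.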

Project Member

Comment 14 by bugdroid1@chromium.org, Feb 16 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/39a7d963f56666f34a337c87c4ddc8d432b1c39c

commit 39a7d963f56666f34a337c87c4ddc8d432b1c39c
Author: martijn <martijn@martijnc.be>
Date: Thu Feb 16 10:12:57 2017

Update BitWriter buffer position on flush.

When a BitWriter is flushed (through BitWriter::Flush()) the buffer
position is not updated even though additional bits are written. When the
BitWriter is used after the flush, BitWriter::position() would return
incorrect positions.

This CL fixes the behavior by updating |position_| in BitWriter::Flush()
to account for the padding bits (8 - |used_|).

Also removes BitWriter::BitLength() which is unused.

BUG= 595493 

Review-Url: https://codereview.chromium.org/2700433004
Cr-Commit-Position: refs/heads/master@{#450923}

[modify] https://crrev.com/39a7d963f56666f34a337c87c4ddc8d432b1c39c/net/tools/transport_security_state_generator/bit_writer.cc
[modify] https://crrev.com/39a7d963f56666f34a337c87c4ddc8d432b1c39c/net/tools/transport_security_state_generator/bit_writer.h
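
The position bug described in the commit above, as an added example (not Chromium's BitWriter): a caller that records `position()` after a flush gets an offset that points into the padding unless the flush adds `8 - used_`. `BitWriterSketch`, `ReadBitsAt`, `WriteTwoRecords` and the sample records are constructed for this sketch.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Illustrative sketch only; not Chromium's BitWriter implementation.
class BitWriterSketch {
 public:
  // Appends the low |bit_count| bits of |bits|, most significant bit first.
  void WriteBits(uint32_t bits, uint8_t bit_count) {
    for (int i = bit_count - 1; i >= 0; --i)
      WriteBit(static_cast<uint8_t>((bits >> i) & 1));
  }

  void WriteBit(uint8_t bit) {
    current_ = static_cast<uint8_t>(current_ | ((bit & 1) << (7 - used_)));
    ++used_;
    ++position_;
    if (used_ == 8) EmitByte();
  }

  // Zero-pads the partially filled byte and emits it. Passing false keeps
  // the pre-fix behaviour from the commit message: the padding bits reach
  // the buffer but position() does not move.
  // Assumption of this sketch: flushing with no pending bits is a no-op.
  void Flush(bool account_for_padding) {
    if (used_ == 0) return;
    if (account_for_padding) position_ += 8 - used_;
    EmitByte();
  }

  uint32_t position() const { return position_; }
  const std::vector<uint8_t>& bytes() const { return bytes_; }

 private:
  void EmitByte() {
    bytes_.push_back(current_);
    current_ = 0;
    used_ = 0;
  }

  std::vector<uint8_t> bytes_;
  uint8_t current_ = 0;    // byte being assembled
  uint8_t used_ = 0;       // bits already placed in |current_|
  uint32_t position_ = 0;  // total bits written, padding included once fixed
};

// Reads |count| (<= 8) bits starting at |bit_offset|; -1 if out of range.
int ReadBitsAt(const std::vector<uint8_t>& bytes, uint32_t bit_offset,
               uint8_t count) {
  if (count > 8 || bit_offset + count > bytes.size() * 8) return -1;
  int value = 0;
  for (uint32_t i = bit_offset; i < bit_offset + count; ++i)
    value = (value << 1) | ((bytes[i / 8] >> (7 - i % 8)) & 1);
  return value;
}

struct RoundTrip {
  uint32_t recorded_offset;  // position() taken right after the flush
  int read_back;             // 8 bits read from the buffer at that offset
};

// Writes a 3-bit record, flushes, notes where the next record is believed
// to start, writes an 8-bit record, then reads back from the noted offset.
RoundTrip WriteTwoRecords(bool account_for_padding) {
  BitWriterSketch writer;
  writer.WriteBits(0x5, 3);  // constructed first record: 101
  writer.Flush(account_for_padding);
  uint32_t offset = writer.position();
  writer.WriteBits(0xA5, 8);  // constructed second record
  return RoundTrip{offset, ReadBitsAt(writer.bytes(), offset, 8)};
}

int main() {
  RoundTrip fixed = WriteTwoRecords(true);
  RoundTrip buggy = WriteTwoRecords(false);
  std::printf("fixed: offset %u reads 0x%02X\n", fixed.recorded_offset,
              fixed.read_back);
  std::printf("buggy: offset %u reads 0x%02X\n", buggy.recorded_offset,
              buggy.read_back);
  return 0;
}
```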

Project Member

Comment 15 by bugdroid1@chromium.org, Mar 1 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0a16d63e9fc212b9a4c2e3d01cc036745880f516

commit 0a16d63e9fc212b9a4c2e3d01cc036745880f516
Author: martijn <martijn@martijnc.be>
Date: Wed Mar 01 11:03:15 2017

Improve error handling of the transport security state generator.

Split off from https://codereview.chromium.org/2660793002.

This is the first part of a larger CL that improves the error handling of the
generator. The old code would often (D)CHECK on incorrect inputs which isn't
ideal. This CL replaces the CHECKs with boolean return values and outputs human
readable errors when something goes wrong.

Also fixes a small bug, incorrect comments, and removes unused code.

BUG= 595493 

Review-Url: https://codereview.chromium.org/2681733008
Cr-Commit-Position: refs/heads/master@{#453901}

[modify] https://crrev.com/0a16d63e9fc212b9a4c2e3d01cc036745880f516/net/tools/transport_security_state_generator/pinsets.h
[modify] https://crrev.com/0a16d63e9fc212b9a4c2e3d01cc036745880f516/net/tools/transport_security_state_generator/preloaded_state_generator.cc
[modify] https://crrev.com/0a16d63e9fc212b9a4c2e3d01cc036745880f516/net/tools/transport_security_state_generator/preloaded_state_generator.h
[modify] https://crrev.com/0a16d63e9fc212b9a4c2e3d01cc036745880f516/net/tools/transport_security_state_generator/transport_security_state_entry.cc
[modify] https://crrev.com/0a16d63e9fc212b9a4c2e3d01cc036745880f516/net/tools/transport_security_state_generator/transport_security_state_generator.cc
[modify] https://crrev.com/0a16d63e9fc212b9a4c2e3d01cc036745880f516/net/tools/transport_security_state_generator/trie/trie_bit_buffer.h
[modify] https://crrev.com/0a16d63e9fc212b9a4c2e3d01cc036745880f516/net/tools/transport_security_state_generator/trie/trie_writer.cc
[modify] https://crrev.com/0a16d63e9fc212b9a4c2e3d01cc036745880f516/net/tools/transport_security_state_generator/trie/trie_writer.h

Project Member

Comment 16 by bugdroid1@chromium.org, Mar 1 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/56daed9bb730e001dab5923e28fc83665e3e9a92

commit 56daed9bb730e001dab5923e28fc83665e3e9a92
Author: martijn <martijn@martijnc.be>
Date: Wed Mar 01 22:26:27 2017

Change transport security state generator logging destination.

Change the logging destination to logging::LOG_TO_SYSTEM_DEBUG_LOG for
all platforms. On Windows the default is LOG_TO_FILE but that fails
here (program exits with error code 3).

This aligns the generator with the other net/tools tools.

BUG= 595493 

Review-Url: https://codereview.chromium.org/2728743002
Cr-Commit-Position: refs/heads/master@{#454070}

[modify] https://crrev.com/56daed9bb730e001dab5923e28fc83665e3e9a92/net/tools/transport_security_state_generator/transport_security_state_generator.cc

Project Member

Comment 18 by bugdroid1@chromium.org, Mar 18 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9b806ab221956979391d7d1974c6ea434c7f1752

commit 9b806ab221956979391d7d1974c6ea434c7f1752
Author: martijn <martijn@martijnc.be>
Date: Sat Mar 18 16:13:21 2017

Make transport security state data source configurable.

The static transport security state data is currently hardcoded to the
data in transport_security_state_static.h. In order to test the whole
process end-to-end, this CL makes the data source configurable so that
unittests can specify their own data source.

These data sources are generated by the generator during the build from
several json and pin files. The actual tests will be landed in a follow up
CL but [1] gives a general overview of this approach (which is based on
the registry_controlled_domains DAFSA tests) and is split off from [2].

[1] https://codereview.chromium.org/2680933009
[2] https://codereview.chromium.org/2660793002

BUG= 595493 

Review-Url: https://codereview.chromium.org/2726873003
Cr-Commit-Position: refs/heads/master@{#457971}

[modify] https://crrev.com/9b806ab221956979391d7d1974c6ea434c7f1752/net/BUILD.gn
[modify] https://crrev.com/9b806ab221956979391d7d1974c6ea434c7f1752/net/http/transport_security_state.cc
[modify] https://crrev.com/9b806ab221956979391d7d1974c6ea434c7f1752/net/http/transport_security_state.h
[add] https://crrev.com/9b806ab221956979391d7d1974c6ea434c7f1752/net/http/transport_security_state_source.h
[modify] https://crrev.com/9b806ab221956979391d7d1974c6ea434c7f1752/net/http/transport_security_state_static.h
[modify] https://crrev.com/9b806ab221956979391d7d1974c6ea434c7f1752/net/tools/transport_security_state_generator/resources/transport_security_state_static.template

Project Member

Comment 20 by bugdroid1@chromium.org, Apr 4 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/304189c3d5089ead05a2dfb3360e141d2b92eda0

commit 304189c3d5089ead05a2dfb3360e141d2b92eda0
Author: martijn <martijn@martijnc.be>
Date: Tue Apr 04 23:44:00 2017

Add unittests for the certificate and file parsing logic in the transport
security state generator.

BUG= 595493 

Review-Url: https://codereview.chromium.org/2793823002
Cr-Commit-Position: refs/heads/master@{#461900}

[modify] https://crrev.com/304189c3d5089ead05a2dfb3360e141d2b92eda0/net/tools/transport_security_state_generator/BUILD.gn
[add] https://crrev.com/304189c3d5089ead05a2dfb3360e141d2b92eda0/net/tools/transport_security_state_generator/cert_util_unittest.cc
[add] https://crrev.com/304189c3d5089ead05a2dfb3360e141d2b92eda0/net/tools/transport_security_state_generator/input_file_parsers.cc
[add] https://crrev.com/304189c3d5089ead05a2dfb3360e141d2b92eda0/net/tools/transport_security_state_generator/input_file_parsers.h
[add] https://crrev.com/304189c3d5089ead05a2dfb3360e141d2b92eda0/net/tools/transport_security_state_generator/input_file_parsers_unittest.cc
[modify] https://crrev.com/304189c3d5089ead05a2dfb3360e141d2b92eda0/net/tools/transport_security_state_generator/spki_hash.cc
[modify] https://crrev.com/304189c3d5089ead05a2dfb3360e141d2b92eda0/net/tools/transport_security_state_generator/spki_hash.h
[modify] https://crrev.com/304189c3d5089ead05a2dfb3360e141d2b92eda0/net/tools/transport_security_state_generator/transport_security_state_generator.cc

Project Member

Comment 21 by bugdroid1@chromium.org, Apr 8 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6ee4f021659260c12c361bb78eb211c9ba69e8bf

commit 6ee4f021659260c12c361bb78eb211c9ba69e8bf
Author: Martijn Croonen <martijn@martijnc.be>
Date: Sat Apr 08 01:06:22 2017

Make transport security state generation part of the build.

This CL adds a build step to generate transport_security_state_static.h
when required.

Bug:595493

Change-Id: I478137a40d9107cbcc6470ee544bda66823ebbff
Reviewed-on: https://chromium-review.googlesource.com/471529
Reviewed-by: Lucas Garron <lgarron@chromium.org>
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#463090}
[modify] https://crrev.com/6ee4f021659260c12c361bb78eb211c9ba69e8bf/net/BUILD.gn
[modify] https://crrev.com/6ee4f021659260c12c361bb78eb211c9ba69e8bf/net/http/BUILD.gn
[delete] https://crrev.com/3578d3111a37b2ee39f306bb285a5fdc6b3e23a0/net/http/transport_security_state_static.h
[rename] https://crrev.com/6ee4f021659260c12c361bb78eb211c9ba69e8bf/net/http/transport_security_state_static.template

Project Member

Comment 22 by bugdroid1@chromium.org, Apr 10 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5e671fffc45441c5dd3458871a8aa8f4a3f2e632

commit 5e671fffc45441c5dd3458871a8aa8f4a3f2e632
Author: Yury Khmel <khmel@google.com>
Date: Mon Apr 10 22:46:37 2017

Revert "Make transport security state generation part of the build."

This reverts commit 6ee4f021659260c12c361bb78eb211c9ba69e8bf.

Reason for revert: 
This breaks Chrome PFQ with error:
chromeos-chrome-59.0.3067.0_rc-r1: ../../../../../../../home/chrome-bot/chrome_root/src/third_party/binutils/Linux_x64/Release/bin/ld.gold: error: cannot find -latomic



Original change's description:
> Make transport security state generation part of the build.
> 
> This CL adds a build step to generate transport_security_state_static.h
> when required.
> 
> Bug:595493
> 
> Change-Id: I478137a40d9107cbcc6470ee544bda66823ebbff
> Reviewed-on: https://chromium-review.googlesource.com/471529
> Reviewed-by: Lucas Garron <lgarron@chromium.org>
> Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
> Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#463090}

TBR=rsleevi@chromium.org,peter@chromium.org,lgarron@chromium.org,martijn@martijnc.be,cbentzel+watch@chromium.org,net-reviews@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.

Change-Id: I84536c89c093531f1cf60cbdd4a3cfb2efbe5d80
Reviewed-on: https://chromium-review.googlesource.com/474009
Reviewed-by: Yury Khmel <khmel@chromium.org>
Cr-Commit-Position: refs/heads/master@{#463428}
[modify] https://crrev.com/5e671fffc45441c5dd3458871a8aa8f4a3f2e632/net/BUILD.gn
[modify] https://crrev.com/5e671fffc45441c5dd3458871a8aa8f4a3f2e632/net/http/BUILD.gn
[add] https://crrev.com/5e671fffc45441c5dd3458871a8aa8f4a3f2e632/net/http/transport_security_state_static.h
[rename] https://crrev.com/5e671fffc45441c5dd3458871a8aa8f4a3f2e632/net/tools/transport_security_state_generator/resources/transport_security_state_static.template

Project Member

Comment 23 by bugdroid1@chromium.org, Apr 11 2017

Labels: merge-merged-3067
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/efa139d3af68589d5b803a8a322f41d83e56af06

commit efa139d3af68589d5b803a8a322f41d83e56af06
Author: Alexander Alekseev <alemate@chromium.org>
Date: Tue Apr 11 00:02:51 2017

Revert "Make transport security state generation part of the build."

This reverts commit 6ee4f021659260c12c361bb78eb211c9ba69e8bf.

Reason for revert:
This breaks Chrome PFQ with error:
chromeos-chrome-59.0.3067.0_rc-r1: ../../../../../../../home/chrome-bot/chrome_root/src/third_party/binutils/Linux_x64/Release/bin/ld.gold: error: cannot find -latomic

Original change's description:
> Make transport security state generation part of the build.
>
> This CL adds a build step to generate transport_security_state_static.h
> when required.
>
> Bug:595493
>
> Change-Id: I478137a40d9107cbcc6470ee544bda66823ebbff
> Reviewed-on: https://chromium-review.googlesource.com/471529
> Reviewed-by: Lucas Garron <lgarron@chromium.org>
> Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
> Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#463090}

TBR=rsleevi@chromium.org,peter@chromium.org,lgarron@chromium.org,martijn@martijnc.be,cbentzel+watch@chromium.org,net-reviews@chromium.org

BUG=

Change-Id: I84536c89c093531f1cf60cbdd4a3cfb2efbe5d80
Reviewed-on: https://chromium-review.googlesource.com/474009
Reviewed-by: Yury Khmel <khmel@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#463428}(cherry picked from commit 5e671fffc45441c5dd3458871a8aa8f4a3f2e632)
Review-Url: https://codereview.chromium.org/2811733003 .
Cr-Commit-Position: refs/branch-heads/3067@{#4}
Cr-Branched-From: e2ed4b4539b7a50d8be892e4437897b18c181c91-refs/heads/master@{#463157}

[modify] https://crrev.com/efa139d3af68589d5b803a8a322f41d83e56af06/net/BUILD.gn
[modify] https://crrev.com/efa139d3af68589d5b803a8a322f41d83e56af06/net/http/BUILD.gn
[add] https://crrev.com/efa139d3af68589d5b803a8a322f41d83e56af06/net/http/transport_security_state_static.h
[rename] https://crrev.com/efa139d3af68589d5b803a8a322f41d83e56af06/net/tools/transport_security_state_generator/resources/transport_security_state_static.template

Blockedon: 710841
Project Member

Comment 25 by bugdroid1@chromium.org, May 24 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/526c7ebbc8501df55df5ecb0ee90e08368ee6852

commit 526c7ebbc8501df55df5ecb0ee90e08368ee6852
Author: Martijn Croonen <martijn@martijnc.be>
Date: Wed May 24 19:02:21 2017

Make transport security state generator part of the build process.

Rebased reland of https://chromium-review.googlesource.com/c/471529/.

This CL adds a build step to generate transport_security_state_static.h
when required.

Bug:595493

Change-Id: I4ea60b4052700446c0286884566d509b25696ce3
Reviewed-on: https://chromium-review.googlesource.com/484301
Commit-Queue: Martijn Croonen <martijn@martijnc.be>
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Lucas Garron <lgarron@chromium.org>
Cr-Commit-Position: refs/heads/master@{#474379}
[modify] https://crrev.com/526c7ebbc8501df55df5ecb0ee90e08368ee6852/net/BUILD.gn
[modify] https://crrev.com/526c7ebbc8501df55df5ecb0ee90e08368ee6852/net/http/BUILD.gn
[delete] https://crrev.com/baab05023fbea8af8e626c78899abd87834b70b3/net/http/transport_security_state_static.h
[rename] https://crrev.com/526c7ebbc8501df55df5ecb0ee90e08368ee6852/net/http/transport_security_state_static.template

Status: Fixed (was: Available)
Marking as fixed by request :).
> Marking as fixed by request :).

Sounds good. I'm told there might still be issues with building official builds on Windows locally, but that can be a separate bug.
Is that a public bug? I can't find a Windows related HSTS preload issue in the bugtracker.
Cc: iyengar@chromium.org
iyengar@ pinged me about it and was going to look into it, but I haven't seen a bug yet.
The Windows issue might be issue 729553.
Blocking: 736188
