From 5b600a69b81fd271b6a3e6f615c2c4706745fbd7 Mon Sep 17 00:00:00 2001 From: Rob Wu Date: Thu, 3 Aug 2023 02:30:02 +0200 Subject: [PATCH] Correctly documentation of Firefox client behavior References: - https://bugzilla.mozilla.org/show_bug.cgi?id=1846866 ignores pref - https://bugzilla.mozilla.org/show_bug.cgi?id=1267318 ignores notAfter - https://bugzilla.mozilla.org/show_bug.cgi?id=1713628 ignores notBefore "Only end-entity certs can potentially end up here." (in ERROR_EXPIRED_CERTIFICATE / ERROR_NOT_YET_VALID_CERTIFICATE): verified locally and also observed before in the armagadd-on-2.0 incident (https://bugzilla.mozilla.org/show_bug.cgi?id=1548973); if expired intermediates were accepted, then we would not have had the incident. --- autograph.yaml | 10 ++++++++++ signer/contentsignature/README.md | 5 +---- signer/contentsignaturepki/README.md | 7 ++----- signer/xpi/README.md | 3 +++ 4 files changed, 16 insertions(+), 9 deletions(-) diff --git a/autograph.yaml b/autograph.yaml index cc9b707ac..ce91d3e40 100755 --- a/autograph.yaml +++ b/autograph.yaml @@ -78,6 +78,11 @@ signers: # with Firefox, set security.content.signature.root_hash to # 5E:36:F2:14:DE:82:3F:8B:29:96:89:23:5F:03:41:AC:AF:A0:75:AF:82:CB:4C:D4:30:7C:3D:B3:43:39:2A:FE # + # NOTE: The above comment is only valid for Firefox <= 102. + # In Firefox 103+ (bug 1769669), roots are hard-coded in Firefox and the + # chosen root is dependent on the app.normandy.api_url pref, see + # https://searchfox.org/mozilla-central/rev/2bf90dc51ce7e8274ce208fbb9d68b3ff535185e/toolkit/components/normandy/lib/NormandyApi.sys.mjs#15-30 + # # Note the private key of the root was not saved. Use tools/genpki to # make a new config as needed. - id: normandy 
@@ -130,6 +135,11 @@ signers: # with Firefox, set security.content.signature.root_hash to # 5E:36:F2:14:DE:82:3F:8B:29:96:89:23:5F:03:41:AC:AF:A0:75:AF:82:CB:4C:D4:30:7C:3D:B3:43:39:2A:FE # + # NOTE: The above comment is only valid for Firefox <= 102. + # In Firefox 103+ (bug 1769669), roots are hard-coded in Firefox and the + # chosen root is dependent on multiple conditions, see + # https://searchfox.org/mozilla-central/rev/2bf90dc51ce7e8274ce208fbb9d68b3ff535185e/services/settings/Utils.sys.mjs#53-76,97-101,110-124 + # # Note the private key of the root was not saved. Use tools/genpki to # make a new config as needed. - id: remote-settings diff --git a/signer/contentsignature/README.md b/signer/contentsignature/README.md index 1494214d9..5e0b7da35 100644 --- a/signer/contentsignature/README.md +++ b/signer/contentsignature/README.md @@ -66,10 +66,7 @@ signature: PEM format, where the first certificate is the end-entity that issued the signature, and the last certificate is the root of the PKI. Firefox is configured to only accept signatures from the - internal PKI shared with AMO. This is controlled via the - `security.content.signature.root_hash` preference, where - the value is the hexadecimal of the sha256 of the DER of the root - certificate. + internal PKI shared with AMO. When Firefox verifies a content signature, it first retrieves the X5U and checks the signature validity using the end-entity certificate, the diff --git a/signer/contentsignaturepki/README.md b/signer/contentsignaturepki/README.md index eb9dfdf7d..84e26d2c7 100644 --- a/signer/contentsignaturepki/README.md +++ b/signer/contentsignaturepki/README.md 
@@ -64,11 +64,8 @@ signature: signature. In practice, this file usually contains three certificates: the end-entity that issues the content signature, the intermediate issuer and the root of the Firefox private PKI. Firefox - is configured to only accept signatures from the private PKI, as - controlled via the - `security.content.signature.root_hash` preference, where - the value is the hexadecimal of the sha256 of the DER of the root - certificate. + is configured to only accept signatures from the private PKI, which + is hard-coded in Firefox (https://bugzilla.mozilla.org/1846866). When Firefox verifies a content signature, it first retrieves the X5U and checks the signature validity using the end-entity certificate, the diff --git a/signer/xpi/README.md b/signer/xpi/README.md index cb1c4e3af..d26340eed 100644 --- a/signer/xpi/README.md +++ b/signer/xpi/README.md @@ -271,8 +271,11 @@ graph LR VerifyPK7Signature == Extract hash of SF signature file ==> VerifySignature VerifySignature == Extract Signing Certificate ==> VerifyCertificate VerifyCertificate == Get Trusted Root ==> BuildCertChain +%% NOTE: Only end-entity certs can potentially end up here. Intermediates/root do not. BuildCertChain == ERROR_EXPIRED_CERTIFICATE ==> Success + BuildCertChain == ERROR_NOT_YET_VALID_CERTIFICATE ==> Success Success --> VerifyPK7Signature +%% Expired intermediates/root will reach this state: BuildCertChain == else ==> Error Error --> VerifyPK7Signature end
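Review bot: In the first autograph.yaml hunk (signer `normandy`), the bug number used to justify the hard-coded roots (`bug 1769669` in the new NOTE) differs from the one the commit message gives for "ignores pref" (bug 1846866); a reader of the YAML alone cannot tell whether these are the same change or two related ones, so state the relationship in the comment (e.g. "hard-coded since Firefox 103, bug 1769669; the pref is ignored, see bug 1846866"). The now-obsolete instruction "set security.content.signature.root_hash to 5E:36:..." is also left standing above the NOTE as if it were current guidance; leading with "Firefox <= 102 only:" on that line would make the comment read correctly top to bottom.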
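Review bot: In the second autograph.yaml hunk (signer `remote-settings`), "the chosen root is dependent on multiple conditions" is too vague to act on; the sibling `normandy` comment names the controlling pref (`app.normandy.api_url`), so this comment should likewise name which preferences or environment selections the linked `Utils.sys.mjs` lines key on, or at minimum say that the link enumerates them. The searchfox link is pinned to a revision, which is good for stability, but the fused line ranges (`#53-76,97-101,110-124`) will not survive any later refresh of the revision; consider citing the function names instead of raw line numbers.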
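Review bot: In the signer/contentsignature/README.md hunk, the deletion removes the explanation of how Firefox pins the root but adds no replacement, leaving "internal PKI shared with AMO." with no pointer to where the trust anchor now comes from; the sibling contentsignaturepki README in this same patch adds "which is hard-coded in Firefox (https://bugzilla.mozilla.org/1846866)", and the same sentence belongs here for consistency. Since the autograph.yaml hunks state the pref still applies to Firefox <= 102, a one-line "(Firefox <= 102 honoured the `security.content.signature.root_hash` preference instead)" would keep the removed information available for anyone supporting older builds.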
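Review bot: In the signer/contentsignaturepki/README.md hunk, "is hard-coded in Firefox" is stated without the version qualifier that the autograph.yaml comments in this same patch carry ("Firefox 103+"); add it so the README does not read as if no Firefox release ever honoured the preference. The bug link also uses the short form `https://bugzilla.mozilla.org/1846866` while the commit message and YAML use `show_bug.cgi?id=`; both resolve, but pick one form across the patch.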
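Review bot: In the signer/xpi/README.md hunk, the new comment "Expired intermediates/root will reach this state:" above the `else ==> Error` edge understates the rule the first comment establishes: since only end-entity certificates can take the `ERROR_EXPIRED_CERTIFICATE` and `ERROR_NOT_YET_VALID_CERTIFICATE` edges to Success, intermediates and roots that are not yet valid also land in Error, so the comment should read "Expired or not-yet-valid intermediates/root ...". The README also gives no source for why these two validity errors are tolerated for end-entity certs; the commit message cites bug 1267318 (notAfter ignored) and bug 1713628 (notBefore ignored), and a short `%%` comment naming them next to the two edges would let readers verify the behaviour rather than take the diagram on faith.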