Bug 59179

Summary: HTTP Public Key Pinning (HPKP) for Tomcat
Product: Tomcat 9
Reporter: Patrick Beckmann <tomcat>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED WONTFIX
Severity: enhancement
CC: hauser
Priority: P2
Version: unspecified
Target Milestone: -----
Hardware: All
OS: All
Attachments: HTTP Public Key Pinning for Tomcat
Patch for what Mark recommended.

Description Patrick Beckmann 2016-03-14 13:54:39 UTC
Created attachment 33673 [details]
HTTP Public Key Pinning for Tomcat

I have added HTTP Public Key Pinning (RFC 7469) to Tomcat 9 and would like to share the patch with you.

For now I have tried to keep it in the same style as the HSTS part and as simple as possible. Do you consider input validation as necessary here? Does anything else need to be changed or added?
Comment 1 Mark Thomas 2016-05-23 15:36:54 UTC
I'd recommend merging hpkpEnabled and hpkpReportOnly into a single field (hpkpEnabled) with allowed values "true", "false", "reportOnly" (case insensitive).
Comment 2 Abdessamed MANSOURI 2016-05-25 18:02:21 UTC
Created attachment 33891 [details]
Patch for what Mark recommended.

This patch is based on OP's patch; I did what Mark recommended.
Comment 3 Christopher Schultz 2016-05-27 18:50:16 UTC
Nit:

HttpHeaderSecurityFilter:106 performs a StringBuilder.append("") which does nothing. I think that line can be removed.
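An added illustration, not the attached patch or Tomcat's own filter code, of the single tri-state hpkpEnabled setting Mark proposes in Comment 1 and of assembling the RFC 7469 header value with no no-op append of the kind Comment 3 flags; the class, method and parameter names, the pin placeholders and the 60-day max-age are assumptions.

```java
import java.util.List;
import java.util.Locale;

/** Hypothetical helper mirroring the shape of an HSTS/HPKP filter setting. */
public class HpkpHeaderExample {

    /** The three states of the assumed "hpkpEnabled" init-param. */
    enum HpkpMode { DISABLED, ENFORCE, REPORT_ONLY }

    /** Accepts "true", "false" or "reportOnly", case-insensitively; rejects anything else. */
    static HpkpMode parseMode(String value) {
        if (value == null) return HpkpMode.DISABLED;
        switch (value.trim().toLowerCase(Locale.ENGLISH)) {
            case "true":       return HpkpMode.ENFORCE;
            case "false":      return HpkpMode.DISABLED;
            case "reportonly": return HpkpMode.REPORT_ONLY;
            default:
                throw new IllegalArgumentException(
                        "hpkpEnabled must be true, false or reportOnly, got: " + value);
        }
    }

    /** Header name from RFC 7469 section 2.1, or null when pinning is disabled. */
    static String headerName(HpkpMode mode) {
        switch (mode) {
            case ENFORCE:     return "Public-Key-Pins";
            case REPORT_ONLY: return "Public-Key-Pins-Report-Only";
            default:          return null;
        }
    }

    /** Builds the directive list. A second (backup) pin is required: without it a UA will not
     *  note the pins, and a single mis-pinned key would lock clients out for max-age seconds. */
    static String headerValue(List<String> pinsSha256, long maxAgeSeconds,
                              boolean includeSubDomains, String reportUri) {
        if (pinsSha256.size() < 2) throw new IllegalArgumentException("need a backup pin");
        StringBuilder sb = new StringBuilder();
        for (String pin : pinsSha256) sb.append("pin-sha256=\"").append(pin).append("\"; ");
        sb.append("max-age=").append(maxAgeSeconds);
        if (includeSubDomains) sb.append("; includeSubDomains");
        if (reportUri != null && !reportUri.isEmpty()) sb.append("; report-uri=\"").append(reportUri).append('"');
        return sb.toString();
    }

    public static void main(String[] args) {
        HpkpMode mode = parseMode("ReportOnly"); // case-insensitive, as recommended
        List<String> pins = List.of("<base64 SPKI hash, current key>", "<base64 SPKI hash, backup key>");
        System.out.println(headerName(mode) + ": "
                + headerValue(pins, 5184000L, true, "https://example.com/hpkp-report"));
    }
}
```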
Comment 4 Mark Thomas 2016-06-29 17:25:55 UTC
*** Bug 59754 has been marked as a duplicate of this bug. ***
Comment 6 Christopher Schultz 2017-12-05 21:42:56 UTC
Given that HPKP is effectively being killed by Google[1], should we close this as WONTFIX?

[1] https://www.theregister.co.uk/2017/10/30/google_hpkp/
Comment 7 Mark Thomas 2017-12-05 21:51:59 UTC
Agreed.