Bug 59179 - HTTP Public Key Pinning (HPKP) for Tomcat
Summary: HTTP Public Key Pinning (HPKP) for Tomcat
Status: RESOLVED WONTFIX
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Catalina
Version: unspecified
Hardware: All
OS: All
Importance: P2 enhancement
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Duplicates: 59754
Depends on:
Blocks:
 
Reported: 2016-03-14 13:54 UTC by Patrick Beckmann
Modified: 2017-12-05 21:51 UTC

Attachments
HTTP Public Key Pinning for Tomcat (9.84 KB, patch)
2016-03-14 13:54 UTC, Patrick Beckmann
Patch for what Mark recommended. (10.95 KB, patch)
2016-05-25 18:02 UTC, Abdessamed MANSOURI

Description Patrick Beckmann 2016-03-14 13:54:39 UTC
Created attachment 33673 [details]
HTTP Public Key Pinning for Tomcat

I have added HTTP Public Key Pinning (RFC 7469) to Tomcat 9 and would like to share the patch with you.

For now I have tried to keep it in the same style as the HSTS part and as simple as possible. Do you consider input validation as necessary here? Does anything else need to be changed or added?
Comment 1 Mark Thomas 2016-05-23 15:36:54 UTC
I'd recommend merging hpkpEnabled and hpkpReportOnly into a single field (hpkpEnabled) with allowed values "true", "false", "reportOnly" (case insensitive).
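As an added illustration that is not code from either attached patch, a hypothetical helper (class and method names are assumptions) showing how the merged hpkpEnabled field proposed above could be parsed and how the RFC 7469 header would be assembled, in the same spirit as the filter's HSTS handling; the pins in main are constructed placeholders:

```java
import java.util.Base64;
import java.util.List;
import java.util.Locale;

// Hypothetical helper, not part of Tomcat or of either attached patch.
public final class HpkpHeader {
    public enum Mode { OFF, ENFORCE, REPORT_ONLY }

    // One hpkpEnabled attribute with values true / false / reportOnly (case-insensitive).
    public static Mode parseMode(String hpkpEnabled) {
        if (hpkpEnabled == null) return Mode.OFF;
        switch (hpkpEnabled.trim().toLowerCase(Locale.ENGLISH)) {
            case "true":       return Mode.ENFORCE;
            case "false":      return Mode.OFF;
            case "reportonly": return Mode.REPORT_ONLY;
            default: throw new IllegalArgumentException("hpkpEnabled must be true, false or reportOnly: " + hpkpEnabled);
        }
    }

    // RFC 7469 header names; null in OFF mode means no header is sent at all.
    public static String headerName(Mode mode) {
        switch (mode) {
            case ENFORCE:     return "Public-Key-Pins";
            case REPORT_ONLY: return "Public-Key-Pins-Report-Only";
            default:          return null;
        }
    }

    // Each pin is the base64 SHA-256 of an SPKI. RFC 7469 requires a backup pin, so fewer than two is a config error.
    public static String headerValue(List<String> pins, long maxAge, boolean subDomains, String reportUri) {
        if (pins.size() < 2) throw new IllegalArgumentException("need the current pin plus a backup pin");
        StringBuilder sb = new StringBuilder();
        for (String pin : pins) {
            if (Base64.getDecoder().decode(pin).length != 32) {   // also rejects malformed base64
                throw new IllegalArgumentException("pin-sha256 must be a base64 SHA-256 digest: " + pin);
            }
            sb.append("pin-sha256=\"").append(pin).append("\"; ");
        }
        sb.append("max-age=").append(maxAge);
        if (subDomains) sb.append("; includeSubDomains");
        if (reportUri != null) sb.append("; report-uri=\"").append(reportUri).append('"');
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed placeholder digests (32 zero bytes and 32 0x01 bytes), not real key pins.
        List<String> pins = List.of("A".repeat(43) + "=", "AQEB".repeat(10) + "AQE=");
        System.out.println(headerName(parseMode("ReportOnly")) + ": " + headerValue(pins, 2592000L, true, "https://example.com/pkp-report"));
    }
}
```

In enforcing mode a wrong or expired pin set locks clients out for max-age seconds, which is why the report-only header is the safer first step when rolling this out.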
Comment 2 Abdessamed MANSOURI 2016-05-25 18:02:21 UTC
Created attachment 33891 [details]
Patch for what Mark recommended.

This patch is based on the OP's patch; I did what Mark recommended.
Comment 3 Christopher Schultz 2016-05-27 18:50:16 UTC
Nit:

HttpHeaderSecurityFilter:106 performs a StringBuilder.append("") which does nothing. I think that line can be removed.
Comment 4 Mark Thomas 2016-06-29 17:25:55 UTC
*** Bug 59754 has been marked as a duplicate of this bug. ***
Comment 6 Christopher Schultz 2017-12-05 21:42:56 UTC
Given that HPKP is effectively being killed by Google[1], should we close this as WONTFIX?

[1] https://www.theregister.co.uk/2017/10/30/google_hpkp/
Comment 7 Mark Thomas 2017-12-05 21:51:59 UTC
Agreed.