security/manager/tools/PreloadedHPKPins.json

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0 1 // -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
michael@0 2 // This Source Code Form is subject to the terms of the Mozilla Public
michael@0 3 // License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 4 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
michael@0 5
michael@0 6 // The top-level element is a dictionary with two keys: "pinsets" maps details
michael@0 7 // of certificate pinning to a name and "entries" contains the HPKP details for
michael@0 8 // each host.
michael@0 9 //
michael@0 10 // "pinsets" is a list of objects. Each object has the following members:
michael@0 11 // name: (string) the name of the pinset
michael@0 12 // sha256_hashes: (list of strings) the set of allowed SPKIs hashes
michael@0 13 //
michael@0 14 // For a given pinset, a certificate is accepted if at least one of the
michael@0 15 // Subject Public Key Infos (SPKIs) is found in the chain. SPKIs are specified
michael@0 16 // as names, which must match up with the name given in the Mozilla root store.
michael@0 17 //
michael@0 18 // "entries" is a list of objects. Each object has the following members:
michael@0 19 // name: (string) the DNS name of the host in question
michael@0 20 // include_subdomains: (optional bool) whether subdomains of |name| are also covered
michael@0 21 // pins: (string) the |name| member of an object in |pinsets|
michael@0 22 //
michael@0 23 // "extra_certs" is a list of base64-encoded certificates. These are used in
michael@0 24 // pinsets that reference certificates not in our root program (for example,
michael@0 25 // Facebook).
michael@0 26
michael@0 27 // equifax -> aus3
michael@0 28 // Geotrust Primary -> www.mozilla.org
michael@0 29 // Geotrust Global -> *. addons.mozilla.org
michael@0 30 {
michael@0 31 "chromium_data" : {
michael@0 32 "cert_file_url": "https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.certs",
michael@0 33 "json_file_url": "https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.json",
michael@0 34 "substitute_pinsets": {
michael@0 35 // Use the larger google_root_pems pinset instead of google
michael@0 36 "google": "google_root_pems"
michael@0 37 },
michael@0 38 "production_pinsets": [
michael@0 39 "google_root_pems"
michael@0 40 ],
michael@0 41 "production_domains": [
michael@0 42 // Chrome's test domain.
michael@0 43 "pinningtest.appspot.com",
michael@0 44 // Dropbox
michael@0 45 "dropbox.com",
michael@0 46 "www.dropbox.com",
michael@0 47 // Twitter
michael@0 48 "api.twitter.com",
michael@0 49 "business.twitter.com",
michael@0 50 "dev.twitter.com",
michael@0 51 "mobile.twitter.com",
michael@0 52 "oauth.twitter.com",
michael@0 53 "platform.twitter.com",
michael@0 54 "twimg.com",
michael@0 55 "www.twitter.com",
michael@0 56 // Tor
michael@0 57 "torproject.org",
michael@0 58 "blog.torproject.org",
michael@0 59 "check.torproject.org",
michael@0 60 "dist.torproject.org",
michael@0 61 "www.torproject.org"
michael@0 62 ],
michael@0 63 "exclude_domains" : [
michael@0 64 // Chrome's entry for twitter.com doesn't include subdomains, so replace
michael@0 65 // it with our own entry below which also uses an expanded pinset.
michael@0 66 "twitter.com"
michael@0 67 ]
michael@0 68 },
michael@0 69 "pinsets": [
michael@0 70 {
michael@0 71 // From bug 772756, mozilla uses GeoTrust, Digicert and Thawte. Our
michael@0 72 // cdn sites use Verisign and Baltimore. We exclude 1024-bit root certs
michael@0 73 // from all providers. geotrust ca info:
michael@0 74 // http://www.geotrust.com/resources/root-certificates/index.html
michael@0 75 "name": "mozilla",
michael@0 76 "sha256_hashes": [
michael@0 77 "Baltimore CyberTrust Root",
michael@0 78 "DigiCert Assured ID Root CA",
michael@0 79 "DigiCert Global Root CA",
michael@0 80 "DigiCert High Assurance EV Root CA",
michael@0 81 "GeoTrust Global CA",
michael@0 82 "GeoTrust Global CA 2",
michael@0 83 "GeoTrust Primary Certification Authority",
michael@0 84 "GeoTrust Primary Certification Authority - G2",
michael@0 85 "GeoTrust Primary Certification Authority - G3",
michael@0 86 "GeoTrust Universal CA",
michael@0 87 "GeoTrust Universal CA 2",
michael@0 88 "thawte Primary Root CA",
michael@0 89 "thawte Primary Root CA - G2",
michael@0 90 "thawte Primary Root CA - G3",
michael@0 91 "Verisign Class 1 Public Primary Certification Authority - G3",
michael@0 92 "Verisign Class 2 Public Primary Certification Authority - G3",
michael@0 93 "Verisign Class 3 Public Primary Certification Authority - G3",
michael@0 94 "VeriSign Class 3 Public Primary Certification Authority - G4",
michael@0 95 "VeriSign Class 3 Public Primary Certification Authority - G5",
michael@0 96 "Verisign Class 4 Public Primary Certification Authority - G3",
michael@0 97 "VeriSign Universal Root Certification Authority"
michael@0 98 ]
michael@0 99 },
michael@0 100 {
michael@0 101 "name": "mozilla_services",
michael@0 102 "sha256_hashes": [
michael@0 103 "DigiCert Global Root CA"
michael@0 104 ]
michael@0 105 },
michael@0 106 // For pinning tests on pinning.example.com, the certificate must be 'End
michael@0 107 // Entity Test Cert'
michael@0 108 {
michael@0 109 "name": "mozilla_test",
michael@0 110 "sha256_hashes": [
michael@0 111 "End Entity Test Cert"
michael@0 112 ]
michael@0 113 },
michael@0 114 // Google's root PEMs. Chrome pins only to their intermediate certs, but
michael@0 115 // they'd like us to be more liberal. For the initial list, we are using
michael@0 116 // the certs from http://pki.google.com/roots.pem.
michael@0 117 // We have no built-in for commented out CAs.
michael@0 118 {
michael@0 119 "name": "google_root_pems",
michael@0 120 "sha256_hashes": [
michael@0 121 "AddTrust External Root",
michael@0 122 "AddTrust Low-Value Services Root",
michael@0 123 "AddTrust Public Services Root",
michael@0 124 "AddTrust Qualified Certificates Root",
michael@0 125 "AffirmTrust Commercial",
michael@0 126 "AffirmTrust Networking",
michael@0 127 "AffirmTrust Premium",
michael@0 128 "AffirmTrust Premium ECC",
michael@0 129 "America Online Root Certification Authority 1",
michael@0 130 "America Online Root Certification Authority 2",
michael@0 131 "Baltimore CyberTrust Root",
michael@0 132 "Comodo AAA Services root",
michael@0 133 "COMODO Certification Authority",
michael@0 134 "COMODO ECC Certification Authority",
michael@0 135 "Comodo Secure Services root",
michael@0 136 "Comodo Trusted Services root",
michael@0 137 "Cybertrust Global Root",
michael@0 138 "DigiCert Assured ID Root CA",
michael@0 139 "DigiCert Global Root CA",
michael@0 140 "DigiCert High Assurance EV Root CA",
michael@0 141 "Entrust.net Premium 2048 Secure Server CA",
michael@0 142 // "Entrust.net Secure Server CA",
michael@0 143 "Entrust Root Certification Authority",
michael@0 144 "Equifax Secure CA",
michael@0 145 "Equifax Secure eBusiness CA 1",
michael@0 146 // "Equifax Secure eBusiness CA 2",
michael@0 147 "Equifax Secure Global eBusiness CA",
michael@0 148 "GeoTrust Global CA",
michael@0 149 "GeoTrust Global CA 2",
michael@0 150 "GeoTrust Primary Certification Authority",
michael@0 151 "GeoTrust Primary Certification Authority - G2",
michael@0 152 "GeoTrust Primary Certification Authority - G3",
michael@0 153 "GeoTrust Universal CA",
michael@0 154 "GeoTrust Universal CA 2",
michael@0 155 "GlobalSign Root CA",
michael@0 156 "GlobalSign Root CA - R2",
michael@0 157 "GlobalSign Root CA - R3",
michael@0 158 "Go Daddy Class 2 CA",
michael@0 159 "Go Daddy Root Certificate Authority - G2",
michael@0 160 // "GTE CyberTrust Global Root",
michael@0 161 "Network Solutions Certificate Authority",
michael@0 162 // "RSA Root Certificate 1",
michael@0 163 "Starfield Class 2 CA",
michael@0 164 "Starfield Root Certificate Authority - G2",
michael@0 165 "Starfield Services Root Certificate Authority - G2",
michael@0 166 "StartCom Certification Authority",
michael@0 167 "StartCom Certification Authority",
michael@0 168 "StartCom Certification Authority G2",
michael@0 169 "TC TrustCenter Class 2 CA II",
michael@0 170 "TC TrustCenter Class 3 CA II",
michael@0 171 "TC TrustCenter Universal CA I",
michael@0 172 "TC TrustCenter Universal CA III",
michael@0 173 "Thawte Premium Server CA",
michael@0 174 "thawte Primary Root CA",
michael@0 175 "thawte Primary Root CA - G2",
michael@0 176 "thawte Primary Root CA - G3",
michael@0 177 "Thawte Server CA",
michael@0 178 "UTN DATACorp SGC Root CA",
michael@0 179 "UTN USERFirst Hardware Root CA",
michael@0 180 // "ValiCert Class 1 VA",
michael@0 181 // "ValiCert Class 2 VA",
michael@0 182 "Verisign Class 3 Public Primary Certification Authority",
michael@0 183 "Verisign Class 3 Public Primary Certification Authority",
michael@0 184 "Verisign Class 3 Public Primary Certification Authority - G2",
michael@0 185 "Verisign Class 3 Public Primary Certification Authority - G3",
michael@0 186 "VeriSign Class 3 Public Primary Certification Authority - G4",
michael@0 187 "VeriSign Class 3 Public Primary Certification Authority - G5",
michael@0 188 "Verisign Class 4 Public Primary Certification Authority - G3",
michael@0 189 "VeriSign Universal Root Certification Authority",
michael@0 190 "XRamp Global CA Root"
michael@0 191 ]
michael@0 192 },
michael@0 193 {
michael@0 194 "name": "facebook",
michael@0 195 "sha256_hashes": [
michael@0 196 "Verisign Class 3 Public Primary Certification Authority - G3",
michael@0 197 "DigiCert High Assurance EV Root CA",
michael@0 198 "DigiCert ECC Secure Server CA"
michael@0 199 ]
michael@0 200 }
michael@0 201 ],
michael@0 202
michael@0 203 "entries": [
michael@0 204 // Only domains that are operationally crucial to Firefox can have per-host
michael@0 205 // telemetry reporting (the "id") field
michael@0 206 { "name": "addons.mozilla.org", "include_subdomains": true,
michael@0 207 "pins": "mozilla", "test_mode": false, "id": 1 },
michael@0 208 { "name": "addons.mozilla.net", "include_subdomains": true,
michael@0 209 "pins": "mozilla", "test_mode": false, "id": 2 },
michael@0 210 { "name": "aus4.mozilla.org", "include_subdomains": true,
michael@0 211 "pins": "mozilla", "test_mode": true, "id": 3 },
michael@0 212 { "name": "accounts.firefox.com", "include_subdomains": true,
michael@0 213 "pins": "mozilla_services", "test_mode": false, "id": 4 },
michael@0 214 { "name": "api.accounts.firefox.com", "include_subdomains": true,
michael@0 215 "pins": "mozilla_services", "test_mode": false, "id": 5 },
michael@0 216 { "name": "cdn.mozilla.net", "include_subdomains": true,
michael@0 217 "pins": "mozilla", "test_mode": false },
michael@0 218 { "name": "cdn.mozilla.org", "include_subdomains": true,
michael@0 219 "pins": "mozilla", "test_mode": false },
michael@0 220 { "name": "media.mozilla.com", "include_subdomains": true,
michael@0 221 "pins": "mozilla", "test_mode": false },
michael@0 222 { "name": "services.mozilla.com", "include_subdomains": true,
michael@0 223 "pins": "mozilla_services", "test_mode": true },
michael@0 224 { "name": "include-subdomains.pinning.example.com",
michael@0 225 "include_subdomains": true, "pins": "mozilla_test",
michael@0 226 "test_mode": false },
michael@0 227 // Example domain to collect per-host stats for telemetry tests.
michael@0 228 { "name": "exclude-subdomains.pinning.example.com",
michael@0 229 "include_subdomains": false, "pins": "mozilla_test",
michael@0 230 "test_mode": false, "id": 0 },
michael@0 231 { "name": "test-mode.pinning.example.com", "include_subdomains": true,
michael@0 232 "pins": "mozilla_test", "test_mode": true },
michael@0 233 // Expand twitter's pinset to include all of *.twitter.com and use
michael@0 234 // twitterCDN. More specific rules take precedence because we search for
michael@0 235 // exact domain name first.
michael@0 236 { "name": "twitter.com", "include_subdomains": true,
michael@0 237 "pins": "twitterCDN", "test_mode": false },
michael@0 238 // Facebook (not pinned by Chrome)
michael@0 239 { "name": "facebook.com", "include_subdomains": true,
michael@0 240 "pins": "facebook", "test_mode": true }
michael@0 241 ],
michael@0 242
michael@0 243 "extra_certificates": [
michael@0 244 // DigiCert ECC Secure Server CA (for Facebook)
michael@0 245 "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"
michael@0 246 ]
michael@0 247 }
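Review bot: The header comment at the top of the file no longer describes the object below it: the top level has four keys (`chromium_data`, `pinsets`, `entries`, `extra_certificates`) rather than "two keys", the list of certificates is keyed `extra_certificates` while the comment calls it `extra_certs`, and the `test_mode` and `id` members used on almost every `entries` element are not listed among the documented members. I would correct the key name, rewrite the opening sentence to name all four keys, and add `test_mode` and `id` to the entry member list with their semantics taken from the script that consumes this file, keeping the existing note that only operationally crucial domains may carry an `id`. The `twitter.com` entry pins to `twitterCDN`, which no pinset in this file defines — presumably it is imported from the Chromium JSON referenced in `chromium_data`, and a one-line comment next to the entry saying so would save the next reader a search. `StartCom Certification Authority` and `Verisign Class 3 Public Primary Certification Authority` each appear twice in `google_root_pems`; if those are two distinct root-store certificates that share a subject name, a comment saying so would stop a later cleanup from removing one as a duplicate, and if not, one copy is redundant.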
