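--- /dev/null
+++ b/security/manager/tools/PreloadedHPKPins.json
@@ -0,0 +1,247 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// The top-level element is a dictionary with two keys: "pinsets" maps details
+// of certificate pinning to a name and "entries" contains the HPKP details for
+// each host.
+//
+// "pinsets" is a list of objects. Each object has the following members:
+//   name: (string) the name of the pinset
+//   sha256_hashes: (list of strings) the set of allowed SPKIs hashes
+//
+// For a given pinset, a certificate is accepted if at least one of the
+// Subject Public Key Infos (SPKIs) is found in the chain. SPKIs are specified
+// as names, which must match up with the name given in the Mozilla root store.
+//
+// "entries" is a list of objects. Each object has the following members:
+//   name: (string) the DNS name of the host in question
+//   include_subdomains: (optional bool) whether subdomains of |name| are also covered
+//   pins: (string) the |name| member of an object in |pinsets|
+//
+// "extra_certs" is a list of base64-encoded certificates. These are used in
+// pinsets that reference certificates not in our root program (for example,
+// Facebook).
+
+// equifax -> aus3
+// Geotrust Primary -> www.mozilla.org
+// Geotrust Global -> *.addons.mozilla.org
+{
+  "chromium_data" : {
+    "cert_file_url": "https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.certs",
+    "json_file_url": "https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.json",
+    "substitute_pinsets": {
+      // Use the larger google_root_pems pinset instead of google
+      "google": "google_root_pems"
+    },
+    "production_pinsets": [
+      "google_root_pems"
+    ],
+    "production_domains": [
+      // Chrome's test domain.
+      "pinningtest.appspot.com",
+      // Dropbox
+      "dropbox.com",
+      "www.dropbox.com",
+      // Twitter
+      "api.twitter.com",
+      "business.twitter.com",
+      "dev.twitter.com",
+      "mobile.twitter.com",
+      "oauth.twitter.com",
+      "platform.twitter.com",
+      "twimg.com",
+      "www.twitter.com",
+      // Tor
+      "torproject.org",
+      "blog.torproject.org",
+      "check.torproject.org",
+      "dist.torproject.org",
+      "www.torproject.org"
+    ],
+    "exclude_domains" : [
+      // Chrome's entry for twitter.com doesn't include subdomains, so replace
+      // it with our own entry below which also uses an expanded pinset.
+      "twitter.com"
+    ]
+  },
+  "pinsets": [
+    {
+      // From bug 772756, mozilla uses GeoTrust, Digicert and Thawte. Our
+      // cdn sites use Verisign and Baltimore. We exclude 1024-bit root certs
+      // from all providers. geotrust ca info:
+      // http://www.geotrust.com/resources/root-certificates/index.html
+      "name": "mozilla",
+      "sha256_hashes": [
+        "Baltimore CyberTrust Root",
+        "DigiCert Assured ID Root CA",
+        "DigiCert Global Root CA",
+        "DigiCert High Assurance EV Root CA",
+        "GeoTrust Global CA",
+        "GeoTrust Global CA 2",
+        "GeoTrust Primary Certification Authority",
+        "GeoTrust Primary Certification Authority - G2",
+        "GeoTrust Primary Certification Authority - G3",
+        "GeoTrust Universal CA",
+        "GeoTrust Universal CA 2",
+        "thawte Primary Root CA",
+        "thawte Primary Root CA - G2",
+        "thawte Primary Root CA - G3",
+        "Verisign Class 1 Public Primary Certification Authority - G3",
+        "Verisign Class 2 Public Primary Certification Authority - G3",
+        "Verisign Class 3 Public Primary Certification Authority - G3",
+        "VeriSign Class 3 Public Primary Certification Authority - G4",
+        "VeriSign Class 3 Public Primary Certification Authority - G5",
+        "Verisign Class 4 Public Primary Certification Authority - G3",
+        "VeriSign Universal Root Certification Authority"
+      ]
+    },
+    {
+      "name": "mozilla_services",
+      "sha256_hashes": [
+        "DigiCert Global Root CA"
+      ]
+    },
+    // For pinning tests on pinning.example.com, the certificate must be 'End
+    // Entity Test Cert'
+    {
+      "name": "mozilla_test",
+      "sha256_hashes": [
+        "End Entity Test Cert"
+      ]
+    },
+    // Google's root PEMs. Chrome pins only to their intermediate certs, but
+    // they'd like us to be more liberal. For the initial list, we are using
+    // the certs from http://pki.google.com/roots.pem.
+    // We have no built-in for commented out CAs.
+    {
+      "name": "google_root_pems",
+      "sha256_hashes": [
+        "AddTrust External Root",
+        "AddTrust Low-Value Services Root",
+        "AddTrust Public Services Root",
+        "AddTrust Qualified Certificates Root",
+        "AffirmTrust Commercial",
+        "AffirmTrust Networking",
+        "AffirmTrust Premium",
+        "AffirmTrust Premium ECC",
+        "America Online Root Certification Authority 1",
+        "America Online Root Certification Authority 2",
+        "Baltimore CyberTrust Root",
+        "Comodo AAA Services root",
+        "COMODO Certification Authority",
+        "COMODO ECC Certification Authority",
+        "Comodo Secure Services root",
+        "Comodo Trusted Services root",
+        "Cybertrust Global Root",
+        "DigiCert Assured ID Root CA",
+        "DigiCert Global Root CA",
+        "DigiCert High Assurance EV Root CA",
+        "Entrust.net Premium 2048 Secure Server CA",
+        // "Entrust.net Secure Server CA",
+        "Entrust Root Certification Authority",
+        "Equifax Secure CA",
+        "Equifax Secure eBusiness CA 1",
+        // "Equifax Secure eBusiness CA 2",
+        "Equifax Secure Global eBusiness CA",
+        "GeoTrust Global CA",
+        "GeoTrust Global CA 2",
+        "GeoTrust Primary Certification Authority",
+        "GeoTrust Primary Certification Authority - G2",
+        "GeoTrust Primary Certification Authority - G3",
+        "GeoTrust Universal CA",
+        "GeoTrust Universal CA 2",
+        "GlobalSign Root CA",
+        "GlobalSign Root CA - R2",
+        "GlobalSign Root CA - R3",
+        "Go Daddy Class 2 CA",
+        "Go Daddy Root Certificate Authority - G2",
+        // "GTE CyberTrust Global Root",
+        "Network Solutions Certificate Authority",
+        // "RSA Root Certificate 1",
+        "Starfield Class 2 CA",
+        "Starfield Root Certificate Authority - G2",
+        "Starfield Services Root Certificate Authority - G2",
+        "StartCom Certification Authority",
+        "StartCom Certification Authority",
+        "StartCom Certification Authority G2",
+        "TC TrustCenter Class 2 CA II",
+        "TC TrustCenter Class 3 CA II",
+        "TC TrustCenter Universal CA I",
+        "TC TrustCenter Universal CA III",
+        "Thawte Premium Server CA",
+        "thawte Primary Root CA",
+        "thawte Primary Root CA - G2",
+        "thawte Primary Root CA - G3",
+        "Thawte Server CA",
+        "UTN DATACorp SGC Root CA",
+        "UTN USERFirst Hardware Root CA",
+        // "ValiCert Class 1 VA",
+        // "ValiCert Class 2 VA",
+        "Verisign Class 3 Public Primary Certification Authority",
+        "Verisign Class 3 Public Primary Certification Authority",
+        "Verisign Class 3 Public Primary Certification Authority - G2",
+        "Verisign Class 3 Public Primary Certification Authority - G3",
+        "VeriSign Class 3 Public Primary Certification Authority - G4",
+        "VeriSign Class 3 Public Primary Certification Authority - G5",
+        "Verisign Class 4 Public Primary Certification Authority - G3",
+        "VeriSign Universal Root Certification Authority",
+        "XRamp Global CA Root"
+      ]
+    },
+    {
+      "name": "facebook",
+      "sha256_hashes": [
+        "Verisign Class 3 Public Primary Certification Authority - G3",
+        "DigiCert High Assurance EV Root CA",
+        "DigiCert ECC Secure Server CA"
+      ]
+    }
+  ],
+
+  "entries": [
+    // Only domains that are operationally crucial to Firefox can have per-host
+    // telemetry reporting (the "id") field
+    { "name": "addons.mozilla.org", "include_subdomains": true,
+      "pins": "mozilla", "test_mode": false, "id": 1 },
+    { "name": "addons.mozilla.net", "include_subdomains": true,
+      "pins": "mozilla", "test_mode": false, "id": 2 },
+    { "name": "aus4.mozilla.org", "include_subdomains": true,
+      "pins": "mozilla", "test_mode": true, "id": 3 },
+    { "name": "accounts.firefox.com", "include_subdomains": true,
+      "pins": "mozilla_services", "test_mode": false, "id": 4 },
+    { "name": "api.accounts.firefox.com", "include_subdomains": true,
+      "pins": "mozilla_services", "test_mode": false, "id": 5 },
+    { "name": "cdn.mozilla.net", "include_subdomains": true,
+      "pins": "mozilla", "test_mode": false },
+    { "name": "cdn.mozilla.org", "include_subdomains": true,
+      "pins": "mozilla", "test_mode": false },
+    { "name": "media.mozilla.com", "include_subdomains": true,
+      "pins": "mozilla", "test_mode": false },
+    { "name": "services.mozilla.com", "include_subdomains": true,
+      "pins": "mozilla_services", "test_mode": true },
+    { "name": "include-subdomains.pinning.example.com",
+      "include_subdomains": true, "pins": "mozilla_test",
+      "test_mode": false },
+    // Example domain to collect per-host stats for telemetry tests.
+    { "name": "exclude-subdomains.pinning.example.com",
+      "include_subdomains": false, "pins": "mozilla_test",
+      "test_mode": false, "id": 0 },
+    { "name": "test-mode.pinning.example.com", "include_subdomains": true,
+      "pins": "mozilla_test", "test_mode": true },
+    // Expand twitter's pinset to include all of *.twitter.com and use
+    // twitterCDN. More specific rules take precedence because we search for
+    // exact domain name first.
+    { "name": "twitter.com", "include_subdomains": true,
+      "pins": "twitterCDN", "test_mode": false },
+    // Facebook (not pinned by Chrome)
+    { "name": "facebook.com", "include_subdomains": true,
+      "pins": "facebook", "test_mode": true }
+  ],
+
+  "extra_certificates": [
+    // DigiCert ECC Secure Server CA (for Facebook)
+    "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"
+  ]
+}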
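Review bot: The `google_root_pems` pinset lists `"StartCom Certification Authority"` twice and `"Verisign Class 3 Public Primary Certification Authority"` twice, and because the header says SPKIs are matched by root-store name, each repeat is either dead weight or — if two distinct roots in the store share that name — silently resolves to only one of them; confirm which certificate is meant and drop or disambiguate the duplicate. The header comment is also out of step with the data it describes: it says the top level has "two keys" though the object has four (`chromium_data`, `pinsets`, `entries`, `extra_certificates`), it calls the last one `"extra_certs"`, and it omits the entry members `test_mode` and `id` entirely even though `test_mode` is what separates the entries for `aus4.mozilla.org`, `services.mozilla.com` and `facebook.com` from the rest; I'd rewrite the header to list all four keys by their real names and add `//   test_mode: (bool) presumably report-only when true — confirm against the consumer` and `//   id: (optional int) telemetry identifier, see the note above "entries"`. The `twitter.com` entry points at `"twitterCDN"`, which is neither defined under `pinsets` nor listed in `production_pinsets`, so presumably it is taken from the Chromium data; a one-line comment saying where it comes from would spare the next reader the search.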