security/manager/tools/PreloadedHPKPins.json


author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

     1 // -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
     2 // This Source Code Form is subject to the terms of the Mozilla Public
     3 // License, v. 2.0. If a copy of the MPL was not distributed with this
     4 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
     6 // The top-level element is a dictionary with two keys: "pinsets" maps details
     7 // of certificate pinning to a name and "entries" contains the HPKP details for
     8 // each host.
     9 //
    10 // "pinsets" is a list of objects. Each object has the following members:
    11 //   name: (string) the name of the pinset
    12 //   sha256_hashes: (list of strings) the set of allowed SPKIs hashes
    13 //
    14 // For a given pinset, a certificate is accepted if at least one of the
    15 // Subject Public Key Infos (SPKIs) is found in the chain.  SPKIs are specified
    16 // as names, which must match up with the name given in the Mozilla root store.
    17 //
    18 // "entries" is a list of objects. Each object has the following members:
    19 //   name: (string) the DNS name of the host in question
    20 //   include_subdomains: (optional bool) whether subdomains of |name| are also covered
    21 //   pins: (string) the |name| member of an object in |pinsets|
    22 //
    23 // "extra_certs" is a list of base64-encoded certificates. These are used in
    24 // pinsets that reference certificates not in our root program (for example,
    25 // Facebook).
    27 // equifax -> aus3
    28 // Geotrust Primary -> www.mozilla.org
    29 // Geotrust Global -> *. addons.mozilla.org
    30 {
    31   "chromium_data" : {
    32     "cert_file_url": "https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.certs",
    33     "json_file_url": "https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.json",
    34     "substitute_pinsets": {
    35       // Use the larger google_root_pems pinset instead of google
    36       "google": "google_root_pems"
    37     },
    38     "production_pinsets": [
    39       "google_root_pems"
    40     ],
    41     "production_domains": [
    42       // Chrome's test domain.
    43       "pinningtest.appspot.com",
    44       // Dropbox
    45       "dropbox.com",
    46       "www.dropbox.com",
    47       // Twitter
    48       "api.twitter.com",
    49       "business.twitter.com",
    50       "dev.twitter.com",
    51       "mobile.twitter.com",
    52       "oauth.twitter.com",
    53       "platform.twitter.com",
    54       "twimg.com",
    55       "www.twitter.com",
    56       // Tor
    57       "torproject.org",
    58       "blog.torproject.org",
    59       "check.torproject.org",
    60       "dist.torproject.org",
    61       "www.torproject.org"
    62     ],
    63     "exclude_domains" : [
    64       // Chrome's entry for twitter.com doesn't include subdomains, so replace
    65       // it with our own entry below which also uses an expanded pinset.
    66       "twitter.com"
    67     ]
    68    },
    69   "pinsets": [
    70     {
    71       // From bug 772756, mozilla uses GeoTrust, Digicert and Thawte.  Our
    72       // cdn sites use Verisign and Baltimore. We exclude 1024-bit root certs
    73       // from all providers. geotrust ca info:
    74       // http://www.geotrust.com/resources/root-certificates/index.html
    75       "name": "mozilla",
    76       "sha256_hashes": [
    77         "Baltimore CyberTrust Root",
    78         "DigiCert Assured ID Root CA",
    79         "DigiCert Global Root CA",
    80         "DigiCert High Assurance EV Root CA",
    81         "GeoTrust Global CA",
    82         "GeoTrust Global CA 2",
    83         "GeoTrust Primary Certification Authority",
    84         "GeoTrust Primary Certification Authority - G2",
    85         "GeoTrust Primary Certification Authority - G3",
    86         "GeoTrust Universal CA",
    87         "GeoTrust Universal CA 2",
    88         "thawte Primary Root CA",
    89         "thawte Primary Root CA - G2",
    90         "thawte Primary Root CA - G3",
    91         "Verisign Class 1 Public Primary Certification Authority - G3",
    92         "Verisign Class 2 Public Primary Certification Authority - G3",
    93         "Verisign Class 3 Public Primary Certification Authority - G3",
    94         "VeriSign Class 3 Public Primary Certification Authority - G4",
    95         "VeriSign Class 3 Public Primary Certification Authority - G5",
    96         "Verisign Class 4 Public Primary Certification Authority - G3",
    97         "VeriSign Universal Root Certification Authority"
    98       ]
    99     },
   100     {
   101       "name": "mozilla_services",
   102       "sha256_hashes": [
   103         "DigiCert Global Root CA"
   104       ]
   105     },
   106     // For pinning tests on pinning.example.com, the certificate must be 'End
   107     // Entity Test Cert'
   108     {
   109       "name": "mozilla_test",
   110       "sha256_hashes": [
   111         "End Entity Test Cert"
   112       ]
   113     },
   114     // Google's root PEMs. Chrome pins only to their intermediate certs, but
   115     // they'd like us to be more liberal. For the initial list, we are using
   116     // the certs from http://pki.google.com/roots.pem.
   117     // We have no built-in for commented out CAs.
   118     {
   119       "name": "google_root_pems",
   120       "sha256_hashes": [
   121         "AddTrust External Root",
   122         "AddTrust Low-Value Services Root",
   123         "AddTrust Public Services Root",
   124         "AddTrust Qualified Certificates Root",
   125         "AffirmTrust Commercial",
   126         "AffirmTrust Networking",
   127         "AffirmTrust Premium",
   128         "AffirmTrust Premium ECC",
   129         "America Online Root Certification Authority 1",
   130         "America Online Root Certification Authority 2",
   131         "Baltimore CyberTrust Root",
   132         "Comodo AAA Services root",
   133         "COMODO Certification Authority",
   134         "COMODO ECC Certification Authority",
   135         "Comodo Secure Services root",
   136         "Comodo Trusted Services root",
   137         "Cybertrust Global Root",
   138         "DigiCert Assured ID Root CA",
   139         "DigiCert Global Root CA",
   140         "DigiCert High Assurance EV Root CA",
   141         "Entrust.net Premium 2048 Secure Server CA",
   142         // "Entrust.net Secure Server CA",
   143         "Entrust Root Certification Authority",
   144         "Equifax Secure CA",
   145         "Equifax Secure eBusiness CA 1",
   146         // "Equifax Secure eBusiness CA 2",
   147         "Equifax Secure Global eBusiness CA",
   148         "GeoTrust Global CA",
   149         "GeoTrust Global CA 2",
   150         "GeoTrust Primary Certification Authority",
   151         "GeoTrust Primary Certification Authority - G2",
   152         "GeoTrust Primary Certification Authority - G3",
   153         "GeoTrust Universal CA",
   154         "GeoTrust Universal CA 2",
   155         "GlobalSign Root CA",
   156         "GlobalSign Root CA - R2",
   157         "GlobalSign Root CA - R3",
   158         "Go Daddy Class 2 CA",
   159         "Go Daddy Root Certificate Authority - G2",
   160         // "GTE CyberTrust Global Root",
   161         "Network Solutions Certificate Authority",
   162         // "RSA Root Certificate 1",
   163         "Starfield Class 2 CA",
   164         "Starfield Root Certificate Authority - G2",
   165         "Starfield Services Root Certificate Authority - G2",
   166         "StartCom Certification Authority",
   167         "StartCom Certification Authority",
   168         "StartCom Certification Authority G2",
   169         "TC TrustCenter Class 2 CA II",
   170         "TC TrustCenter Class 3 CA II",
   171         "TC TrustCenter Universal CA I",
   172         "TC TrustCenter Universal CA III",
   173         "Thawte Premium Server CA",
   174         "thawte Primary Root CA",
   175         "thawte Primary Root CA - G2",
   176         "thawte Primary Root CA - G3",
   177         "Thawte Server CA",
   178         "UTN DATACorp SGC Root CA",
   179         "UTN USERFirst Hardware Root CA",
   180         // "ValiCert Class 1 VA",
   181         // "ValiCert Class 2 VA",
   182         "Verisign Class 3 Public Primary Certification Authority",
   183         "Verisign Class 3 Public Primary Certification Authority",
   184         "Verisign Class 3 Public Primary Certification Authority - G2",
   185         "Verisign Class 3 Public Primary Certification Authority - G3",
   186         "VeriSign Class 3 Public Primary Certification Authority - G4",
   187         "VeriSign Class 3 Public Primary Certification Authority - G5",
   188         "Verisign Class 4 Public Primary Certification Authority - G3",
   189         "VeriSign Universal Root Certification Authority",
   190         "XRamp Global CA Root"
   191       ]
   192     },
   193     {
   194       "name": "facebook",
   195       "sha256_hashes": [
   196         "Verisign Class 3 Public Primary Certification Authority - G3",
   197         "DigiCert High Assurance EV Root CA",
   198         "DigiCert ECC Secure Server CA"
   199       ]
   200     }
   201   ],
   203   "entries": [
   204     // Only domains that are operationally crucial to Firefox can have per-host
   205     // telemetry reporting (the "id") field
   206     { "name": "addons.mozilla.org", "include_subdomains": true,
   207       "pins": "mozilla", "test_mode": false, "id": 1 },
   208     { "name": "addons.mozilla.net", "include_subdomains": true,
   209       "pins": "mozilla", "test_mode": false, "id": 2 },
   210     { "name": "aus4.mozilla.org", "include_subdomains": true,
   211       "pins": "mozilla", "test_mode": true, "id": 3 },
   212     { "name": "accounts.firefox.com", "include_subdomains": true,
   213       "pins": "mozilla_services", "test_mode": false, "id": 4 },
   214     { "name": "api.accounts.firefox.com", "include_subdomains": true,
   215       "pins": "mozilla_services", "test_mode": false, "id": 5 },
   216     { "name": "cdn.mozilla.net", "include_subdomains": true,
   217       "pins": "mozilla", "test_mode": false },
   218     { "name": "cdn.mozilla.org", "include_subdomains": true,
   219       "pins": "mozilla", "test_mode": false },
   220     { "name": "media.mozilla.com", "include_subdomains": true,
   221       "pins": "mozilla", "test_mode": false },
   222     { "name": "services.mozilla.com", "include_subdomains": true,
   223       "pins": "mozilla_services", "test_mode": true },
   224     { "name": "include-subdomains.pinning.example.com",
   225       "include_subdomains": true, "pins": "mozilla_test",
   226       "test_mode": false },
   227     // Example domain to collect per-host stats for telemetry tests.
   228     { "name": "exclude-subdomains.pinning.example.com",
   229       "include_subdomains": false, "pins": "mozilla_test",
   230       "test_mode": false, "id": 0 },
   231     { "name": "test-mode.pinning.example.com", "include_subdomains": true,
   232       "pins": "mozilla_test", "test_mode": true },
   233     // Expand twitter's pinset to include all of *.twitter.com and use
   234     // twitterCDN. More specific rules take precedence because we search for
   235     // exact domain name first.
   236     { "name": "twitter.com", "include_subdomains": true,
   237       "pins": "twitterCDN", "test_mode": false },
   238     // Facebook (not pinned by Chrome)
   239     { "name": "facebook.com", "include_subdomains": true,
   240       "pins": "facebook", "test_mode": true }
   241   ],
   243   "extra_certificates": [
   244      // DigiCert ECC Secure Server CA (for Facebook)
   245      "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"
   246   ]
   247 }
