michael@0: // -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
michael@0: // This Source Code Form is subject to the terms of the Mozilla Public
michael@0: // License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0: // file, You can obtain one at http://mozilla.org/MPL/2.0/.
michael@0:
michael@0: // The top-level element is a dictionary with two keys: "pinsets" maps details
michael@0: // of certificate pinning to a name and "entries" contains the HPKP details for
michael@0: // each host.
michael@0: //
michael@0: // "pinsets" is a list of objects. Each object has the following members:
michael@0: // name: (string) the name of the pinset
michael@0: // sha256_hashes: (list of strings) the set of allowed SPKI hashes
michael@0: //
michael@0: // For a given pinset, a certificate is accepted if at least one of the
michael@0: // Subject Public Key Infos (SPKIs) is found in the chain. SPKIs are specified
michael@0: // as names, which must match up with the name given in the Mozilla root store.
michael@0: //
michael@0: // "entries" is a list of objects. Each object has the following members:
michael@0: // name: (string) the DNS name of the host in question
michael@0: // include_subdomains: (optional bool) whether subdomains of |name| are also covered
michael@0: // pins: (string) the |name| member of an object in |pinsets|
michael@0: //
michael@0: // "extra_certs" is a list of base64-encoded certificates. These are used in
michael@0: // pinsets that reference certificates not in our root program (for example,
michael@0: // Facebook).
michael@0:
michael@0: // equifax -> aus3
michael@0: // Geotrust Primary -> www.mozilla.org
michael@0: // Geotrust Global -> *. 
addons.mozilla.org michael@0: { michael@0: "chromium_data" : { michael@0: "cert_file_url": "https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.certs", michael@0: "json_file_url": "https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.json", michael@0: "substitute_pinsets": { michael@0: // Use the larger google_root_pems pinset instead of google michael@0: "google": "google_root_pems" michael@0: }, michael@0: "production_pinsets": [ michael@0: "google_root_pems" michael@0: ], michael@0: "production_domains": [ michael@0: // Chrome's test domain. michael@0: "pinningtest.appspot.com", michael@0: // Dropbox michael@0: "dropbox.com", michael@0: "www.dropbox.com", michael@0: // Twitter michael@0: "api.twitter.com", michael@0: "business.twitter.com", michael@0: "dev.twitter.com", michael@0: "mobile.twitter.com", michael@0: "oauth.twitter.com", michael@0: "platform.twitter.com", michael@0: "twimg.com", michael@0: "www.twitter.com", michael@0: // Tor michael@0: "torproject.org", michael@0: "blog.torproject.org", michael@0: "check.torproject.org", michael@0: "dist.torproject.org", michael@0: "www.torproject.org" michael@0: ], michael@0: "exclude_domains" : [ michael@0: // Chrome's entry for twitter.com doesn't include subdomains, so replace michael@0: // it with our own entry below which also uses an expanded pinset. michael@0: "twitter.com" michael@0: ] michael@0: }, michael@0: "pinsets": [ michael@0: { michael@0: // From bug 772756, mozilla uses GeoTrust, Digicert and Thawte. Our michael@0: // cdn sites use Verisign and Baltimore. We exclude 1024-bit root certs michael@0: // from all providers. 
geotrust ca info: michael@0: // http://www.geotrust.com/resources/root-certificates/index.html michael@0: "name": "mozilla", michael@0: "sha256_hashes": [ michael@0: "Baltimore CyberTrust Root", michael@0: "DigiCert Assured ID Root CA", michael@0: "DigiCert Global Root CA", michael@0: "DigiCert High Assurance EV Root CA", michael@0: "GeoTrust Global CA", michael@0: "GeoTrust Global CA 2", michael@0: "GeoTrust Primary Certification Authority", michael@0: "GeoTrust Primary Certification Authority - G2", michael@0: "GeoTrust Primary Certification Authority - G3", michael@0: "GeoTrust Universal CA", michael@0: "GeoTrust Universal CA 2", michael@0: "thawte Primary Root CA", michael@0: "thawte Primary Root CA - G2", michael@0: "thawte Primary Root CA - G3", michael@0: "Verisign Class 1 Public Primary Certification Authority - G3", michael@0: "Verisign Class 2 Public Primary Certification Authority - G3", michael@0: "Verisign Class 3 Public Primary Certification Authority - G3", michael@0: "VeriSign Class 3 Public Primary Certification Authority - G4", michael@0: "VeriSign Class 3 Public Primary Certification Authority - G5", michael@0: "Verisign Class 4 Public Primary Certification Authority - G3", michael@0: "VeriSign Universal Root Certification Authority" michael@0: ] michael@0: }, michael@0: { michael@0: "name": "mozilla_services", michael@0: "sha256_hashes": [ michael@0: "DigiCert Global Root CA" michael@0: ] michael@0: }, michael@0: // For pinning tests on pinning.example.com, the certificate must be 'End michael@0: // Entity Test Cert' michael@0: { michael@0: "name": "mozilla_test", michael@0: "sha256_hashes": [ michael@0: "End Entity Test Cert" michael@0: ] michael@0: }, michael@0: // Google's root PEMs. Chrome pins only to their intermediate certs, but michael@0: // they'd like us to be more liberal. For the initial list, we are using michael@0: // the certs from http://pki.google.com/roots.pem. michael@0: // We have no built-in for commented out CAs. 
michael@0: { michael@0: "name": "google_root_pems", michael@0: "sha256_hashes": [ michael@0: "AddTrust External Root", michael@0: "AddTrust Low-Value Services Root", michael@0: "AddTrust Public Services Root", michael@0: "AddTrust Qualified Certificates Root", michael@0: "AffirmTrust Commercial", michael@0: "AffirmTrust Networking", michael@0: "AffirmTrust Premium", michael@0: "AffirmTrust Premium ECC", michael@0: "America Online Root Certification Authority 1", michael@0: "America Online Root Certification Authority 2", michael@0: "Baltimore CyberTrust Root", michael@0: "Comodo AAA Services root", michael@0: "COMODO Certification Authority", michael@0: "COMODO ECC Certification Authority", michael@0: "Comodo Secure Services root", michael@0: "Comodo Trusted Services root", michael@0: "Cybertrust Global Root", michael@0: "DigiCert Assured ID Root CA", michael@0: "DigiCert Global Root CA", michael@0: "DigiCert High Assurance EV Root CA", michael@0: "Entrust.net Premium 2048 Secure Server CA", michael@0: // "Entrust.net Secure Server CA", michael@0: "Entrust Root Certification Authority", michael@0: "Equifax Secure CA", michael@0: "Equifax Secure eBusiness CA 1", michael@0: // "Equifax Secure eBusiness CA 2", michael@0: "Equifax Secure Global eBusiness CA", michael@0: "GeoTrust Global CA", michael@0: "GeoTrust Global CA 2", michael@0: "GeoTrust Primary Certification Authority", michael@0: "GeoTrust Primary Certification Authority - G2", michael@0: "GeoTrust Primary Certification Authority - G3", michael@0: "GeoTrust Universal CA", michael@0: "GeoTrust Universal CA 2", michael@0: "GlobalSign Root CA", michael@0: "GlobalSign Root CA - R2", michael@0: "GlobalSign Root CA - R3", michael@0: "Go Daddy Class 2 CA", michael@0: "Go Daddy Root Certificate Authority - G2", michael@0: // "GTE CyberTrust Global Root", michael@0: "Network Solutions Certificate Authority", michael@0: // "RSA Root Certificate 1", michael@0: "Starfield Class 2 CA", michael@0: "Starfield Root 
Certificate Authority - G2", michael@0: "Starfield Services Root Certificate Authority - G2", michael@0: "StartCom Certification Authority", michael@0: "StartCom Certification Authority", michael@0: "StartCom Certification Authority G2", michael@0: "TC TrustCenter Class 2 CA II", michael@0: "TC TrustCenter Class 3 CA II", michael@0: "TC TrustCenter Universal CA I", michael@0: "TC TrustCenter Universal CA III", michael@0: "Thawte Premium Server CA", michael@0: "thawte Primary Root CA", michael@0: "thawte Primary Root CA - G2", michael@0: "thawte Primary Root CA - G3", michael@0: "Thawte Server CA", michael@0: "UTN DATACorp SGC Root CA", michael@0: "UTN USERFirst Hardware Root CA", michael@0: // "ValiCert Class 1 VA", michael@0: // "ValiCert Class 2 VA", michael@0: "Verisign Class 3 Public Primary Certification Authority", michael@0: "Verisign Class 3 Public Primary Certification Authority", michael@0: "Verisign Class 3 Public Primary Certification Authority - G2", michael@0: "Verisign Class 3 Public Primary Certification Authority - G3", michael@0: "VeriSign Class 3 Public Primary Certification Authority - G4", michael@0: "VeriSign Class 3 Public Primary Certification Authority - G5", michael@0: "Verisign Class 4 Public Primary Certification Authority - G3", michael@0: "VeriSign Universal Root Certification Authority", michael@0: "XRamp Global CA Root" michael@0: ] michael@0: }, michael@0: { michael@0: "name": "facebook", michael@0: "sha256_hashes": [ michael@0: "Verisign Class 3 Public Primary Certification Authority - G3", michael@0: "DigiCert High Assurance EV Root CA", michael@0: "DigiCert ECC Secure Server CA" michael@0: ] michael@0: } michael@0: ], michael@0: michael@0: "entries": [ michael@0: // Only domains that are operationally crucial to Firefox can have per-host michael@0: // telemetry reporting (the "id") field michael@0: { "name": "addons.mozilla.org", "include_subdomains": true, michael@0: "pins": "mozilla", "test_mode": false, "id": 1 }, michael@0: { 
"name": "addons.mozilla.net", "include_subdomains": true, michael@0: "pins": "mozilla", "test_mode": false, "id": 2 }, michael@0: { "name": "aus4.mozilla.org", "include_subdomains": true, michael@0: "pins": "mozilla", "test_mode": true, "id": 3 }, michael@0: { "name": "accounts.firefox.com", "include_subdomains": true, michael@0: "pins": "mozilla_services", "test_mode": false, "id": 4 }, michael@0: { "name": "api.accounts.firefox.com", "include_subdomains": true, michael@0: "pins": "mozilla_services", "test_mode": false, "id": 5 }, michael@0: { "name": "cdn.mozilla.net", "include_subdomains": true, michael@0: "pins": "mozilla", "test_mode": false }, michael@0: { "name": "cdn.mozilla.org", "include_subdomains": true, michael@0: "pins": "mozilla", "test_mode": false }, michael@0: { "name": "media.mozilla.com", "include_subdomains": true, michael@0: "pins": "mozilla", "test_mode": false }, michael@0: { "name": "services.mozilla.com", "include_subdomains": true, michael@0: "pins": "mozilla_services", "test_mode": true }, michael@0: { "name": "include-subdomains.pinning.example.com", michael@0: "include_subdomains": true, "pins": "mozilla_test", michael@0: "test_mode": false }, michael@0: // Example domain to collect per-host stats for telemetry tests. michael@0: { "name": "exclude-subdomains.pinning.example.com", michael@0: "include_subdomains": false, "pins": "mozilla_test", michael@0: "test_mode": false, "id": 0 }, michael@0: { "name": "test-mode.pinning.example.com", "include_subdomains": true, michael@0: "pins": "mozilla_test", "test_mode": true }, michael@0: // Expand twitter's pinset to include all of *.twitter.com and use michael@0: // twitterCDN. More specific rules take precedence because we search for michael@0: // exact domain name first. 
michael@0: { "name": "twitter.com", "include_subdomains": true, michael@0: "pins": "twitterCDN", "test_mode": false }, michael@0: // Facebook (not pinned by Chrome) michael@0: { "name": "facebook.com", "include_subdomains": true, michael@0: "pins": "facebook", "test_mode": true } michael@0: ], michael@0: michael@0: "extra_certificates": [ michael@0: // DigiCert ECC Secure Server CA (for Facebook) michael@0: "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" michael@0: ] michael@0: }