// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
// The top-level element is a dictionary. "pinsets" maps details of
// certificate pinning to a name, "entries" contains the HPKP details for
// each host, "chromium_data" configures what is taken from Chromium's
// transport_security_state_static files, and "extra_certificates" holds
// certificates that are not in the root store (see the sections below).
//
// "pinsets" is a list of objects. Each object has the following members:
// name: (string) the name of the pinset
// sha256_hashes: (list of strings) the set of allowed SPKI hashes
//
// For a given pinset, a certificate is accepted if at least one of the
// Subject Public Key Infos (SPKIs) is found in the chain. SPKIs are specified
// as names, which must match up with the name given in the Mozilla root store.
//
// "entries" is a list of objects. Each object has the following members:
// name: (string) the DNS name of the host in question
// include_subdomains: (optional bool) whether subdomains of |name| are also covered
// pins: (string) the |name| member of an object in |pinsets|
//
// "extra_certificates" is a list of base64-encoded certificates. These are used in
// pinsets that reference certificates not in our root program (for example,
// Facebook).
// equifax -> aus3
// Geotrust Primary -> www.mozilla.org
// Geotrust Global -> *.addons.mozilla.org
{
"chromium_data" : {
"cert_file_url": "https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.certs?format=TEXT",
"json_file_url": "https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json?format=TEXT",
"substitute_pinsets": {
// Use the larger google_root_pems pinset instead of google
"google": "google_root_pems"
},
"production_pinsets": [
"google_root_pems"
],
"production_domains": [
// Chrome's test domain.
"pinningtest.appspot.com",
// Dropbox
"dropbox.com",
"www.dropbox.com",
// Twitter
"api.twitter.com",
"business.twitter.com",
"dev.twitter.com",
"mobile.twitter.com",
"oauth.twitter.com",
"platform.twitter.com",
"twimg.com",
"www.twitter.com",
// Tor
"torproject.org",
"blog.torproject.org",
"check.torproject.org",
"dist.torproject.org",
"www.torproject.org"
],
"exclude_domains" : [
// Chrome's entry for twitter.com doesn't include subdomains, so replace
// it with our own entry below which also uses an expanded pinset.
"twitter.com"
]
},
"pinsets": [
{
// From bug 772756, mozilla uses GeoTrust, Digicert and Thawte. Our
// cdn sites use Verisign and Baltimore. We exclude 1024-bit root certs
// from all providers. GeoTrust CA info:
// http://www.geotrust.com/resources/root-certificates/index.html
"name": "mozilla",
"sha256_hashes": [
"Baltimore CyberTrust Root",
"DigiCert Assured ID Root CA",
"DigiCert Global Root CA",
"DigiCert High Assurance EV Root CA",
"GeoTrust Global CA",
"GeoTrust Global CA 2",
"GeoTrust Primary Certification Authority",
"GeoTrust Primary Certification Authority - G2",
"GeoTrust Primary Certification Authority - G3",
"GeoTrust Universal CA",
"GeoTrust Universal CA 2",
"thawte Primary Root CA",
"thawte Primary Root CA - G2",
"thawte Primary Root CA - G3",
"Verisign Class 1 Public Primary Certification Authority - G3",
"Verisign Class 2 Public Primary Certification Authority - G3",
"Verisign Class 3 Public Primary Certification Authority - G3",
"VeriSign Class 3 Public Primary Certification Authority - G4",
"VeriSign Class 3 Public Primary Certification Authority - G5",
"Verisign Class 4 Public Primary Certification Authority - G3",
"VeriSign Universal Root Certification Authority"
]
},
{
"name": "mozilla_services",
"sha256_hashes": [
"DigiCert Global Root CA"
]
},
// For pinning tests on pinning.example.com, the certificate must be 'End
// Entity Test Cert'
{
"name": "mozilla_test",
"sha256_hashes": [
"End Entity Test Cert"
]
},
// Google's root PEMs. Chrome pins only to their intermediate certs, but
// they'd like us to be more liberal. For the initial list, we are using
// the certs from http://pki.google.com/roots.pem.
// The CAs commented out below have no matching built-in in the Mozilla root store.
{
"name": "google_root_pems",
"sha256_hashes": [
"AddTrust External Root",
"AddTrust Low-Value Services Root",
"AddTrust Public Services Root",
"AddTrust Qualified Certificates Root",
"AffirmTrust Commercial",
"AffirmTrust Networking",
"AffirmTrust Premium",
"AffirmTrust Premium ECC",
"America Online Root Certification Authority 1",
"America Online Root Certification Authority 2",
"Baltimore CyberTrust Root",
"Comodo AAA Services root",
"COMODO Certification Authority",
"COMODO ECC Certification Authority",
"Comodo Secure Services root",
"Comodo Trusted Services root",
"Cybertrust Global Root",
"DigiCert Assured ID Root CA",
"DigiCert Global Root CA",
"DigiCert High Assurance EV Root CA",
"Entrust.net Premium 2048 Secure Server CA",
// "Entrust.net Secure Server CA",
"Entrust Root Certification Authority",
"Equifax Secure CA",
"Equifax Secure eBusiness CA 1",
// "Equifax Secure eBusiness CA 2",
"Equifax Secure Global eBusiness CA",
"GeoTrust Global CA",
"GeoTrust Global CA 2",
"GeoTrust Primary Certification Authority",
"GeoTrust Primary Certification Authority - G2",
"GeoTrust Primary Certification Authority - G3",
"GeoTrust Universal CA",
"GeoTrust Universal CA 2",
"GlobalSign Root CA",
"GlobalSign Root CA - R2",
"GlobalSign Root CA - R3",
"Go Daddy Class 2 CA",
"Go Daddy Root Certificate Authority - G2",
// "GTE CyberTrust Global Root",
"Network Solutions Certificate Authority",
// "RSA Root Certificate 1",
"Starfield Class 2 CA",
"Starfield Root Certificate Authority - G2",
"Starfield Services Root Certificate Authority - G2",
"StartCom Certification Authority",
"StartCom Certification Authority",
"StartCom Certification Authority G2",
"TC TrustCenter Class 2 CA II",
"TC TrustCenter Class 3 CA II",
"TC TrustCenter Universal CA I",
"TC TrustCenter Universal CA III",
"Thawte Premium Server CA",
"thawte Primary Root CA",
"thawte Primary Root CA - G2",
"thawte Primary Root CA - G3",
"Thawte Server CA",
"UTN DATACorp SGC Root CA",
"UTN USERFirst Hardware Root CA",
// "ValiCert Class 1 VA",
// "ValiCert Class 2 VA",
"Verisign Class 3 Public Primary Certification Authority",
"Verisign Class 3 Public Primary Certification Authority",
"Verisign Class 3 Public Primary Certification Authority - G2",
"Verisign Class 3 Public Primary Certification Authority - G3",
"VeriSign Class 3 Public Primary Certification Authority - G4",
"VeriSign Class 3 Public Primary Certification Authority - G5",
"Verisign Class 4 Public Primary Certification Authority - G3",
"VeriSign Universal Root Certification Authority",
"XRamp Global CA Root"
]
}
],
"entries": [
// Only domains that are operationally crucial to Firefox can have per-host
// telemetry reporting (the "id" field).
{ "name": "addons.mozilla.org", "include_subdomains": true,
"pins": "mozilla", "test_mode": false, "id": 1 },
{ "name": "addons.mozilla.net", "include_subdomains": true,
"pins": "mozilla", "test_mode": false, "id": 2 },
{ "name": "aus4.mozilla.org", "include_subdomains": true,
"pins": "mozilla", "test_mode": true, "id": 3 },
{ "name": "accounts.firefox.com", "include_subdomains": true,
"pins": "mozilla_services", "test_mode": false, "id": 4 },
{ "name": "api.accounts.firefox.com", "include_subdomains": true,
"pins": "mozilla_services", "test_mode": false, "id": 5 },
{ "name": "cdn.mozilla.net", "include_subdomains": true,
"pins": "mozilla", "test_mode": false },
{ "name": "cdn.mozilla.org", "include_subdomains": true,
"pins": "mozilla", "test_mode": false },
{ "name": "media.mozilla.com", "include_subdomains": true,
"pins": "mozilla", "test_mode": false },
{ "name": "services.mozilla.com", "include_subdomains": true,
"pins": "mozilla_services", "test_mode": true, "id": 6 },
{ "name": "include-subdomains.pinning.example.com",
"include_subdomains": true, "pins": "mozilla_test",
"test_mode": false },
// Example domain to collect per-host stats for telemetry tests.
{ "name": "exclude-subdomains.pinning.example.com",
"include_subdomains": false, "pins": "mozilla_test",
"test_mode": false, "id": 0 },
{ "name": "test-mode.pinning.example.com", "include_subdomains": true,
"pins": "mozilla_test", "test_mode": true },
// Expand twitter's pinset to include all of *.twitter.com and use the
// twitterCDN pinset (not defined in this file's "pinsets"). More specific
// rules take precedence because we search for the exact domain name first.
{ "name": "twitter.com", "include_subdomains": true,
"pins": "twitterCDN", "test_mode": false }
],
"extra_certificates": [
// DigiCert ECC Secure Server CA (for Facebook)
"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"
]
}