diff --git a/security/manager/ssl/StaticHPKPins.errors b/security/manager/ssl/StaticHPKPins.errors
index 0399f97ad38d..c2f08ccfbbc2 100644
--- a/security/manager/ssl/StaticHPKPins.errors
+++ b/security/manager/ssl/StaticHPKPins.errors
@@ -9,8 +9,9 @@ Can't find hash in builtin certs for Chrome nickname GoDaddySecure, inserting GO
 Can't find hash in builtin certs for Chrome nickname ThawtePremiumServer, inserting GOOGLE_PIN_ThawtePremiumServer
 Can't find hash in builtin certs for Chrome nickname SymantecClass3EVG3, inserting GOOGLE_PIN_SymantecClass3EVG3
 Can't find hash in builtin certs for Chrome nickname DigiCertECCSecureServerCA, inserting GOOGLE_PIN_DigiCertECCSecureServerCA
-Can't find hash in builtin certs for Chrome nickname LetsEncryptAuthorityX1, inserting GOOGLE_PIN_LetsEncryptAuthorityX1
-Can't find hash in builtin certs for Chrome nickname LetsEncryptAuthorityX2, inserting GOOGLE_PIN_LetsEncryptAuthorityX2
+Can't find hash in builtin certs for Chrome nickname LetsEncryptAuthorityPrimary_X1_X3, inserting GOOGLE_PIN_LetsEncryptAuthorityPrimary_X1_X3
+Can't find hash in builtin certs for Chrome nickname LetsEncryptAuthorityBackup_X2_X4, inserting GOOGLE_PIN_LetsEncryptAuthorityBackup_X2_X4
+Can't find hash in builtin certs for Chrome nickname COMODORSADomainValidationSecureServerCA, inserting GOOGLE_PIN_COMODORSADomainValidationSecureServerCA
 Writing pinset test
 Writing pinset google
 Writing pinset tor
@@ -20,3 +21,5 @@ Writing pinset dropbox
 Writing pinset facebook
 Writing pinset spideroak
 Writing pinset yahoo
+Writing pinset swehackCom
+Writing pinset nightx
diff --git a/security/manager/ssl/StaticHPKPins.h b/security/manager/ssl/StaticHPKPins.h
index d6c15662eba5..85a991d554b7 100644
--- a/security/manager/ssl/StaticHPKPins.h
+++ b/security/manager/ssl/StaticHPKPins.h
@@ -71,6 +71,10 @@ static const char kComodo_Trusted_Services_rootFingerprint[] =
 static const char kCybertrust_Global_RootFingerprint[] =
 "foeCwVDOOVL4AuY2AjpdPpW7XWjjPoWtsroXgSXOvxU=";
 
+/* DST Root CA X3 */
+static const char kDST_Root_CA_X3Fingerprint[] =
+ "Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=";
+
 /* DigiCert Assured ID Root CA */
 static const char kDigiCert_Assured_ID_Root_CAFingerprint[] =
 "I/Lt/z7ekCWanjD0Cvj5EqXls2lOaThEA0H2Bg4BT/o=";
@@ -131,6 +135,10 @@ static const char kEquifax_Secure_CAFingerprint[] =
 static const char kFacebookBackupFingerprint[] =
 "q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ=";
 
+/* GOOGLE_PIN_COMODORSADomainValidationSecureServerCA */
+static const char kGOOGLE_PIN_COMODORSADomainValidationSecureServerCAFingerprint[] =
+ "klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=";
+
 /* GOOGLE_PIN_DigiCertECCSecureServerCA */
 static const char kGOOGLE_PIN_DigiCertECCSecureServerCAFingerprint[] =
 "PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=";
@@ -151,14 +159,14 @@ static const char kGOOGLE_PIN_GoDaddySecureFingerprint[] =
 static const char kGOOGLE_PIN_GoogleG2Fingerprint[] =
 "7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=";
 
-/* GOOGLE_PIN_LetsEncryptAuthorityX1 */
-static const char kGOOGLE_PIN_LetsEncryptAuthorityX1Fingerprint[] =
- "YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=";
-
-/* GOOGLE_PIN_LetsEncryptAuthorityX2 */
-static const char kGOOGLE_PIN_LetsEncryptAuthorityX2Fingerprint[] =
+/* GOOGLE_PIN_LetsEncryptAuthorityBackup_X2_X4 */
+static const char kGOOGLE_PIN_LetsEncryptAuthorityBackup_X2_X4Fingerprint[] =
 "sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis=";
 
+/* GOOGLE_PIN_LetsEncryptAuthorityPrimary_X1_X3 */
+static const char kGOOGLE_PIN_LetsEncryptAuthorityPrimary_X1_X3Fingerprint[] =
+ "YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=";
+
 /* GOOGLE_PIN_RapidSSL */
 static const char kGOOGLE_PIN_RapidSSLFingerprint[] =
 "lT09gPUeQfbYrlxRtpsHrjDblj9Rpz+u7ajfCrg4qDM=";
@@ -259,6 +267,14 @@ static const char kStarfield_Class_2_CAFingerprint[] =
 static const char kStarfield_Root_Certificate_Authority___G2Fingerprint[] =
 "gI1os/q0iEpflxrOfRBVDXqVoWN3Tz7Dav/7IT++THQ=";
 
+/* Swehack */
+static const char kSwehackFingerprint[] =
+ "FdaffE799rVb3oyAuhJ2mBW/XJwD07Uajb2G6YwSAEw=";
+
+/* SwehackBackup */
+static const char kSwehackBackupFingerprint[] =
+ "z6cuswA6E1vgFkCjUsbEYo0Lf3aP8M8YOvwkoiGzDCo=";
+
 /* TestSPKI */
 static const char kTestSPKIFingerprint[] =
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
@@ -485,10 +501,10 @@ static const StaticFingerprints kPinset_google = {
 static const char* const kPinset_tor_Data[] = {
 kTor3Fingerprint,
 kDigiCert_High_Assurance_EV_Root_CAFingerprint,
- kGOOGLE_PIN_LetsEncryptAuthorityX1Fingerprint,
+ kGOOGLE_PIN_LetsEncryptAuthorityPrimary_X1_X3Fingerprint,
 kTor1Fingerprint,
 kGOOGLE_PIN_RapidSSLFingerprint,
- kGOOGLE_PIN_LetsEncryptAuthorityX2Fingerprint,
+ kGOOGLE_PIN_LetsEncryptAuthorityBackup_X2_X4Fingerprint,
 kTor2Fingerprint,
 };
 static const StaticFingerprints kPinset_tor = {
@@ -642,6 +658,36 @@ static const StaticFingerprints kPinset_yahoo = {
 kPinset_yahoo_Data
 };
 
+static const char* const kPinset_swehackCom_Data[] = {
+ kSwehackFingerprint,
+ kDST_Root_CA_X3Fingerprint,
+ kGOOGLE_PIN_LetsEncryptAuthorityPrimary_X1_X3Fingerprint,
+ kGOOGLE_PIN_COMODORSADomainValidationSecureServerCAFingerprint,
+ kGOOGLE_PIN_LetsEncryptAuthorityBackup_X2_X4Fingerprint,
+ kSwehackBackupFingerprint,
+};
+static const StaticFingerprints kPinset_swehackCom = {
+ sizeof(kPinset_swehackCom_Data) / sizeof(const char*),
+ kPinset_swehackCom_Data
+};
+
+static const char* const kPinset_nightx_Data[] = {
+ kCOMODO_Certification_AuthorityFingerprint,
+ kDigiCert_Assured_ID_Root_CAFingerprint,
+ kVeriSign_Class_3_Public_Primary_Certification_Authority___G5Fingerprint,
+ kVeriSign_Class_3_Public_Primary_Certification_Authority___G4Fingerprint,
+ kDigiCert_High_Assurance_EV_Root_CAFingerprint,
+ kGOOGLE_PIN_LetsEncryptAuthorityPrimary_X1_X3Fingerprint,
+ kAddTrust_External_RootFingerprint,
+ kVeriSign_Universal_Root_Certification_AuthorityFingerprint,
+ kDigiCert_Global_Root_CAFingerprint,
+ kGOOGLE_PIN_LetsEncryptAuthorityBackup_X2_X4Fingerprint,
+};
+static const StaticFingerprints kPinset_nightx = {
+ sizeof(kPinset_nightx_Data) / sizeof(const char*),
+ kPinset_nightx_Data
+};
+
 /* Domainlist */
 struct TransportSecurityPreload {
 const char* mHost;
@@ -696,6 +742,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
 { "chrome-devtools-frontend.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
 { "chrome.com", true, false, false, -1, &kPinset_google_root_pems },
 { "chrome.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "chromiumbugs.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
 { "chromiumcodereview.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
 { "cl.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
 { "cloud.google.com", true, false, false, -1, &kPinset_google_root_pems },
@@ -968,6 +1015,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
 { "googlegroups.com", true, false, false, -1, &kPinset_google_root_pems },
 { "googlemail.com", false, false, false, -1, &kPinset_google_root_pems },
 { "googleplex.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "googlesource.com", true, false, false, -1, &kPinset_google_root_pems },
 { "googlesyndication.com", true, false, false, -1, &kPinset_google_root_pems },
 { "googletagmanager.com", true, false, false, -1, &kPinset_google_root_pems },
 { "googletagservices.com", true, false, false, -1, &kPinset_google_root_pems },
@@ -1016,6 +1064,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
 { "mx.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
 { "myaccount.google.com", true, false, false, -1, &kPinset_google_root_pems },
 { "ni.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "nightx.uk", true, true, false, -1, &kPinset_nightx },
 { "nl.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
 { "no.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
 { "np.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
@@ -1023,6 +1072,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
 { "oauth.twitter.com", true, false, false, -1, &kPinset_twitterCom },
 { "pa.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
 { "passwords.google.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "payments.google.com", true, false, false, -1, &kPinset_google_root_pems },
 { "pe.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
 { "ph.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
 { "pinning-test.badssl.com", true, false, false, -1, &kPinset_test },
@@ -1053,9 +1103,10 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
 { "sites.google.com", true, false, false, -1, &kPinset_google_root_pems },
 { "spideroak.com", true, false, false, -1, &kPinset_spideroak },
 { "spreadsheets.google.com", true, false, false, -1, &kPinset_google_root_pems },
- { "ssl.google-analytics.com", true, false, false, -1, &kPinset_google_root_pems },
 { "static.googleadsserving.cn", true, false, false, -1, &kPinset_google_root_pems },
+ { "stats.g.doubleclick.net", true, false, false, -1, &kPinset_google_root_pems },
 { "sv.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+ { "swehack.org", true, true, false, -1, &kPinset_swehackCom },
 { "t.facebook.com", true, false, false, -1, &kPinset_facebook },
 { "tablet.facebook.com", true, false, false, -1, &kPinset_facebook },
 { "talk.google.com", true, false, false, -1, &kPinset_google_root_pems },
@@ -1095,6 +1146,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
 { "wf-trial-hrd.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
 { "withgoogle.com", true, false, false, -1, &kPinset_google_root_pems },
 { "withyoutube.com", true, false, false, -1, &kPinset_google_root_pems },
+ { "www.dropbox.com", true, false, false, -1, &kPinset_dropbox },
 { "www.facebook.com", true, false, false, -1, &kPinset_facebook },
 { "www.gmail.com", false, false, false, -1, &kPinset_google_root_pems },
 { "www.googlemail.com", false, false, false, -1, &kPinset_google_root_pems },
@@ -1111,8 +1163,8 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
 { "zh.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
 };
 
-// Pinning Preload List Length = 455;
+// Pinning Preload List Length = 461;
 
 static const int32_t kUnknownId = -1;
 
-static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1473508744829000);
+static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1480769185296000);