Mypal/security/manager/tools/PreloadedHPKPins.json

// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.

// The top-level element is a dictionary with two keys: "pinsets" maps details
// of certificate pinning to a name and "entries" contains the HPKP details for
// each host.
//
// "pinsets" is a list of objects. Each object has the following members:
//   name: (string) the name of the pinset
//   sha256_hashes: (list of strings) the set of allowed SPKIs hashes
//
// For a given pinset, a certificate is accepted if at least one of the
// Subject Public Key Infos (SPKIs) is found in the chain.  SPKIs are specified
// as names, which must match up with the name given in the Mozilla root store.
//
// "entries" is a list of objects. Each object has the following members:
//   name: (string) the DNS name of the host in question
//   include_subdomains: (optional bool) whether subdomains of |name| are also covered
//   pins: (string) the |name| member of an object in |pinsets|
//
// "extra_certs" is a list of base64-encoded certificates. These are used in
// pinsets that reference certificates not in our root program (for example,
// Facebook).

// equifax -> aus3
// Geotrust Primary -> www.mozilla.org
// Geotrust Global -> *. addons.mozilla.org
{
  "chromium_data" : {
    "cert_file_url": "https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.pins?format=TEXT",
    "json_file_url": "https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json?format=TEXT",
    "substitute_pinsets": {
      // Use the larger google_root_pems pinset instead of google
      "google": "google_root_pems"
    },
    "production_pinsets": [
      "google_root_pems",
      "facebook"
    ],
    "production_domains": [
      // Chrome's test domains.
      "pinningtest.appspot.com",
      "pinning-test.badssl.com",
      // Dropbox
      "dropbox.com",
      "www.dropbox.com",
      // Twitter
      "api.twitter.com",
      "business.twitter.com",
      "dev.twitter.com",
      "mobile.twitter.com",
      "oauth.twitter.com",
      "platform.twitter.com",
      "twimg.com",
      "www.twitter.com",
      // Tor
      "torproject.org",
      "blog.torproject.org",
      "check.torproject.org",
      "dist.torproject.org",
      "www.torproject.org",
      // SpiderOak
      "spideroak.com"
    ],
    "exclude_domains" : [
      // Chrome's entry for twitter.com doesn't include subdomains, so replace
      // it with our own entry below which also uses an expanded pinset.
      "twitter.com"
    ]
   },
  "pinsets": [
    {
      // From bug 772756, mozilla uses GeoTrust, Digicert and Thawte.  Our
      // cdn sites use Verisign and Baltimore. We exclude 1024-bit root certs
      // from all providers. geotrust ca info:
      // http://www.geotrust.com/resources/root-certificates/index.html
      "name": "mozilla",
      "sha256_hashes": [
        "Baltimore CyberTrust Root",
        "DigiCert Assured ID Root CA",
        "DigiCert Global Root CA",
        "DigiCert High Assurance EV Root CA",
        "GeoTrust Global CA",
        "GeoTrust Global CA 2",
        "GeoTrust Primary Certification Authority",
        "GeoTrust Primary Certification Authority - G2",
        "GeoTrust Primary Certification Authority - G3",
        "GeoTrust Universal CA",
        "GeoTrust Universal CA 2",
        "thawte Primary Root CA",
        "thawte Primary Root CA - G2",
        "thawte Primary Root CA - G3",
        "Verisign Class 1 Public Primary Certification Authority - G3",
        "Verisign Class 2 Public Primary Certification Authority - G3",
        "Verisign Class 3 Public Primary Certification Authority - G3",
        "VeriSign Class 3 Public Primary Certification Authority - G4",
        "VeriSign Class 3 Public Primary Certification Authority - G5",
        // "Verisign Class 4 Public Primary Certification Authority - G3",
        "VeriSign Universal Root Certification Authority"
      ]
    },
    {
      "name": "mozilla_services",
      "sha256_hashes": [
        "DigiCert Global Root CA"
      ]
    },
    // For pinning tests on pinning.example.com, the certificate must be 'End
    // Entity Test Cert'
    {
      "name": "mozilla_test",
      "sha256_hashes": [
        "End Entity Test Cert"
      ]
    },
    // Google's root PEMs. Chrome pins only to their intermediate certs, but
    // they'd like us to be more liberal. For the initial list, we are using
    // the certs from http://pki.google.com/roots.pem.
    // We have no built-in for commented out CAs.
    {
      "name": "google_root_pems",
      "sha256_hashes": [
        "AddTrust External Root",
        "AddTrust Low-Value Services Root",
        "AddTrust Public Services Root",
        "AddTrust Qualified Certificates Root",
        "AffirmTrust Commercial",
        "AffirmTrust Networking",
        "AffirmTrust Premium",
        "AffirmTrust Premium ECC",
        "Baltimore CyberTrust Root",
        "Comodo AAA Services root",
        "COMODO Certification Authority",
        "COMODO ECC Certification Authority",
        "COMODO RSA Certification Authority",
        "Comodo Secure Services root",
        "Comodo Trusted Services root",
        "Cybertrust Global Root",
        "DigiCert Assured ID Root CA",
        "DigiCert Assured ID Root G2",
        "DigiCert Assured ID Root G3",
        "DigiCert Global Root CA",
        "DigiCert Global Root G2",
        "DigiCert Global Root G3",
        "DigiCert High Assurance EV Root CA",
        "DigiCert Trusted Root G4",
        "Entrust Root Certification Authority",
        "Entrust Root Certification Authority - EC1",
        "Entrust Root Certification Authority - G2",
        "Entrust.net Premium 2048 Secure Server CA",
        // "Equifax Secure Certificate Authority",
        "GeoTrust Global CA",
        "GeoTrust Global CA 2",
        "GeoTrust Primary Certification Authority",
        "GeoTrust Primary Certification Authority - G2",
        "GeoTrust Primary Certification Authority - G3",
        "GeoTrust Universal CA",
        "GeoTrust Universal CA 2",
        "GlobalSign ECC Root CA - R4",
        "GlobalSign ECC Root CA - R5",
        "GlobalSign Root CA",
        "GlobalSign Root CA - R2",
        "GlobalSign Root CA - R3",
        "Go Daddy Class 2 CA",
        "Go Daddy Root Certificate Authority - G2",
        "Starfield Class 2 CA",
        "Starfield Root Certificate Authority - G2",
        "thawte Primary Root CA",
        "thawte Primary Root CA - G2",
        "thawte Primary Root CA - G3",
        "USERTrust ECC Certification Authority",
        "USERTrust RSA Certification Authority",
        "UTN USERFirst Hardware Root CA",
        "Verisign Class 3 Public Primary Certification Authority - G3",
        "VeriSign Class 3 Public Primary Certification Authority - G4",
        "VeriSign Class 3 Public Primary Certification Authority - G5",
        "VeriSign Universal Root Certification Authority"
      ]
    }
  ],

  "entries": [
    // Only domains that are operationally crucial to Firefox can have per-host
    // telemetry reporting (the "id") field
    { "name": "addons.mozilla.org", "include_subdomains": true,
      "pins": "mozilla", "test_mode": false, "id": 1 },
    { "name": "addons.mozilla.net", "include_subdomains": true,
      "pins": "mozilla", "test_mode": false, "id": 2 },
    { "name": "aus4.mozilla.org", "include_subdomains": true,
      "pins": "mozilla", "test_mode": true, "id": 3 },
    { "name": "accounts.firefox.com", "include_subdomains": true,
      "pins": "mozilla_services", "test_mode": false, "id": 4 },
    { "name": "api.accounts.firefox.com", "include_subdomains": true,
      "pins": "mozilla_services", "test_mode": false, "id": 5 },
    { "name": "cdn.mozilla.net", "include_subdomains": true,
      "pins": "mozilla", "test_mode": false },
    { "name": "cdn.mozilla.org", "include_subdomains": true,
      "pins": "mozilla", "test_mode": false },
    { "name": "services.mozilla.com", "include_subdomains": true,
      "pins": "mozilla_services", "test_mode": false, "id": 6 },
    { "name": "include-subdomains.pinning.example.com",
      "include_subdomains": true, "pins": "mozilla_test",
      "test_mode": false },
    // Example domain to collect per-host stats for telemetry tests.
    { "name": "exclude-subdomains.pinning.example.com",
      "include_subdomains": false, "pins": "mozilla_test",
      "test_mode": false, "id": 0 },
    { "name": "test-mode.pinning.example.com", "include_subdomains": true,
      "pins": "mozilla_test", "test_mode": true },
    // Expand twitter's pinset to include all of *.twitter.com and use
    // twitterCDN. More specific rules take precedence because we search for
    // exact domain name first.
    { "name": "twitter.com", "include_subdomains": true,
      "pins": "twitterCDN", "test_mode": false },
    { "name": "aus5.mozilla.org", "include_subdomains": true,
      "pins": "mozilla", "test_mode": true, "id": 7 }
  ],

  "extra_certificates": []
}