

      1 // -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
      2 // This Source Code Form is subject to the terms of the Mozilla Public
      3 // License, v. 2.0. If a copy of the MPL was not distributed with this
      4 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
      5 
      6 // The top-level element is a dictionary. Its two main keys are "pinsets", which
      7 // maps details of certificate pinning to a name, and "entries", which contains the
      8 // HPKP details for each host. The remaining keys are "chromium_data" (settings for
        // importing Chromium's preloaded pin list) and "extra_certificates" (see below).
      9 //
     10 // "pinsets" is a list of objects. Each object has the following members:
     11 //   name: (string) the name of the pinset
     12 //   sha256_hashes: (list of strings) the set of allowed SPKI hashes, each given as a certificate name (see below), not as a literal hash
     13 //
     14 // For a given pinset, a certificate chain is accepted if at least one of the
     15 // listed Subject Public Key Infos (SPKIs) appears in the chain.  SPKIs are specified
     16 // by certificate name, which must match the name in the Mozilla root store (or the subject of an entry in "extra_certificates").
     17 //
     18 // "entries" is a list of objects. Each object has the following members:
     19 //   name: (string) the DNS name of the host in question
     20 //   include_subdomains: (optional bool) whether subdomains of |name| are also covered
     21 //   pins: (string) the |name| member of an object in |pinsets|
        //   test_mode: (bool) when true the pin is evaluated for telemetry only rather
        //     than enforced (the AUS and telemetry entries below rely on this) --
        //     confirm against the HPKP enforcement code; production hosts should be false
        //   id: (optional int) per-host telemetry reporting id; only hosts that are
        //     operationally crucial to Firefox get one
     22 //
     23 // "extra_certificates" is a list of base64-encoded certificates. These are used in
     24 // pinsets that reference certificates not in our root program (for example,
     25 // Facebook or intermediate CA certs).
     26 
     27 {
     28  "chromium_data" : {
     29    "cert_file_url": "https://chromium.googlesource.com/chromium/src/+/refs/heads/main/net/http/transport_security_state_static.pins?format=TEXT",
     30    "json_file_url": "https://chromium.googlesource.com/chromium/src/+/refs/heads/main/net/http/transport_security_state_static_pins.json?format=TEXT",
     31    "substitute_pinsets": {
     32      // Use the larger google_root_pems pinset instead of google
     33      "google": "google_root_pems"
     34    },
     35    "production_pinsets": [
     36      "google_root_pems",
     37      "facebook",
     38      "ncsccs"
     39    ],
     40    "production_domains": [
     41      // Chrome's test domains.
     42      "pinningtest.appspot.com",
     43      "pinning-test.badssl.com",
     44      // SpiderOak
     45      "spideroak.com"
     46    ],
     47    "exclude_domains" : []
     48   },
     49  "pinsets": [
     50    {
     51      "name": "mozilla_services",
     52      "sha256_hashes": [
     53        // Current Digicert root hierarchy (G1)
     54        // Digicert is migrating users off this root hierarchy
     55        // https://knowledge.digicert.com/generalinformation/digicert-root-and-intermediate-ca-certificate-updates-2023.html
     56        "DigiCert Global Root CA",
     57        "DigiCert High Assurance EV Root CA",
     58        // New Digicert root hierarchy (G2)
     59        // Digicert is migrating users to this root hierarchy
     60        // https://knowledge.digicert.com/generalinformation/digicert-root-and-intermediate-ca-certificate-updates-2023.html
     61        "DigiCert Global Root G2",
     62        // Future Digicert root hierarchy (G5)
     63        // Digicert will be switching to this root hierarchy in the future
     64        // https://knowledge.digicert.com/generalinformation/digicert-g5-root-and-intermediate-ca-certificate-migration.html
     65        "DigiCert TLS ECC P384 Root G5",
     66        "DigiCert TLS RSA4096 Root G5",
     67        // Current Let's Encrypt root hierarchy
     68        // https://letsencrypt.org/certificates/
     69        "ISRG Root X1"
     70      ]
     71    },
     72    // For pinning tests on pinning.example.com, the certificate must be 'End
     73    // Entity Test Cert'
     74    {
     75      "name": "mozilla_test",
     76      "sha256_hashes": [
     77        "End Entity Test Cert"
     78      ]
     79    },
     80    // Google's root PEMs. Chrome pins only to their intermediate certs, but
     81    // they'd like us to be more liberal. For the initial list, we are using
     82    // the certs from https://pki.google.com/roots.pem.
     83    // We have no built-in for commented out CAs.
     84    // This list should be updated via the dumpGoogleRoots.js script.
     85    {
     86      "name": "google_root_pems",
     87      "sha256_hashes": [
     88        "Comodo AAA Services root",
     89        "COMODO Certification Authority",
     90        "COMODO ECC Certification Authority",
     91        "COMODO RSA Certification Authority",
     92        "DigiCert Assured ID Root CA",
     93        "DigiCert Assured ID Root G2",
     94        "DigiCert Assured ID Root G3",
     95        "DigiCert Global Root CA",
     96        "DigiCert Global Root G2",
     97        "DigiCert Global Root G3",
     98        "DigiCert High Assurance EV Root CA",
     99        "DigiCert Trusted Root G4",
    100        "GlobalSign ECC Root CA - R4",
    101        "GlobalSign ECC Root CA - R5",
    102        "GlobalSign Root CA",
    103        "GlobalSign Root CA - R3",
    104        "GlobalSign Root CA - R6",
    105        "Go Daddy Class 2 CA",
    106        "Go Daddy Root Certificate Authority - G2",
    107        "GTS Root R1",
    108        "GTS Root R2",
    109        "GTS Root R3",
    110        "GTS Root R4",
    111        "Starfield Class 2 CA",
    112        "Starfield Root Certificate Authority - G2",
    113        "USERTrust ECC Certification Authority",
    114        "USERTrust RSA Certification Authority"
    115      ]
    116    }
    117    // The list above should be updated via the dumpGoogleRoots.js script.
    118  ],
    119 
    120  "entries": [
    121    // Only domains that are operationally crucial to Firefox can have per-host
    122    // telemetry reporting (the "id" field).
    123    { "name": "addons.mozilla.org", "include_subdomains": true,
    124      "pins": "mozilla_services", "test_mode": false, "id": 1 },
    125    { "name": "addons.mozilla.net", "include_subdomains": true,
    126      "pins": "mozilla_services", "test_mode": false, "id": 2 },
    127    // AUS servers MUST remain in test mode
    128    // see: https://bugzilla.mozilla.org/show_bug.cgi?id=1301956#c23
    129    { "name": "aus4.mozilla.org", "include_subdomains": true,
    130      "pins": "mozilla_services", "test_mode": true, "id": 3 },
    131    { "name": "aus5.mozilla.org", "include_subdomains": true,
    132      "pins": "mozilla_services", "test_mode": true, "id": 7 },
    133    // Catchall for applications hosted under firefox.com
    134    // see https://bugzilla.mozilla.org/show_bug.cgi?id=1494431
    135    { "name": "firefox.com", "include_subdomains": true,
    136      "pins": "mozilla_services", "test_mode": true, "id": 15 },
    137    // Firefox Accounts & sync
    138    // also matched by the firefox.com catch-all above, but that entry is test-mode only; these stay enforced (test_mode false) and keep their own telemetry ids
    139    { "name": "accounts.firefox.com", "include_subdomains": true,
    140      "pins": "mozilla_services", "test_mode": false, "id": 4 },
    141    { "name": "api.accounts.firefox.com", "include_subdomains": true,
    142      "pins": "mozilla_services", "test_mode": false, "id": 5 },
    143    { "name": "sync.services.mozilla.com", "include_subdomains": true,
    144      "pins": "mozilla_services", "test_mode": false, "id": 13 },
    145    // Catch-all for all CDN resources, including product delivery
    146    // Telemetry IDs added in bug 1521983.
    147    { "name": "cdn.mozilla.net", "include_subdomains": true,
    148      "pins": "mozilla_services", "test_mode": false, "id": 16 },
    149    { "name": "cdn.mozilla.org", "include_subdomains": true,
    150      "pins": "mozilla_services", "test_mode": false, "id": 17 },
    151    { "name": "download.mozilla.org", "include_subdomains": false,
    152      "pins": "mozilla_services", "test_mode": false, "id": 14 },
    153    // Catch-all for everything hosted under services.mozilla.com
    154    { "name": "services.mozilla.com", "include_subdomains": true,
    155      "pins": "mozilla_services", "test_mode": false, "id": 6 },
    156    // Catch-all for everything hosted under telemetry.mozilla.org
    157    // MUST remain in test mode in order to receive telemetry on broken pins
    158    { "name": "telemetry.mozilla.org", "include_subdomains": true,
    159      "pins": "mozilla_services", "test_mode": true, "id": 8 },
    160    // Test Pilot
    161    // also matched by the firefox.com catch-all above, but that entry is test-mode only; this one stays enforced (test_mode false) and keeps its own telemetry id
    162    { "name": "testpilot.firefox.com", "include_subdomains": false,
    163      "pins": "mozilla_services", "test_mode": false, "id": 9 },
    164    // Crash report sites
    165    { "name": "crash-reports.mozilla.com", "include_subdomains": false,
    166      "pins": "mozilla_services", "test_mode": false, "id": 10 },
    167    { "name": "crash-reports-xpsp2.mozilla.com", "include_subdomains": false,
    168      "pins": "mozilla_services", "test_mode": false, "id": 11 },
    169    { "name": "crash-stats.mozilla.org", "include_subdomains": false,
    170      "pins": "mozilla_services", "test_mode": false, "id": 12 },
    171    { "name": "include-subdomains.pinning.example.com",
    172      "include_subdomains": true, "pins": "mozilla_test",
    173      "test_mode": false },
    174    // Example domain to collect per-host stats for telemetry tests.
    175    { "name": "exclude-subdomains.pinning.example.com",
    176      "include_subdomains": false, "pins": "mozilla_test",
    177      "test_mode": false },
    178    { "name": "test-mode.pinning.example.com", "include_subdomains": true,
    179      "pins": "mozilla_test", "test_mode": true }
    180  ],
    181  // When pinning to non-root certs, like intermediates,
    182  // place the PEM of the pinned certificate in this array
    183  // so Firefox can find the subject DN and public key.
        // NOTE(review): no pinset above references the two Let's Encrypt intermediates
        // listed here (mozilla_services pins "ISRG Root X1" directly); confirm they are
        // still needed before relying on them.
    184  "extra_certificates": [
    185    // Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
    186    // Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X1
    187    "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",
    188    // Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X4
    189    // Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X1
    190    "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"
    191  ]
    192 }