summaryrefslogtreecommitdiff
path: root/security/manager/tools
diff options
context:
space:
mode:
authorMatt A. Tobin <mattatobin@localhost.localdomain>2018-02-02 04:16:08 -0500
committerMatt A. Tobin <mattatobin@localhost.localdomain>2018-02-02 04:16:08 -0500
commit5f8de423f190bbb79a62f804151bc24824fa32d8 (patch)
tree10027f336435511475e392454359edea8e25895d /security/manager/tools
parent49ee0794b5d912db1f95dce6eb52d781dc210db5 (diff)
downloaduxp-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.gz
Add m-esr52 at 52.6.0
Diffstat (limited to 'security/manager/tools')
-rw-r--r--security/manager/tools/.eslintrc.js9
-rw-r--r--security/manager/tools/KnownRootHashes.json949
-rw-r--r--security/manager/tools/PreloadedHPKPins.json222
-rw-r--r--security/manager/tools/dumpGoogleRoots.js106
-rw-r--r--security/manager/tools/genHPKPStaticPins.js630
-rw-r--r--security/manager/tools/genRootCAHashes.js255
-rw-r--r--security/manager/tools/getHSTSPreloadList.js497
-rw-r--r--security/manager/tools/makeCNNICHashes.js282
8 files changed, 2950 insertions, 0 deletions
diff --git a/security/manager/tools/.eslintrc.js b/security/manager/tools/.eslintrc.js
new file mode 100644
index 0000000000..49de9eadd1
--- /dev/null
+++ b/security/manager/tools/.eslintrc.js
@@ -0,0 +1,9 @@
+"use strict";
+
+module.exports = { // eslint-disable-line no-undef
+ "globals": {
+ // JS files in this folder are commonly xpcshell scripts where |arguments|
+ // is defined in the global scope.
+ "arguments": false
+ }
+};
diff --git a/security/manager/tools/KnownRootHashes.json b/security/manager/tools/KnownRootHashes.json
new file mode 100644
index 0000000000..81adeb653f
--- /dev/null
+++ b/security/manager/tools/KnownRootHashes.json
@@ -0,0 +1,949 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+//
+//***************************************************************************
+// This is an automatically generated file. It's used to maintain state for
+// runs of genRootCAHashes.js; you should never need to manually edit it
+//***************************************************************************
+
+{
+ "roots": [
+ {
+ "label": "GTE_CyberTrust_Global_Root",
+ "binNumber": 1,
+ "sha256Fingerprint": "pTElGI0hEKqWSwLHt8baMgMXCJTl+3H/+2Zn1eaBCjY="
+ },
+ {
+ "label": "Thawte_Server_CA",
+ "binNumber": 2,
+ "sha256Fingerprint": "tEELc+Lm6spH+8Qvj6QBivQ4HcVM+qhEUEYe7QlFTek="
+ },
+ {
+ "label": "Thawte_Premium_Server_CA",
+ "binNumber": 3,
+ "sha256Fingerprint": "q3A2NlxxVKopwsKfXUGRFjsWKiIlARNX1W0H/6e8H3I="
+ },
+ {
+ "label": "OU_Equifax_Secure_Certificate_Authority_O_Equifax_C_US",
+ "binNumber": 4,
+ "sha256Fingerprint": "CCl6QEfbojaAxzHbbjF2U8p4SOG+vToLAXmnB/ks8Xg="
+ },
+ {
+ "label": "OU_VeriSign_Trust_Network_OU___c__1998_VeriSign__Inc____For_authorized_use_only__OU_Class_3_Public_Primary_Certification_Authority___G2_O__VeriSign__Inc___C_US",
+ "binNumber": 5,
+ "sha256Fingerprint": "g848Eiloilk9SF+BlzwPkZVDHto3zF42Qw55x6iIY4s="
+ },
+ {
+ "label": "GlobalSign_Root_CA",
+ "binNumber": 6,
+ "sha256Fingerprint": "69QQQOS7PsdCyeOB0x7ypBpItmhclufO88HfbNQzHJk="
+ },
+ {
+ "label": "GlobalSign",
+ "binNumber": 7,
+ "sha256Fingerprint": "ykLdQXRf0LgeuQI2LPnYv3Gdob0bHvyUb1tMmfQsG54="
+ },
+ {
+ "label": "VeriSign_Class_3_Public_Primary_Certification_Authority___G3",
+ "binNumber": 8,
+ "sha256Fingerprint": "6wTPXrHzmvp2LyuxIPKWy6Ugwbl9sViVZbgcuaF7ckQ="
+ },
+ {
+ "label": "VeriSign_Class_4_Public_Primary_Certification_Authority___G3",
+ "binNumber": 9,
+ "sha256Fingerprint": "44k2DQ/brrPSUFhLRzAxTiIvOcFWoCAUTo2WBWF5FQY="
+ },
+ {
+ "label": "Entrust_net_Certification_Authority__2048_",
+ "binNumber": 10,
+ "sha256Fingerprint": "bcRxcuAcvLC/YlgNiV/iuKya1PhzgB4MELnIN9IesXc="
+ },
+ {
+ "label": "Baltimore_CyberTrust_Root",
+ "binNumber": 11,
+ "sha256Fingerprint": "Fq9XqfZ2sKsSYJWqXrre8iqzERnWRKyVzUuT2/Pyaus="
+ },
+ {
+ "label": "Equifax_Secure_Global_eBusiness_CA_1",
+ "binNumber": 12,
+ "sha256Fingerprint": "Xwti6rXjU+plIWUWWPu2U1n0QygKSvvRBNd9EPnwTAc="
+ },
+ {
+ "label": "Equifax_Secure_eBusiness_CA_1",
+ "binNumber": 13,
+ "sha256Fingerprint": "z1b/RqShhhCd2WWEte61ilEMQnWw5flPQLuuhl4Z9nM="
+ },
+ {
+ "label": "AddTrust_Class_1_CA_Root",
+ "binNumber": 14,
+ "sha256Fingerprint": "jHIJJ5rATideFtB/07d16AFUtZaARuMfUt0ldmMk6ac="
+ },
+ {
+ "label": "AddTrust_External_CA_Root",
+ "binNumber": 15,
+ "sha256Fingerprint": "aH+kUTgieP/wyLEfjUPVdmccbrK86rQT+4PZZdBtL/I="
+ },
+ {
+ "label": "AddTrust_Public_CA_Root",
+ "binNumber": 16,
+ "sha256Fingerprint": "B5HKB0myB4Kq08fXvQzfyUhYNYQ+steZYAnOQ6tsaSc="
+ },
+ {
+ "label": "AddTrust_Qualified_CA_Root",
+ "binNumber": 17,
+ "sha256Fingerprint": "gJUhCAXbS7w1XkQo2P1uws3jq1+5eplCmI649NzQYBY="
+ },
+ {
+ "label": "Entrust_Root_Certification_Authority",
+ "binNumber": 18,
+ "sha256Fingerprint": "c8F2Q08bxtWt9FsOducnKHyN5XYWwebmFBorLLx9jkw="
+ },
+ {
+ "label": "OU_RSA_Security_2048_V3_O_RSA_Security_Inc",
+ "binNumber": 19,
+ "sha256Fingerprint": "r4tnYqHlKCKBYaldXFWe4mYnj3XXnoMBiaUDUGq9a0w="
+ },
+ {
+ "label": "GeoTrust_Global_CA",
+ "binNumber": 20,
+ "sha256Fingerprint": "/4VqLSUdzYjTZlb0UBJnmM+rqt5AeZxyLeTStds2pzo="
+ },
+ {
+ "label": "GeoTrust_Global_CA_2",
+ "binNumber": 21,
+ "sha256Fingerprint": "yi2CoIZ3By+KtnZP8DVnbP4+XjJeASFy3z+SCW23m4U="
+ },
+ {
+ "label": "GeoTrust_Universal_CA",
+ "binNumber": 22,
+ "sha256Fingerprint": "oEWbn2OyJVn1+l1MbbP59y/xk0IDNXjwc78dG0bLuRI="
+ },
+ {
+ "label": "GeoTrust_Universal_CA_2",
+ "binNumber": 23,
+ "sha256Fingerprint": "oCNPO8hSfKVijuyBrV1piV2laA3JHRy4R38z+Hi5Wws="
+ },
+ {
+ "label": "America_Online_Root_Certification_Authority_1",
+ "binNumber": 24,
+ "sha256Fingerprint": "d0BzEsY6FT1bwAtOUXWc39rCN9wqM7Z5RumOm/poCuM="
+ },
+ {
+ "label": "America_Online_Root_Certification_Authority_2",
+ "binNumber": 25,
+ "sha256Fingerprint": "fTtGWmAU5SbAr/zuISfSMRcnrYEcJoQtAGrzcwbMgL0="
+ },
+ {
+ "label": "Visa_eCommerce_Root",
+ "binNumber": 26,
+ "sha256Fingerprint": "afrJvVX7CseNU7vuXPHVl5if0KqrIKJRUb3xcz7n0SI="
+ },
+ {
+ "label": "Certum_CA",
+ "binNumber": 27,
+ "sha256Fingerprint": "2OD+vB2y440AlA830n1BNE2ZPnNLmdVlbZd41NgUNiQ="
+ },
+ {
+ "label": "AAA_Certificate_Services",
+ "binNumber": 28,
+ "sha256Fingerprint": "16eg+11+JzHXcelITrze9x1fDD4KKUh4K8g+4OppnvQ="
+ },
+ {
+ "label": "Secure_Certificate_Services",
+ "binNumber": 29,
+ "sha256Fingerprint": "vYHOO09lkdEaZ7X8ekf97yVSG/mqThi5498uNKeAO+g="
+ },
+ {
+ "label": "Trusted_Certificate_Services",
+ "binNumber": 30,
+ "sha256Fingerprint": "PwblVoHUlvW+Fp61OJ+fK4/2HhcI32iBckhJzV0ny2k="
+ },
+ {
+ "label": "QuoVadis_Root_Certification_Authority",
+ "binNumber": 31,
+ "sha256Fingerprint": "pF7eO7vwnIrhXHLvwHJo1pOiHJlv1R5nygeUYP1tiHM="
+ },
+ {
+ "label": "QuoVadis_Root_CA_2",
+ "binNumber": 32,
+ "sha256Fingerprint": "haDdfdcgrbf/Bfg9VCsgncf/RSj31nexg4n+peXEnoY="
+ },
+ {
+ "label": "QuoVadis_Root_CA_3",
+ "binNumber": 33,
+ "sha256Fingerprint": "GPH8fyBd+K3d63/gB91X4683WpxNjXNUa/Tx/tHhjTU="
+ },
+ {
+ "label": "OU_Security_Communication_RootCA1_O_SECOM_Trust_net_C_JP",
+ "binNumber": 34,
+ "sha256Fingerprint": "515y7Z9WDuxutIAAc6Q/w60ZGVo5IoIBeJWXSpkCa2w="
+ },
+ {
+ "label": "Sonera_Class2_CA",
+ "binNumber": 35,
+ "sha256Fingerprint": "eQi0AxTBOBALUY0HNYB/+/z4UYoAlTNxBbo4axU92Sc="
+ },
+ {
+ "label": "Staat_der_Nederlanden_Root_CA",
+ "binNumber": 36,
+ "sha256Fingerprint": "1B2CnowWWYIq+T/OYr/83iZPyE6LlQxf8nXQUjVGlaM="
+ },
+ {
+ "label": "UTN___DATACorp_SGC",
+ "binNumber": 37,
+ "sha256Fingerprint": "hfsvkd0SJ1oBRbY2U0+EAkrWi2m47ohoT/cRN1gFs0g="
+ },
+ {
+ "label": "UTN_USERFirst_Hardware",
+ "binNumber": 38,
+ "sha256Fingerprint": "bqVHQdAEZn7tG0gWY0qjp55uS5aVD4J52vyNm9iBITc="
+ },
+ {
+ "label": "Chambers_of_Commerce_Root",
+ "binNumber": 39,
+ "sha256Fingerprint": "DCWKEqVnSu8l8oun3Prs7qNI5UHm9cxO5jtxs2FgasM="
+ },
+ {
+ "label": "Global_Chambersign_Root",
+ "binNumber": 40,
+ "sha256Fingerprint": "7zy0F/yOv2+Xh2yeTs453h6l/mSRQdECi30RwLIpjO0="
+ },
+ {
+ "label": "NetLock_Kozjegyzoi__Class_A__Tanusitvanykiado",
+ "binNumber": 41,
+ "sha256Fingerprint": "fxLNX35eKQ7H2FF51bcsIKW+dQj/21v4GrloSn/J9mc="
+ },
+ {
+ "label": "XRamp_Global_Certification_Authority",
+ "binNumber": 42,
+ "sha256Fingerprint": "zs3ckFCZ2NrfxbHSCbc3y+LBjPssEMD/C88NMob8GqI="
+ },
+ {
+ "label": "OU_Go_Daddy_Class_2_Certification_Authority_O__The_Go_Daddy_Group__Inc___C_US",
+ "binNumber": 43,
+ "sha256Fingerprint": "w4Rr8kuek8pkJ0wOxnwezF4CT/ys0tdAGTUOgf5UauQ="
+ },
+ {
+ "label": "OU_Starfield_Class_2_Certification_Authority_O__Starfield_Technologies__Inc___C_US",
+ "binNumber": 44,
+ "sha256Fingerprint": "FGX6IFOXuHb6pvCplY5VkOQPzH+qT7fCyGd1Iftftlg="
+ },
+ {
+ "label": "StartCom_Certification_Authority",
+ "binNumber": 45,
+ "sha256Fingerprint": "x2apvvLUBxyGOjGqSSDoE7LRmGCMt7fP4hFDuDbfCeo="
+ },
+ {
+ "label": "O_Government_Root_Certification_Authority_C_TW",
+ "binNumber": 46,
+ "sha256Fingerprint": "dgApXu/oW54f1iTbdgYqqq5ZgYpU0ndM1MCywBEx4bM="
+ },
+ {
+ "label": "Swisscom_Root_CA_1",
+ "binNumber": 47,
+ "sha256Fingerprint": "IdsgEjZguy7UGCBdoR7nqFpl4rxuVbWvfniZyKJm2S4="
+ },
+ {
+ "label": "DigiCert_Assured_ID_Root_CA",
+ "binNumber": 48,
+ "sha256Fingerprint": "PpCZtQFej0hsALzqnREe5yH6ujVaibzx32lWHj3GMlw="
+ },
+ {
+ "label": "DigiCert_Global_Root_CA",
+ "binNumber": 49,
+ "sha256Fingerprint": "Q0ig6URMeMsmXgWNXolEtNhPlmK9Jtslf4k0pEPHAWE="
+ },
+ {
+ "label": "DigiCert_High_Assurance_EV_Root_CA",
+ "binNumber": 50,
+ "sha256Fingerprint": "dDHl9MPBzkaQd08LYeBUQIg7qaAe0Aumq9eAbtOxGM8="
+ },
+ {
+ "label": "Class_2_Primary_CA",
+ "binNumber": 51,
+ "sha256Fingerprint": "D5k8iu+Xuq9WhxQO1ZrRghu0r6zwqppYtdV6M4o6+8s="
+ },
+ {
+ "label": "DST_Root_CA_X3",
+ "binNumber": 52,
+ "sha256Fingerprint": "BocmAzGnJAPZCfEF5pvPDTLhvSST/8bZIG0RvNZ3Bzk="
+ },
+ {
+ "label": "DST_ACES_CA_X6",
+ "binNumber": 53,
+ "sha256Fingerprint": "dnyVWnZBLImvaI6QoccPVWz9a2Al2+oQQW1+toMfjEA="
+ },
+ {
+ "label": "T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_",
+ "binNumber": 54,
+ "sha256Fingerprint": "RATjO14UDc+ZgFH9/IAox8gWFcXuc3sRG1iCM6m1NaA="
+ },
+ {
+ "label": "T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_",
+ "binNumber": 55,
+ "sha256Fingerprint": "xHDPVH4jArl3+yndcaiae2wfYHd7Ayn1YBfzKL9Pa+Y="
+ },
+ {
+ "label": "SwissSign_Gold_CA___G2",
+ "binNumber": 56,
+ "sha256Fingerprint": "Yt0L6bn1ChY+oPjnXAU7HspX6lXIaI9kfGiB8sg1e5U="
+ },
+ {
+ "label": "SwissSign_Silver_CA___G2",
+ "binNumber": 57,
+ "sha256Fingerprint": "vmxNoru5ulm285OXaDdCRsPABZk/qY8CDR3tvtSKgdU="
+ },
+ {
+ "label": "GeoTrust_Primary_Certification_Authority",
+ "binNumber": 58,
+ "sha256Fingerprint": "N9UQBsUS6qtiZCHx7IySAT/F+CrpjuUz60YZuN600Gw="
+ },
+ {
+ "label": "thawte_Primary_Root_CA",
+ "binNumber": 59,
+ "sha256Fingerprint": "jXIvganBE8B5HfE2opZtsmyVCpcdtGtBmfTqVLeL+58="
+ },
+ {
+ "label": "VeriSign_Class_3_Public_Primary_Certification_Authority___G5",
+ "binNumber": 60,
+ "sha256Fingerprint": "ms+rfkPI2IDQayYqlN7u5LRlmYnD0Mrxm69kBeQat98="
+ },
+ {
+ "label": "SecureTrust_CA",
+ "binNumber": 61,
+ "sha256Fingerprint": "8cG1CuWiDdgDDsn2vCSCPdNntSVXWbTnG2H86fc3XXM="
+ },
+ {
+ "label": "Secure_Global_CA",
+ "binNumber": 62,
+ "sha256Fingerprint": "QgD1BDrIWQ67Un0gntFQMCn7y9QcobUG7CfxWt59rGk="
+ },
+ {
+ "label": "COMODO_Certification_Authority",
+ "binNumber": 63,
+ "sha256Fingerprint": "DCzWPfeAb6OZ7egJEWtXW/h5ifBlGPmAjIYFAxeLr2Y="
+ },
+ {
+ "label": "Network_Solutions_Certificate_Authority",
+ "binNumber": 64,
+ "sha256Fingerprint": "FfC6AKOsevOsiEwHKxARoHe9d8CX9AFksvhZir2Dhgw="
+ },
+ {
+ "label": "WellsSecure_Public_Root_Certificate_Authority",
+ "binNumber": 65,
+ "sha256Fingerprint": "pxJyrqqjz+hyf3+znw+z0eVCbpBgsG7m8T6aPFgzzUM="
+ },
+ {
+ "label": "COMODO_ECC_Certification_Authority",
+ "binNumber": 66,
+ "sha256Fingerprint": "F5OSegYUVJeJrc4vjzT38LZtDzrjo7hNIewV27pPrcc="
+ },
+ {
+ "label": "IGC_A",
+ "binNumber": 67,
+ "sha256Fingerprint": "ub6nhgqWLqNhHauXq22j4hwQaLl9VVde0OESecEciTI="
+ },
+ {
+ "label": "OU_Security_Communication_EV_RootCA1_O__SECOM_Trust_Systems_CO__LTD___C_JP",
+ "binNumber": 68,
+ "sha256Fingerprint": "oi26aB6XN24tOX1yiq46m2KWuf26YLwuEfZH8sZ1+zc="
+ },
+ {
+ "label": "OISTE_WISeKey_Global_Root_GA_CA",
+ "binNumber": 69,
+ "sha256Fingerprint": "Qckjhmq0yta3rVeAgVguAgeXpsvfT/94zoOWs4k31/U="
+ },
+ {
+ "label": "Microsec_e_Szigno_Root_CA",
+ "binNumber": 70,
+ "sha256Fingerprint": "Mno9dhq63qA065mEBidcsaR3bv2uL99tAWjqHE9VZ9A="
+ },
+ {
+ "label": "Certigna",
+ "binNumber": 71,
+ "sha256Fingerprint": "47ai2y7XzkiEL3rFMkHHtx1UFEv7QMEfPx0LQvXuoS0="
+ },
+ {
+ "label": "TC_TrustCenter_Class_2_CA_II",
+ "binNumber": 72,
+ "sha256Fingerprint": "5rj4dmSF+Aeuf42sFnBGHwfAoT7vOh/3F1ONerrTkbQ="
+ },
+ {
+ "label": "TC_TrustCenter_Class_3_CA_II",
+ "binNumber": 73,
+ "sha256Fingerprint": "jaCE/Pmc4Hci+JsyBZOYBvpcuBHhyBP2oQjH0zazQI4="
+ },
+ {
+ "label": "TC_TrustCenter_Universal_CA_I",
+ "binNumber": 74,
+ "sha256Fingerprint": "6/PAKoeJsft9URmV1mO3KQbZE84NXhBWiop34lhhZ+c="
+ },
+ {
+ "label": "Deutsche_Telekom_Root_CA_2",
+ "binNumber": 75,
+ "sha256Fingerprint": "thkaUNDDl399qZvNqshqIn2uuWeexwujsMnZInHBcNM="
+ },
+ {
+ "label": "ComSign_Secured_CA",
+ "binNumber": 76,
+ "sha256Fingerprint": "UHlBx0RgoLRwhiINTpkyVyq10bW7y4mAqxyxdlGoRNI="
+ },
+ {
+ "label": "Cybertrust_Global_Root",
+ "binNumber": 77,
+ "sha256Fingerprint": "lgrfAGPpY1Z1DCll3QoIZ9oLnL1ud3FK6vsjSas5PaM="
+ },
+ {
+ "label": "OU_ePKI_Root_Certification_Authority_O__Chunghwa_Telecom_Co___Ltd___C_TW",
+ "binNumber": 78,
+ "sha256Fingerprint": "wKb03GOiS/3PVO8qaggqCnLeNYA+L/X/Unrl2HIG39U="
+ },
+ {
+ "label": "T_B_TAK_UEKAE_K_k_Sertifika_Hizmet_Sa_lay_c_s____S_r_m_3",
+ "binNumber": 79,
+ "sha256Fingerprint": "5Mc0MNeltQkl30M3Cg0hbpp5udbbg3Ogxp6xzDHHxSo="
+ },
+ {
+ "label": "Buypass_Class_2_CA_1",
+ "binNumber": 80,
+ "sha256Fingerprint": "D06c3SZLAlVQ0XCAY0AhT+lENMmwL2l+xxD8X+r7Xjg="
+ },
+ {
+ "label": "Buypass_Class_3_CA_1",
+ "binNumber": 81,
+ "sha256Fingerprint": "t7ErFx+CHaqZDND+UIexKESLqOUYT4TFHgK1yPuWKyQ="
+ },
+ {
+ "label": "EBG_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_",
+ "binNumber": 82,
+ "sha256Fingerprint": "Na5b3dj3rmNc/7pWgqjwC5X0hGLHEI7poOUpKwdKr7I="
+ },
+ {
+ "label": "OU_certSIGN_ROOT_CA_O_certSIGN_C_RO",
+ "binNumber": 83,
+ "sha256Fingerprint": "6qlixPpKa6/r5BUZbTUczYiNT1Pz+orm18RmqU5gQrs="
+ },
+ {
+ "label": "CNNIC_ROOT",
+ "binNumber": 84,
+ "sha256Fingerprint": "4oOTdz2oRaZ58ggMx/tEo7ehw3kst+t3Kf3Lao2Zrqc="
+ },
+ {
+ "label": "OU_ApplicationCA_O_Japanese_Government_C_JP",
+ "binNumber": 85,
+ "sha256Fingerprint": "LUdDfeF5USFaEvPFjlHHKaWAJu8fzApfs9ncAS9gDRk="
+ },
+ {
+ "label": "GeoTrust_Primary_Certification_Authority___G3",
+ "binNumber": 86,
+ "sha256Fingerprint": "tHi4EiUN+HhjXCqn7H0VXqpiXugpFuLNKUNhiGzR+9Q="
+ },
+ {
+ "label": "thawte_Primary_Root_CA___G2",
+ "binNumber": 87,
+ "sha256Fingerprint": "pDENUK8YpkRxkDcqhq+vi5Uf+0Mdg38eVoi0WXHtFVc="
+ },
+ {
+ "label": "thawte_Primary_Root_CA___G3",
+ "binNumber": 88,
+ "sha256Fingerprint": "SwP0WAetcPIb/Cyuccn95GBMBkz1/7aGuuXbqtf900w="
+ },
+ {
+ "label": "GeoTrust_Primary_Certification_Authority___G2",
+ "binNumber": 89,
+ "sha256Fingerprint": "Xtt6xDuCoGqHYejXvkl56/JhH33Xm/kcHGtWaiGe12Y="
+ },
+ {
+ "label": "VeriSign_Universal_Root_Certification_Authority",
+ "binNumber": 90,
+ "sha256Fingerprint": "I5lWESelcSXejO/qYQ3fL6B4tcgGf06CgpC/uGDoSzw="
+ },
+ {
+ "label": "VeriSign_Class_3_Public_Primary_Certification_Authority___G4",
+ "binNumber": 91,
+ "sha256Fingerprint": "ad3X6pC7V8k+E13IXqb81UgLYDI5vcRU/HWLKibPf3k="
+ },
+ {
+ "label": "NetLock_Arany__Class_Gold__F_tan_s_tv_ny",
+ "binNumber": 92,
+ "sha256Fingerprint": "bGHaw6Le8DFQa+A20qb+QBmU+9E9+cjUZlmSdMRG7Jg="
+ },
+ {
+ "label": "Staat_der_Nederlanden_Root_CA___G2",
+ "binNumber": 93,
+ "sha256Fingerprint": "ZoyDlH2mO3JL7OF0PDGg5q7Q247Fsxvjd7t4T5G2cW8="
+ },
+ {
+ "label": "CA_Disig",
+ "binNumber": 94,
+ "sha256Fingerprint": "kr9RGavsytCxMy3E4dBfunW1Z5BE7gyibpMfdE8vM88="
+ },
+ {
+ "label": "Juur_SK",
+ "binNumber": 95,
+ "sha256Fingerprint": "7MPpw0B1A77gkaqVL0E0j/iLqoY7ImS++sgHkBV06Tk="
+ },
+ {
+ "label": "Hongkong_Post_Root_CA_1",
+ "binNumber": 96,
+ "sha256Fingerprint": "+eZ9M2xRACrAVMYyAi1m3aLn4//xCtBh7THYu7QQz7I="
+ },
+ {
+ "label": "SecureSign_RootCA11",
+ "binNumber": 97,
+ "sha256Fingerprint": "vw/u+546WBrV+enbdYmYV0PSYQhcTTFPb11yWapCFhI="
+ },
+ {
+ "label": "ACEDICOM_Root",
+ "binNumber": 98,
+ "sha256Fingerprint": "A5UPtJpTHz4ZkZQjmN+p4Ooy17oc3ZvIXbV+2UALQ0o="
+ },
+ {
+ "label": "Microsec_e_Szigno_Root_CA_2009",
+ "binNumber": 99,
+ "sha256Fingerprint": "PF+B/qX6uCxkv6Lq7K/N6OB3/IYgp8rlNxY9827b83g="
+ },
+ {
+ "label": "e_Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi",
+ "binNumber": 100,
+ "sha256Fingerprint": "5gkHhGWkGXgMtqxMHAv7RlPZ2cxus5Rut/PWmZe61Zg="
+ },
+ {
+ "label": "GlobalSign",
+ "binNumber": 101,
+ "sha256Fingerprint": "y7Ui17fxJ61qAROGW98c1BAufQdZr2NafPRyDcljxTs="
+ },
+ {
+ "label": "Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068",
+ "binNumber": 102,
+ "sha256Fingerprint": "BASAKL8fKGTUj5rU2DKUNmqCiFZVPzsUMD+QFH9dQO8="
+ },
+ {
+ "label": "Izenpe_com",
+ "binNumber": 103,
+ "sha256Fingerprint": "JTDMjpgyFQK62W+bH7obCZ4tKZ4PRUi7kU82O8DUUx8="
+ },
+ {
+ "label": "Chambers_of_Commerce_Root___2008",
+ "binNumber": 104,
+ "sha256Fingerprint": "Bj5K+sSR39My8wibhULpRhfYk9f+lE4Qp5N+4p2Wk8A="
+ },
+ {
+ "label": "Global_Chambersign_Root___2008",
+ "binNumber": 105,
+ "sha256Fingerprint": "E2M1Q5M0p2mAFqDTJN5yKE4HnXtSILuPvXR4Fu6+uso="
+ },
+ {
+ "label": "Go_Daddy_Root_Certificate_Authority___G2",
+ "binNumber": 106,
+ "sha256Fingerprint": "RRQLMkfrnMjFtPDXtTCR9zKSCJ5uWmPidJ3TrKkZjto="
+ },
+ {
+ "label": "Starfield_Root_Certificate_Authority___G2",
+ "binNumber": 107,
+ "sha256Fingerprint": "LOHLC/nS+eECmT++IVFSw7LdDKveHGjlMZuDkVTbt/U="
+ },
+ {
+ "label": "Starfield_Services_Root_Certificate_Authority___G2",
+ "binNumber": 108,
+ "sha256Fingerprint": "Vo1pBaLIhwikswJRkO3P7bGXSmBqE8blKQ/LKuY+2rU="
+ },
+ {
+ "label": "AffirmTrust_Commercial",
+ "binNumber": 109,
+ "sha256Fingerprint": "A3arHVTF+YA85LLiAaDufu97V7Y26Kk8m41IYMlvX6c="
+ },
+ {
+ "label": "AffirmTrust_Networking",
+ "binNumber": 110,
+ "sha256Fingerprint": "CoHsWpKXd/FFkErzjV1Qn2a14sWPzbUxBYsOF/PwtBs="
+ },
+ {
+ "label": "AffirmTrust_Premium",
+ "binNumber": 111,
+ "sha256Fingerprint": "cKc/fzdrYAdCSJBFNLEUgtW/DmmOzEmN9SV36/LpO5o="
+ },
+ {
+ "label": "AffirmTrust_Premium_ECC",
+ "binNumber": 112,
+ "sha256Fingerprint": "vXH99tqX5M9i0WR63SWBsH15rfg5frTsupxehIiCFCM="
+ },
+ {
+ "label": "Certum_Trusted_Network_CA",
+ "binNumber": 113,
+ "sha256Fingerprint": "XFhGjVX1jkl+dDmC0rUAELbRZTdKz4On1KMtt2jEQI4="
+ },
+ {
+ "label": "Certinomis___Autorit__Racine",
+ "binNumber": 114,
+ "sha256Fingerprint": "/L/iiGIG9ysnWTyLBwKX4S12ntEO15MHBagJjv/BTRc="
+ },
+ {
+ "label": "Root_CA_Generalitat_Valenciana",
+ "binNumber": 115,
+ "sha256Fingerprint": "jE7f0ENI8yKWnn4ppM1NygBGVQYcFuGwdkIu80KtYw4="
+ },
+ {
+ "label": "A_Trust_nQual_03",
+ "binNumber": 116,
+ "sha256Fingerprint": "eTy/RVm5/eOKsi3xaGn2mIGuFMSwE5rHiKeKGvzKAvs="
+ },
+ {
+ "label": "TWCA_Root_Certification_Authority",
+ "binNumber": 117,
+ "sha256Fingerprint": "v9iP4RAcQa4+gBv4vlY1Dum60aa5vVFe3FxtW4cRrEQ="
+ },
+ {
+ "label": "OU_Security_Communication_RootCA2_O__SECOM_Trust_Systems_CO__LTD___C_JP",
+ "binNumber": 118,
+ "sha256Fingerprint": "UTss7LgQ1M3l3YU5Gt/Gwt1g2Hu3NtK1IUhKpHoOvvY="
+ },
+ {
+ "label": "EC_ACC",
+ "binNumber": 119,
+ "sha256Fingerprint": "iEl/AWAvMVQkauKMTVrvEPHYfrt2Ym9K4Lf5W6eWh5k="
+ },
+ {
+ "label": "Hellenic_Academic_and_Research_Institutions_RootCA_2011",
+ "binNumber": 120,
+ "sha256Fingerprint": "vBBPFaSL5wncpUKn4dS5328FRSfoAuqpLVlURCWK/nE="
+ },
+ {
+ "label": "Actalis_Authentication_Root_CA",
+ "binNumber": 121,
+ "sha256Fingerprint": "VZJghOyWOmS5biq+Ac4LqGpk+/68x6q1r8FVs3/XYGY="
+ },
+ {
+ "label": "OU_Trustis_FPS_Root_CA_O_Trustis_Limited_C_GB",
+ "binNumber": 122,
+ "sha256Fingerprint": "wbSCmaulII/pYwrOVcpooD7aWlGciAKg06Zzvo+OVX0="
+ },
+ {
+ "label": "StartCom_Certification_Authority",
+ "binNumber": 123,
+ "sha256Fingerprint": "4XiQ7gmj+/T0i5xBShfWN7elBkfpvHUjInJ/zBdCqRE="
+ },
+ {
+ "label": "StartCom_Certification_Authority_G2",
+ "binNumber": 124,
+ "sha256Fingerprint": "x7plZ96Tp5iuH6p5HnEtN4+uH5PEOX/qRBu3y+b9WZU="
+ },
+ {
+ "label": "Buypass_Class_2_Root_CA",
+ "binNumber": 125,
+ "sha256Fingerprint": "mhFAJRl8W7ldlOY9Vc1DeQhHtkayPN8RraSgDv8V+0g="
+ },
+ {
+ "label": "Buypass_Class_3_Root_CA",
+ "binNumber": 126,
+ "sha256Fingerprint": "7ffrvKJ6KjhNOHt9QBDGZuLttIQ+TCm0rh1bkzLmsk0="
+ },
+ {
+ "label": "T_TeleSec_GlobalRoot_Class_3",
+ "binNumber": 127,
+ "sha256Fingerprint": "/XPa0xxkT/G0O+8MzdqWcQuc2Ydeyn4xcHrz6W1SK70="
+ },
+ {
+ "label": "EE_Certification_Centre_Root_CA",
+ "binNumber": 128,
+ "sha256Fingerprint": "PoS6Q0KQhRbndXPAmS8JecoITkaFaB/xlcy6iiKbinY="
+ },
+ {
+ "label": "T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_",
+ "binNumber": 129,
+ "sha256Fingerprint": "l4zZZvL6oHunqpUA2cAunXfyza2mrWunSvS5HGZZPFA="
+ },
+ {
+ "label": "D_TRUST_Root_Class_3_CA_2_2009",
+ "binNumber": 130,
+ "sha256Fingerprint": "SeekQqzw6mKHBQBUtSVktlDk9J5C40jWqjjgOelXscE="
+ },
+ {
+ "label": "D_TRUST_Root_Class_3_CA_2_EV_2009",
+ "binNumber": 131,
+ "sha256Fingerprint": "7sVJa5iM6YYluTQJLuwpCL7QsPMWwtRzDITq8fPTSIE="
+ },
+ {
+ "label": "PSCProcert",
+ "binNumber": 132,
+ "sha256Fingerprint": "PPw8FNH2hP8X44xDykQMALln7JM+i/4GTKHXLJDyrbA="
+ },
+ {
+ "label": "China_Internet_Network_Information_Center_EV_Certificates_Root",
+ "binNumber": 133,
+ "sha256Fingerprint": "HAHG9Nuy/vwiVYsryjJWP0mESs/DK3vksP9Zn56Mevc="
+ },
+ {
+ "label": "Swisscom_Root_CA_2",
+ "binNumber": 134,
+ "sha256Fingerprint": "8JsSLHEU9KCb1OpPSpnVWLRuTCXNgRQNKcBWE5FMOEE="
+ },
+ {
+ "label": "Swisscom_Root_EV_CA_2",
+ "binNumber": 135,
+ "sha256Fingerprint": "2V/qPKTu3OdM1251/G0f9ixEHw+ovHfwNLGeXbJYAV0="
+ },
+ {
+ "label": "CA_Disig_Root_R1",
+ "binNumber": 136,
+ "sha256Fingerprint": "+W8j9MPnnAd6RpiNWvWQBnag8DnLZF3RdUmyFsgkQM4="
+ },
+ {
+ "label": "CA_Disig_Root_R2",
+ "binNumber": 137,
+ "sha256Fingerprint": "4j1KA217cOn1lbFCIHnSuR7fux+2UaBjPqqKncX4BwM="
+ },
+ {
+ "label": "ACCVRAIZ1",
+ "binNumber": 138,
+ "sha256Fingerprint": "mm7AEuGn2p2+NBlNR4rXwNsYIvsHHfEpgUlu0QQ4QRM="
+ },
+ {
+ "label": "TWCA_Global_Root_CA",
+ "binNumber": 139,
+ "sha256Fingerprint": "WXaQB/doXQ/NUIcvn5XVdVpbK0V9gfNpK2EKmGcvDhs="
+ },
+ {
+ "label": "TeliaSonera_Root_CA_v1",
+ "binNumber": 140,
+ "sha256Fingerprint": "3Wk2/iH48HfBI6GlIcEiJPciVbc+A6cmBpPooksPo4k="
+ },
+ {
+ "label": "E_Tugra_Certification_Authority",
+ "binNumber": 141,
+ "sha256Fingerprint": "sL/VK7DX2b2Sv11NwT2iVcAsVC83g2XqiTkR9V5V8jw="
+ },
+ {
+ "label": "T_TeleSec_GlobalRoot_Class_2",
+ "binNumber": 142,
+ "sha256Fingerprint": "keL1eI1YEOunulhzfeFUio7KzQFFmLwLFD4EGxcFJVI="
+ },
+ {
+ "label": "Atos_TrustedRoot_2011",
+ "binNumber": 143,
+ "sha256Fingerprint": "81a+okS3qR6zXVPKmteGSs4Bji011fj5bd9opvQapHQ="
+ },
+ {
+ "label": "QuoVadis_Root_CA_1_G3",
+ "binNumber": 144,
+ "sha256Fingerprint": "ioZv0bJ2tX5XjpIcZYKKK+1Y6fLyiAVBNLfx9L/JzHQ="
+ },
+ {
+ "label": "QuoVadis_Root_CA_2_G3",
+ "binNumber": 145,
+ "sha256Fingerprint": "j+T7Cvk6TQ1n2wvrsj43xxvzJdy83SQOoE2vWLR+GEA="
+ },
+ {
+ "label": "QuoVadis_Root_CA_3_G3",
+ "binNumber": 146,
+ "sha256Fingerprint": "iO+B3iAusBhFLkP4ZHJc6l+9H8LZ0gVzBwnF2LhpD0Y="
+ },
+ {
+ "label": "DigiCert_Assured_ID_Root_G2",
+ "binNumber": 147,
+ "sha256Fingerprint": "fQXrtoIzn4yUUe4JTuv++nlToRTtsvRJSUUvq30vwYU="
+ },
+ {
+ "label": "DigiCert_Assured_ID_Root_G3",
+ "binNumber": 148,
+ "sha256Fingerprint": "fjfLi0xHCQyrNlUbpvRduEBoD7oWapUtsQBxf0MFP8I="
+ },
+ {
+ "label": "DigiCert_Global_Root_G2",
+ "binNumber": 149,
+ "sha256Fingerprint": "yzzLt2Ax5eATj43TmiP53kf/w15DwRRM6ifUalqxy18="
+ },
+ {
+ "label": "DigiCert_Global_Root_G3",
+ "binNumber": 150,
+ "sha256Fingerprint": "Ma1mSPgQQTjHOPOepDIBMzk+OhjMAilu+Xwqye9nMdA="
+ },
+ {
+ "label": "DigiCert_Trusted_Root_G4",
+ "binNumber": 151,
+ "sha256Fingerprint": "VS973PGnr55s5nIBf08Sq/dyQMeOdhrCA9HZ0grImYg="
+ },
+ {
+ "label": "Certification_Authority_of_WoSign",
+ "binNumber": 152,
+ "sha256Fingerprint": "SyLVpq7JnzzbeapewGg4R5zV7LpxZPfyLcHWX2PYVwg="
+ },
+ {
+ "label": "CA______",
+ "binNumber": 153,
+ "sha256Fingerprint": "1vA0vZSqIz8Cl+ykJFsoOXPkR6pZDzEMd/SP34MRIlQ="
+ },
+ {
+ "label": "COMODO_RSA_Certification_Authority",
+ "binNumber": 154,
+ "sha256Fingerprint": "UvDhxOWOxikpG2AxfwdGcbhdfqgNWwcnNGNTSzK0AjQ="
+ },
+ {
+ "label": "USERTrust_RSA_Certification_Authority",
+ "binNumber": 155,
+ "sha256Fingerprint": "55PJsC/YqhPiHDEiisywgRlkO3SciYlksXRtRsPUy9I="
+ },
+ {
+ "label": "USERTrust_ECC_Certification_Authority",
+ "binNumber": 156,
+ "sha256Fingerprint": "T/Rg1Uuchtq/vPxXEuBADSvtP7xNT72qhuBq3NKprXo="
+ },
+ {
+ "label": "GlobalSign",
+ "binNumber": 157,
+ "sha256Fingerprint": "vslJEcKVVnbbbApVCYbXbjugBWZ8RCyXYrT7t3PeIow="
+ },
+ {
+ "label": "GlobalSign",
+ "binNumber": 158,
+ "sha256Fingerprint": "F5+8FIo90A/STqE0WMxDv6f1nIGC14OlE/br7BAMiSQ="
+ },
+ {
+ "label": "Staat_der_Nederlanden_Root_CA___G3",
+ "binNumber": 159,
+ "sha256Fingerprint": "PE+wuVq4swAy9DK4b1Nf4XLBhdD9OYZYN882GH+m9Cg="
+ },
+ {
+ "label": "Staat_der_Nederlanden_EV_Root_CA",
+ "binNumber": 160,
+ "sha256Fingerprint": "TSSRQUz+lWdG7Ezvps9vcuKKEylDL52KkHrEy12twVo="
+ },
+ {
+ "label": "IdenTrust_Commercial_Root_CA_1",
+ "binNumber": 161,
+ "sha256Fingerprint": "XVZJm+TS4IvPytCKPjhyPVBQO95waUjkL1VgMBnlKK4="
+ },
+ {
+ "label": "IdenTrust_Public_Sector_Root_CA_1",
+ "binNumber": 162,
+ "sha256Fingerprint": "MNCJWppEiiYgkWNVItH1IBC1hnrK4Sx475WP1PQ4ny8="
+ },
+ {
+ "label": "Entrust_Root_Certification_Authority___G2",
+ "binNumber": 163,
+ "sha256Fingerprint": "Q99XdLA+f+9f5A2TGnvt8bsua0JzjE5tOEEQPTqn8zk="
+ },
+ {
+ "label": "Entrust_Root_Certification_Authority___EC1",
+ "binNumber": 164,
+ "sha256Fingerprint": "Au0OsowU2kUWXFZnkXANZFHX+1bwsqsdO46wcOVu3/U="
+ },
+ {
+ "label": "CFCA_EV_ROOT",
+ "binNumber": 165,
+ "sha256Fingerprint": "XMPXjk4dXkVUegTmhz5k+Qz5U20czC74APNVxMX9cP0="
+ },
+ {
+ "label": "T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s__H5",
+ "binNumber": 166,
+ "sha256Fingerprint": "STUbkDREwYXM3FxpPSTYVVyyCNaoFBMHaZ9K8GMZnXg="
+ },
+ {
+ "label": "T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s__H6",
+ "binNumber": 167,
+ "sha256Fingerprint": "jeeGVeG+f3hHgAuT9pTSHTaMwG4DPn+rBLteuZ2mtwA="
+ },
+ {
+ "label": "Certinomis___Root_CA",
+ "binNumber": 168,
+ "sha256Fingerprint": "Kpn1vBF0tzy7HWIIhOAcNOUcyzl42hJfDjMmiIO/QVg="
+ },
+ {
+ "label": "OISTE_WISeKey_Global_Root_GB_CA",
+ "binNumber": 169,
+ "sha256Fingerprint": "a5wI6G6w92fPrWXNmLYhSeVJSmf1hF570e0Bnye4a9Y="
+ },
+ {
+ "label": "Certification_Authority_of_WoSign_G2",
+ "binNumber": 170,
+ "sha256Fingerprint": "1Ielb4OwdILoXpYzlMHswsnlHQkD7pRrAsMBWB7ZnhY="
+ },
+ {
+ "label": "CA_WoSign_ECC_Root",
+ "binNumber": 171,
+ "sha256Fingerprint": "i0XaHAb3kesMq/Jr5Yj1+yMWXC5hS/iFVi0NzlCymwI="
+ },
+ {
+ "label": "SZAFIR_ROOT_CA2",
+ "binNumber": 172,
+ "sha256Fingerprint": "oTOdMygaC1blV9PTKxzn+TZ+sJS9X6cqflAEyN7Xyv4="
+ },
+ {
+ "label": "Certum_Trusted_Network_CA_2",
+ "binNumber": 173,
+ "sha256Fingerprint": "tnby7drod1zTbLD2PNHUYDlh9J5iZboBOi8DB7bQuAQ="
+ },
+ {
+ "label": "Hellenic_Academic_and_Research_Institutions_RootCA_2015",
+ "binNumber": 174,
+ "sha256Fingerprint": "oECSmgLOU7Ss9PL/xpgc5ElvdV5tRf4LKmkrzVJSPzY="
+ },
+ {
+ "label": "Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015",
+ "binNumber": 175,
+ "sha256Fingerprint": "RLVFqool5lpzyhXcJ/w20kwcuZU6BmU5sRWC3Eh7SDM="
+ },
+ {
+ "label": "Certplus_Root_CA_G1",
+ "binNumber": 176,
+ "sha256Fingerprint": "FSpAK/zfLNVIBU0idbOcf8o+wJeAeLDw6nblYabHQz4="
+ },
+ {
+ "label": "Certplus_Root_CA_G2",
+ "binNumber": 177,
+ "sha256Fingerprint": "bMBQQeZEXnRpbEz7yfgPVDt+q7tEtM5veHxqmXHELxc="
+ },
+ {
+ "label": "OpenTrust_Root_CA_G1",
+ "binNumber": 178,
+ "sha256Fingerprint": "VsdxKNmMGNkbTP3/vCXukQPUdY6iq62CapDzRX1GDrQ="
+ },
+ {
+ "label": "OpenTrust_Root_CA_G2",
+ "binNumber": 179,
+ "sha256Fingerprint": "J5lYKf5qdRXBv+hI+cR2HbFsIlkpJXv0DQiU8p6ouvI="
+ },
+ {
+ "label": "OpenTrust_Root_CA_G3",
+ "binNumber": 180,
+ "sha256Fingerprint": "t8NiMXBugQeMNny4lhmPHjII3ZJpSd2PVwmkEPdbYpI="
+ },
+ {
+ "label": "ISRG_Root_X1",
+ "binNumber": 181,
+ "sha256Fingerprint": "lrzsBiZJdvN0YHeazyjFp8/oo8Cq4RqP/O4FwL3fCMY="
+ },
+ {
+ "label": "OU_AC_RAIZ_FNMT_RCM_O_FNMT_RCM_C_ES",
+ "binNumber": 182,
+ "sha256Fingerprint": "68VXDCkBjE1nsaoSe68S9wO0YR68F7fatVc4lBebk/o="
+ },
+ {
+ "label": "Amazon_Root_CA_1",
+ "binNumber": 183,
+ "sha256Fingerprint": "js3miE89h7ESW6Maw/yxPXAW3n9XzJBP4cuXxq6YGW4="
+ },
+ {
+ "label": "Amazon_Root_CA_2",
+ "binNumber": 184,
+ "sha256Fingerprint": "G6WyqoxlQBqClgEY+AvsT2IwTYPOxHE6GcOcAR6kbbQ="
+ },
+ {
+ "label": "Amazon_Root_CA_3",
+ "binNumber": 185,
+ "sha256Fingerprint": "GM5s/nvxTmCy40e43+hoyzHQLrs62icVafUDQ7Rts6Q="
+ },
+ {
+ "label": "Amazon_Root_CA_4",
+ "binNumber": 186,
+ "sha256Fingerprint": "410oQZ7QICXPppA4zWI5YkWNpcaV+96jwisL+yWJcJI="
+ },
+ {
+ "label": "LuxTrust_Global_Root_2",
+ "binNumber": 187,
+ "sha256Fingerprint": "VEVfcSnCCxRHxBj5lxaPJMWPxQI79dpb4utuHdiQLtU="
+ }
+ ],
+ "maxBin": 187
+} \ No newline at end of file
diff --git a/security/manager/tools/PreloadedHPKPins.json b/security/manager/tools/PreloadedHPKPins.json
new file mode 100644
index 0000000000..d9c394a1df
--- /dev/null
+++ b/security/manager/tools/PreloadedHPKPins.json
@@ -0,0 +1,222 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// The top-level element is a dictionary with two keys: "pinsets" maps details
+// of certificate pinning to a name and "entries" contains the HPKP details for
+// each host.
+//
+// "pinsets" is a list of objects. Each object has the following members:
+// name: (string) the name of the pinset
+// sha256_hashes: (list of strings) the set of allowed SPKIs hashes
+//
+// For a given pinset, a certificate is accepted if at least one of the
+// Subject Public Key Infos (SPKIs) is found in the chain. SPKIs are specified
+// as names, which must match up with the name given in the Mozilla root store.
+//
+// "entries" is a list of objects. Each object has the following members:
+// name: (string) the DNS name of the host in question
+// include_subdomains: (optional bool) whether subdomains of |name| are also covered
+// pins: (string) the |name| member of an object in |pinsets|
+//
+// "extra_certs" is a list of base64-encoded certificates. These are used in
+// pinsets that reference certificates not in our root program (for example,
+// Facebook).
+
+// equifax -> aus3
+// Geotrust Primary -> www.mozilla.org
+// Geotrust Global -> *. addons.mozilla.org
+{
+ "chromium_data" : {
+ "cert_file_url": "https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.pins?format=TEXT",
+ "json_file_url": "https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json?format=TEXT",
+ "substitute_pinsets": {
+ // Use the larger google_root_pems pinset instead of google
+ "google": "google_root_pems"
+ },
+ "production_pinsets": [
+ "google_root_pems",
+ "facebook"
+ ],
+ "production_domains": [
+ // Chrome's test domains.
+ "pinningtest.appspot.com",
+ "pinning-test.badssl.com",
+ // Dropbox
+ "dropbox.com",
+ "www.dropbox.com",
+ // Twitter
+ "api.twitter.com",
+ "business.twitter.com",
+ "dev.twitter.com",
+ "mobile.twitter.com",
+ "oauth.twitter.com",
+ "platform.twitter.com",
+ "twimg.com",
+ "www.twitter.com",
+ // Tor
+ "torproject.org",
+ "blog.torproject.org",
+ "check.torproject.org",
+ "dist.torproject.org",
+ "www.torproject.org",
+ // SpiderOak
+ "spideroak.com"
+ ],
+ "exclude_domains" : [
+ // Chrome's entry for twitter.com doesn't include subdomains, so replace
+ // it with our own entry below which also uses an expanded pinset.
+ "twitter.com"
+ ]
+ },
+ "pinsets": [
+ {
+ // From bug 772756, mozilla uses GeoTrust, Digicert and Thawte. Our
+ // cdn sites use Verisign and Baltimore. We exclude 1024-bit root certs
+ // from all providers. geotrust ca info:
+ // http://www.geotrust.com/resources/root-certificates/index.html
+ "name": "mozilla",
+ "sha256_hashes": [
+ "Baltimore CyberTrust Root",
+ "DigiCert Assured ID Root CA",
+ "DigiCert Global Root CA",
+ "DigiCert High Assurance EV Root CA",
+ "GeoTrust Global CA",
+ "GeoTrust Global CA 2",
+ "GeoTrust Primary Certification Authority",
+ "GeoTrust Primary Certification Authority - G2",
+ "GeoTrust Primary Certification Authority - G3",
+ "GeoTrust Universal CA",
+ "GeoTrust Universal CA 2",
+ "thawte Primary Root CA",
+ "thawte Primary Root CA - G2",
+ "thawte Primary Root CA - G3",
+ "Verisign Class 1 Public Primary Certification Authority - G3",
+ "Verisign Class 2 Public Primary Certification Authority - G3",
+ "Verisign Class 3 Public Primary Certification Authority - G3",
+ "VeriSign Class 3 Public Primary Certification Authority - G4",
+ "VeriSign Class 3 Public Primary Certification Authority - G5",
+ // "Verisign Class 4 Public Primary Certification Authority - G3",
+ "VeriSign Universal Root Certification Authority"
+ ]
+ },
+ {
+ "name": "mozilla_services",
+ "sha256_hashes": [
+ "DigiCert Global Root CA"
+ ]
+ },
+ // For pinning tests on pinning.example.com, the certificate must be 'End
+ // Entity Test Cert'
+ {
+ "name": "mozilla_test",
+ "sha256_hashes": [
+ "End Entity Test Cert"
+ ]
+ },
+ // Google's root PEMs. Chrome pins only to their intermediate certs, but
+ // they'd like us to be more liberal. For the initial list, we are using
+ // the certs from http://pki.google.com/roots.pem.
+ // We have no built-in for commented out CAs.
+ {
+ "name": "google_root_pems",
+ "sha256_hashes": [
+ "AddTrust External Root",
+ "AddTrust Low-Value Services Root",
+ "AddTrust Public Services Root",
+ "AddTrust Qualified Certificates Root",
+ "AffirmTrust Commercial",
+ "AffirmTrust Networking",
+ "AffirmTrust Premium",
+ "AffirmTrust Premium ECC",
+ "Baltimore CyberTrust Root",
+ "Comodo AAA Services root",
+ "COMODO Certification Authority",
+ "COMODO ECC Certification Authority",
+ "COMODO RSA Certification Authority",
+ "Comodo Secure Services root",
+ "Comodo Trusted Services root",
+ "Cybertrust Global Root",
+ "DigiCert Assured ID Root CA",
+ "DigiCert Assured ID Root G2",
+ "DigiCert Assured ID Root G3",
+ "DigiCert Global Root CA",
+ "DigiCert Global Root G2",
+ "DigiCert Global Root G3",
+ "DigiCert High Assurance EV Root CA",
+ "DigiCert Trusted Root G4",
+ "Entrust Root Certification Authority",
+ "Entrust Root Certification Authority - EC1",
+ "Entrust Root Certification Authority - G2",
+ "Entrust.net Premium 2048 Secure Server CA",
+ // "Equifax Secure Certificate Authority",
+ "GeoTrust Global CA",
+ "GeoTrust Global CA 2",
+ "GeoTrust Primary Certification Authority",
+ "GeoTrust Primary Certification Authority - G2",
+ "GeoTrust Primary Certification Authority - G3",
+ "GeoTrust Universal CA",
+ "GeoTrust Universal CA 2",
+ "GlobalSign ECC Root CA - R4",
+ "GlobalSign ECC Root CA - R5",
+ "GlobalSign Root CA",
+ "GlobalSign Root CA - R2",
+ "GlobalSign Root CA - R3",
+ "Go Daddy Class 2 CA",
+ "Go Daddy Root Certificate Authority - G2",
+ "Starfield Class 2 CA",
+ "Starfield Root Certificate Authority - G2",
+ "thawte Primary Root CA",
+ "thawte Primary Root CA - G2",
+ "thawte Primary Root CA - G3",
+ "USERTrust ECC Certification Authority",
+ "USERTrust RSA Certification Authority",
+ "UTN USERFirst Hardware Root CA",
+ "Verisign Class 3 Public Primary Certification Authority - G3",
+ "VeriSign Class 3 Public Primary Certification Authority - G4",
+ "VeriSign Class 3 Public Primary Certification Authority - G5",
+ "VeriSign Universal Root Certification Authority"
+ ]
+ }
+ ],
+
+ "entries": [
+ // Only domains that are operationally crucial to Firefox can have per-host
+ // telemetry reporting (the "id") field
+ { "name": "addons.mozilla.org", "include_subdomains": true,
+ "pins": "mozilla", "test_mode": false, "id": 1 },
+ { "name": "addons.mozilla.net", "include_subdomains": true,
+ "pins": "mozilla", "test_mode": false, "id": 2 },
+ { "name": "aus4.mozilla.org", "include_subdomains": true,
+ "pins": "mozilla", "test_mode": true, "id": 3 },
+ { "name": "accounts.firefox.com", "include_subdomains": true,
+ "pins": "mozilla_services", "test_mode": false, "id": 4 },
+ { "name": "api.accounts.firefox.com", "include_subdomains": true,
+ "pins": "mozilla_services", "test_mode": false, "id": 5 },
+ { "name": "cdn.mozilla.net", "include_subdomains": true,
+ "pins": "mozilla", "test_mode": false },
+ { "name": "cdn.mozilla.org", "include_subdomains": true,
+ "pins": "mozilla", "test_mode": false },
+ { "name": "services.mozilla.com", "include_subdomains": true,
+ "pins": "mozilla_services", "test_mode": false, "id": 6 },
+ { "name": "include-subdomains.pinning.example.com",
+ "include_subdomains": true, "pins": "mozilla_test",
+ "test_mode": false },
+ // Example domain to collect per-host stats for telemetry tests.
+ { "name": "exclude-subdomains.pinning.example.com",
+ "include_subdomains": false, "pins": "mozilla_test",
+ "test_mode": false, "id": 0 },
+ { "name": "test-mode.pinning.example.com", "include_subdomains": true,
+ "pins": "mozilla_test", "test_mode": true },
+ // Expand twitter's pinset to include all of *.twitter.com and use
+ // twitterCDN. More specific rules take precedence because we search for
+ // exact domain name first.
+ { "name": "twitter.com", "include_subdomains": true,
+ "pins": "twitterCDN", "test_mode": false },
+ { "name": "aus5.mozilla.org", "include_subdomains": true,
+ "pins": "mozilla", "test_mode": true, "id": 7 }
+ ],
+
+ "extra_certificates": []
+}
diff --git a/security/manager/tools/dumpGoogleRoots.js b/security/manager/tools/dumpGoogleRoots.js
new file mode 100644
index 0000000000..2daa204345
--- /dev/null
+++ b/security/manager/tools/dumpGoogleRoots.js
@@ -0,0 +1,106 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// This file is a helper script that generates the list of certificates that
+// make up the preloaded pinset for Google properties.
+//
+// How to run this file:
+// 1. [obtain firefox source code]
+// 2. [build/obtain firefox binaries]
+// 3. run `[path to]/run-mozilla.sh [path to]/xpcshell dumpGoogleRoots.js'
+// 4. [paste the output into the appropriate section in
+// security/manager/tools/PreloadedHPKPins.json]
+
+var Cc = Components.classes;
+var Ci = Components.interfaces;
+
+function downloadRoots() {
+ let req = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"]
+ .createInstance(Ci.nsIXMLHttpRequest);
+ req.open("GET", "https://pki.google.com/roots.pem", false);
+ try {
+ req.send();
+ }
+ catch (e) {
+ throw new Error("ERROR: problem downloading Google Root PEMs: " + e);
+ }
+
+ if (req.status != 200) {
+ throw new Error("ERROR: problem downloading Google Root PEMs. Status: " +
+ req.status);
+ }
+
+ let pem = req.responseText;
+ let roots = [];
+ let currentPEM = "";
+ let readingRoot = false;
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"]
+ .getService(Ci.nsIX509CertDB);
+ for (let line of pem.split(/[\r\n]/)) {
+ if (line == "-----END CERTIFICATE-----") {
+ if (currentPEM) {
+ roots.push(certDB.constructX509FromBase64(currentPEM));
+ }
+ currentPEM = "";
+ readingRoot = false;
+ continue;
+ }
+ if (readingRoot) {
+ currentPEM += line;
+ }
+ if (line == "-----BEGIN CERTIFICATE-----") {
+ readingRoot = true;
+ }
+ }
+ return roots;
+}
+
+function makeFormattedNickname(cert) {
+ if (cert.nickname.startsWith("Builtin Object Token:")) {
+ return `"${cert.nickname.substring("Builtin Object Token:".length)}"`;
+ }
+ // Otherwise, this isn't a built-in and we have to comment it out.
+ if (cert.commonName) {
+ return `// "${cert.commonName}"`;
+ }
+ if (cert.organizationalUnit) {
+ return `// "${cert.organizationalUnit}"`;
+ }
+ if (cert.organization) {
+ return `// "${cert.organization}"`;
+ }
+ throw new Error(`couldn't make nickname for ${cert.subjectName}`);
+}
+
+var roots = downloadRoots();
+var rootNicknames = [];
+for (var root of roots) {
+ rootNicknames.push(makeFormattedNickname(root));
+}
+rootNicknames.sort(function(rootA, rootB) {
+ let rootALowercase = rootA.toLowerCase().replace(/(^[^"]*")|"/g, "");
+ let rootBLowercase = rootB.toLowerCase().replace(/(^[^"]*")|"/g, "");
+ if (rootALowercase < rootBLowercase) {
+ return -1;
+ }
+ if (rootALowercase > rootBLowercase) {
+ return 1;
+ }
+ return 0;
+});
+dump(" {\n");
+dump(" \"name\": \"google_root_pems\",\n");
+dump(" \"sha256_hashes\": [\n");
+var first = true;
+for (var nickname of rootNicknames) {
+ if (!first) {
+ dump(",\n");
+ }
+ first = false;
+ dump(" " + nickname);
+}
+dump("\n");
+dump(" ]\n");
+dump(" }\n");
diff --git a/security/manager/tools/genHPKPStaticPins.js b/security/manager/tools/genHPKPStaticPins.js
new file mode 100644
index 0000000000..f2b9dbddae
--- /dev/null
+++ b/security/manager/tools/genHPKPStaticPins.js
@@ -0,0 +1,630 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// How to run this file:
+// 1. [obtain firefox source code]
+// 2. [build/obtain firefox binaries]
+// 3. run `[path to]/run-mozilla.sh [path to]/xpcshell \
+// [path to]/genHPKPStaticpins.js \
+// [absolute path to]/PreloadedHPKPins.json \
+// [an unused argument - see bug 1205406] \
+// [absolute path to]/StaticHPKPins.h
+"use strict";
+
+if (arguments.length != 3) {
+ throw new Error("Usage: genHPKPStaticPins.js " +
+ "<absolute path to PreloadedHPKPins.json> " +
+ "<an unused argument - see bug 1205406> " +
+ "<absolute path to StaticHPKPins.h>");
+}
+
+var { 'classes': Cc, 'interfaces': Ci, 'utils': Cu, 'results': Cr } = Components;
+
+var { NetUtil } = Cu.import("resource://gre/modules/NetUtil.jsm", {});
+var { FileUtils } = Cu.import("resource://gre/modules/FileUtils.jsm", {});
+var { Services } = Cu.import("resource://gre/modules/Services.jsm", {});
+
+var gCertDB = Cc["@mozilla.org/security/x509certdb;1"]
+ .getService(Ci.nsIX509CertDB);
+
+const BUILT_IN_NICK_PREFIX = "Builtin Object Token:";
+const SHA256_PREFIX = "sha256/";
+const GOOGLE_PIN_PREFIX = "GOOGLE_PIN_";
+
+// Pins expire in 14 weeks (6 weeks on Beta + 8 weeks on stable)
+const PINNING_MINIMUM_REQUIRED_MAX_AGE = 60 * 60 * 24 * 7 * 14;
+
+const FILE_HEADER = "/* This Source Code Form is subject to the terms of the Mozilla Public\n" +
+" * License, v. 2.0. If a copy of the MPL was not distributed with this\n" +
+" * file, You can obtain one at http://mozilla.org/MPL/2.0/. */\n" +
+"\n" +
+"/*****************************************************************************/\n" +
+"/* This is an automatically generated file. If you're not */\n" +
+"/* PublicKeyPinningService.cpp, you shouldn't be #including it. */\n" +
+"/*****************************************************************************/\n" +
+"#include <stdint.h>" +
+"\n";
+
+const DOMAINHEADER = "/* Domainlist */\n" +
+ "struct TransportSecurityPreload {\n" +
+ " const char* mHost;\n" +
+ " const bool mIncludeSubdomains;\n" +
+ " const bool mTestMode;\n" +
+ " const bool mIsMoz;\n" +
+ " const int32_t mId;\n" +
+ " const StaticFingerprints* pinset;\n" +
+ "};\n\n";
+
+const PINSETDEF = "/* Pinsets are each an ordered list by the actual value of the fingerprint */\n" +
+ "struct StaticFingerprints {\n" +
+ " const size_t size;\n" +
+ " const char* const* data;\n" +
+ "};\n\n";
+
+// Command-line arguments
+var gStaticPins = parseJson(arguments[0]);
+
+// arguments[1] is ignored for now. See bug 1205406.
+
+// Open the output file.
+var file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsILocalFile);
+file.initWithPath(arguments[2]);
+var gFileOutputStream = FileUtils.openSafeFileOutputStream(file);
+
+function writeString(string) {
+ gFileOutputStream.write(string, string.length);
+}
+
+function readFileToString(filename) {
+ let file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsILocalFile);
+ file.initWithPath(filename);
+ let stream = Cc["@mozilla.org/network/file-input-stream;1"]
+ .createInstance(Ci.nsIFileInputStream);
+ stream.init(file, -1, 0, 0);
+ let buf = NetUtil.readInputStreamToString(stream, stream.available());
+ return buf;
+}
+
+function stripComments(buf) {
+ let lines = buf.split("\n");
+ let entryRegex = /^\s*\/\//;
+ let data = "";
+ for (let i = 0; i < lines.length; ++i) {
+ let match = entryRegex.exec(lines[i]);
+ if (!match) {
+ data = data + lines[i];
+ }
+ }
+ return data;
+}
+
+function isBuiltinToken(tokenName) {
+ return tokenName == "Builtin Object Token";
+}
+
+function isCertBuiltIn(cert) {
+ let tokenNames = cert.getAllTokenNames({});
+ if (!tokenNames) {
+ return false;
+ }
+ if (tokenNames.some(isBuiltinToken)) {
+ return true;
+ }
+ return false;
+}
+
+function download(filename) {
+ let req = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"]
+ .createInstance(Ci.nsIXMLHttpRequest);
+ req.open("GET", filename, false); // doing the request synchronously
+ try {
+ req.send();
+ }
+ catch (e) {
+ throw new Error(`ERROR: problem downloading '${filename}': ${e}`);
+ }
+
+ if (req.status != 200) {
+ throw new Error("ERROR: problem downloading '" + filename + "': status " +
+ req.status);
+ }
+
+ let resultDecoded;
+ try {
+ resultDecoded = atob(req.responseText);
+ }
+ catch (e) {
+ throw new Error("ERROR: could not decode data as base64 from '" + filename +
+ "': " + e);
+ }
+ return resultDecoded;
+}
+
+function downloadAsJson(filename) {
+ // we have to filter out '//' comments, while not mangling the json
+ let result = download(filename).replace(/^(\s*)?\/\/[^\n]*\n/mg, "");
+ let data = null;
+ try {
+ data = JSON.parse(result);
+ }
+ catch (e) {
+ throw new Error("ERROR: could not parse data from '" + filename + "': " + e);
+ }
+ return data;
+}
+
+// Returns a Subject Public Key Digest from the given pem, if it exists.
+function getSKDFromPem(pem) {
+ let cert = gCertDB.constructX509FromBase64(pem, pem.length);
+ return cert.sha256SubjectPublicKeyInfoDigest;
+}
+
+/**
+ * Hashes |input| using the SHA-256 algorithm in the following manner:
+ * btoa(sha256(atob(input)))
+ *
+ * @argument {String} input Base64 string to decode and return the hash of.
+ * @returns {String} Base64 encoded SHA-256 hash.
+ */
+function sha256Base64(input) {
+ let decodedValue;
+ try {
+ decodedValue = atob(input);
+ }
+ catch (e) {
+ throw new Error(`ERROR: could not decode as base64: '${input}': ${e}`);
+ }
+
+ // Convert |decodedValue| to an array so that it can be hashed by the
+ // nsICryptoHash instance below.
+ // In most cases across the code base, convertToByteArray() of
+ // nsIScriptableUnicodeConverter is used to do this, but the method doesn't
+ // seem to work here.
+ let data = [];
+ for (let i = 0; i < decodedValue.length; i++) {
+ data[i] = decodedValue.charCodeAt(i);
+ }
+
+ let hasher = Cc["@mozilla.org/security/hash;1"]
+ .createInstance(Ci.nsICryptoHash);
+ hasher.init(hasher.SHA256);
+ hasher.update(data, data.length);
+
+ // true is passed so that the hasher returns a Base64 encoded string.
+ return hasher.finish(true);
+}
+
+// Downloads the static certs file and tries to map Google Chrome nicknames
+// to Mozilla nicknames, as well as storing any hashes for pins for which we
+// don't have root PEMs. Each entry consists of a line containing the name of
+// the pin followed either by a hash in the format "sha256/" + base64(hash),
+// a PEM encoded public key, or a PEM encoded certificate.
+// For certificates that we have in our database,
+// return a map of Google's nickname to ours. For ones that aren't return a
+// map of Google's nickname to SHA-256 values. This code is modeled after agl's
+// https://github.com/agl/transport-security-state-generate, which doesn't
+// live in the Chromium repo because go is not an official language in
+// Chromium.
+// For all of the entries in this file:
+// - If the entry has a hash format, find the Mozilla pin name (cert nickname)
+// and stick the hash into certSKDToName
+// - If the entry has a PEM format, parse the PEM, find the Mozilla pin name
+// and stick the hash in certSKDToName
+// We MUST be able to find a corresponding cert nickname for the Chrome names,
+// otherwise we skip all pinsets referring to that Chrome name.
+function downloadAndParseChromeCerts(filename, certNameToSKD, certSKDToName) {
+ // Prefixes that we care about.
+ const BEGIN_CERT = "-----BEGIN CERTIFICATE-----";
+ const END_CERT = "-----END CERTIFICATE-----";
+ const BEGIN_PUB_KEY = "-----BEGIN PUBLIC KEY-----";
+ const END_PUB_KEY = "-----END PUBLIC KEY-----";
+
+ // Parsing states.
+ const PRE_NAME = 0;
+ const POST_NAME = 1;
+ const IN_CERT = 2;
+ const IN_PUB_KEY = 3;
+ let state = PRE_NAME;
+
+ let lines = download(filename).split("\n");
+ let name = "";
+ let pemCert = "";
+ let pemPubKey = "";
+ let hash = "";
+ let chromeNameToHash = {};
+ let chromeNameToMozName = {};
+ let chromeName;
+ for (let line of lines) {
+ // Skip comments and newlines.
+ if (line.length == 0 || line[0] == '#') {
+ continue;
+ }
+ switch (state) {
+ case PRE_NAME:
+ chromeName = line;
+ state = POST_NAME;
+ break;
+ case POST_NAME:
+ if (line.startsWith(SHA256_PREFIX)) {
+ hash = line.substring(SHA256_PREFIX.length);
+ chromeNameToHash[chromeName] = hash;
+ certNameToSKD[chromeName] = hash;
+ certSKDToName[hash] = chromeName;
+ state = PRE_NAME;
+ } else if (line.startsWith(BEGIN_CERT)) {
+ state = IN_CERT;
+ } else if (line.startsWith(BEGIN_PUB_KEY)) {
+ state = IN_PUB_KEY;
+ } else {
+ throw new Error("ERROR: couldn't parse Chrome certificate file " +
+ "line: " + line);
+ }
+ break;
+ case IN_CERT:
+ if (line.startsWith(END_CERT)) {
+ state = PRE_NAME;
+ hash = getSKDFromPem(pemCert);
+ pemCert = "";
+ let mozName;
+ if (hash in certSKDToName) {
+ mozName = certSKDToName[hash];
+ } else {
+ // Not one of our built-in certs. Prefix the name with
+ // GOOGLE_PIN_.
+ mozName = GOOGLE_PIN_PREFIX + chromeName;
+ dump("Can't find hash in builtin certs for Chrome nickname " +
+ chromeName + ", inserting " + mozName + "\n");
+ certSKDToName[hash] = mozName;
+ certNameToSKD[mozName] = hash;
+ }
+ chromeNameToMozName[chromeName] = mozName;
+ } else {
+ pemCert += line;
+ }
+ break;
+ case IN_PUB_KEY:
+ if (line.startsWith(END_PUB_KEY)) {
+ state = PRE_NAME;
+ hash = sha256Base64(pemPubKey);
+ pemPubKey = "";
+ chromeNameToHash[chromeName] = hash;
+ certNameToSKD[chromeName] = hash;
+ certSKDToName[hash] = chromeName;
+ } else {
+ pemPubKey += line;
+ }
+ break;
+ default:
+ throw new Error("ERROR: couldn't parse Chrome certificate file " + line);
+ }
+ }
+ return [ chromeNameToHash, chromeNameToMozName ];
+}
+
+// We can only import pinsets from chrome if for every name in the pinset:
+// - We have a hash from Chrome's static certificate file
+// - We have a builtin cert
+// If the pinset meets these requirements, we store a map array of pinset
+// objects:
+// {
+// pinset_name : {
+// // Array of names with entries in certNameToSKD
+// sha256_hashes: []
+// }
+// }
+// and an array of imported pinset entries:
+// { name: string, include_subdomains: boolean, test_mode: boolean,
+// pins: pinset_name }
+function downloadAndParseChromePins(filename,
+ chromeNameToHash,
+ chromeNameToMozName,
+ certNameToSKD,
+ certSKDToName) {
+ let chromePreloads = downloadAsJson(filename);
+ let chromePins = chromePreloads.pinsets;
+ let chromeImportedPinsets = {};
+ let chromeImportedEntries = [];
+
+ chromePins.forEach(function(pin) {
+ let valid = true;
+ let pinset = { name: pin.name, sha256_hashes: [] };
+ // Translate the Chrome pinset format to ours
+ pin.static_spki_hashes.forEach(function(name) {
+ if (name in chromeNameToHash) {
+ let hash = chromeNameToHash[name];
+ pinset.sha256_hashes.push(certSKDToName[hash]);
+
+ // We should have already added hashes for all of these when we
+ // imported the certificate file.
+ if (!certNameToSKD[name]) {
+ throw new Error("ERROR: No hash for name: " + name);
+ }
+ } else if (name in chromeNameToMozName) {
+ pinset.sha256_hashes.push(chromeNameToMozName[name]);
+ } else {
+ dump("Skipping Chrome pinset " + pinset.name + ", couldn't find " +
+ "builtin " + name + " from cert file\n");
+ valid = false;
+ }
+ });
+ if (valid) {
+ chromeImportedPinsets[pinset.name] = pinset;
+ }
+ });
+
+ // Grab the domain entry lists. Chrome's entry format is similar to
+ // ours, except theirs includes a HSTS mode.
+ const cData = gStaticPins.chromium_data;
+ let entries = chromePreloads.entries;
+ entries.forEach(function(entry) {
+ // HSTS entry only
+ if (!entry.pins) {
+ return;
+ }
+ let pinsetName = cData.substitute_pinsets[entry.pins];
+ if (!pinsetName) {
+ pinsetName = entry.pins;
+ }
+
+ // We trim the entry name here to avoid breaking hostname comparisons in the
+ // HPKP implementation.
+ entry.name = entry.name.trim();
+
+ let isProductionDomain =
+ (cData.production_domains.indexOf(entry.name) != -1);
+ let isProductionPinset =
+ (cData.production_pinsets.indexOf(pinsetName) != -1);
+ let excludeDomain =
+ (cData.exclude_domains.indexOf(entry.name) != -1);
+ let isTestMode = !isProductionPinset && !isProductionDomain;
+ if (entry.pins && !excludeDomain && chromeImportedPinsets[entry.pins]) {
+ chromeImportedEntries.push({
+ name: entry.name,
+ include_subdomains: entry.include_subdomains,
+ test_mode: isTestMode,
+ is_moz: false,
+ pins: pinsetName });
+ }
+ });
+ return [ chromeImportedPinsets, chromeImportedEntries ];
+}
+
+// Returns a pair of maps [certNameToSKD, certSKDToName] between cert
+// nicknames and digests of the SPKInfo for the mozilla trust store
+function loadNSSCertinfo(extraCertificates) {
+ let allCerts = gCertDB.getCerts();
+ let enumerator = allCerts.getEnumerator();
+ let certNameToSKD = {};
+ let certSKDToName = {};
+ while (enumerator.hasMoreElements()) {
+ let cert = enumerator.getNext().QueryInterface(Ci.nsIX509Cert);
+ if (!isCertBuiltIn(cert)) {
+ continue;
+ }
+ let name = cert.nickname.substr(BUILT_IN_NICK_PREFIX.length);
+ let SKD = cert.sha256SubjectPublicKeyInfoDigest;
+ certNameToSKD[name] = SKD;
+ certSKDToName[SKD] = name;
+ }
+
+ for (let cert of extraCertificates) {
+ let name = cert.commonName;
+ let SKD = cert.sha256SubjectPublicKeyInfoDigest;
+ certNameToSKD[name] = SKD;
+ certSKDToName[SKD] = name;
+ }
+
+ {
+ // This is the pinning test certificate. The key hash identifies the
+ // default RSA key from pykey.
+ let name = "End Entity Test Cert";
+ let SKD = "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=";
+ certNameToSKD[name] = SKD;
+ certSKDToName[SKD] = name;
+ }
+ return [certNameToSKD, certSKDToName];
+}
+
+function parseJson(filename) {
+ let json = stripComments(readFileToString(filename));
+ return JSON.parse(json);
+}
+
+function nameToAlias(certName) {
+ // change the name to a string valid as a c identifier
+ // remove non-ascii characters
+ certName = certName.replace(/[^[:ascii:]]/g, "_");
+ // replace non word characters
+ certName = certName.replace(/[^A-Za-z0-9]/g, "_");
+
+ return "k" + certName + "Fingerprint";
+}
+
+function compareByName (a, b) {
+ return a.name.localeCompare(b.name);
+}
+
+function genExpirationTime() {
+ let now = new Date();
+ let nowMillis = now.getTime();
+ let expirationMillis = nowMillis + (PINNING_MINIMUM_REQUIRED_MAX_AGE * 1000);
+ let expirationMicros = expirationMillis * 1000;
+ return "static const PRTime kPreloadPKPinsExpirationTime = INT64_C(" +
+ expirationMicros + ");\n";
+}
+
+function writeFullPinset(certNameToSKD, certSKDToName, pinset) {
+ let prefix = "kPinset_" + pinset.name;
+ if (!pinset.sha256_hashes || pinset.sha256_hashes.length == 0) {
+ throw new Error(`ERROR: Pinset ${pinset.name} does not contain any hashes`);
+ }
+ writeFingerprints(certNameToSKD, certSKDToName, pinset.name,
+ pinset.sha256_hashes);
+}
+
+function writeFingerprints(certNameToSKD, certSKDToName, name, hashes) {
+ let varPrefix = "kPinset_" + name;
+ writeString("static const char* const " + varPrefix + "_Data[] = {\n");
+ let SKDList = [];
+ for (let certName of hashes) {
+ if (!(certName in certNameToSKD)) {
+ throw new Error(`ERROR: Can't find '${certName}' in certNameToSKD`);
+ }
+ SKDList.push(certNameToSKD[certName]);
+ }
+ for (let skd of SKDList.sort()) {
+ writeString(" " + nameToAlias(certSKDToName[skd]) + ",\n");
+ }
+ if (hashes.length == 0) {
+ // ANSI C requires that an initialiser list be non-empty.
+ writeString(" 0\n");
+ }
+ writeString("};\n");
+ writeString("static const StaticFingerprints " + varPrefix + " = {\n " +
+ "sizeof(" + varPrefix + "_Data) / sizeof(const char*),\n " + varPrefix +
+ "_Data\n};\n\n");
+}
+
+function writeEntry(entry) {
+ let printVal = " { \"" + entry.name + "\",\ ";
+ if (entry.include_subdomains) {
+ printVal += "true, ";
+ } else {
+ printVal += "false, ";
+ }
+ // Default to test mode if not specified.
+ let testMode = true;
+ if (entry.hasOwnProperty("test_mode")) {
+ testMode = entry.test_mode;
+ }
+ if (testMode) {
+ printVal += "true, ";
+ } else {
+ printVal += "false, ";
+ }
+ if (entry.is_moz || (entry.pins.indexOf("mozilla") != -1 &&
+ entry.pins != "mozilla_test")) {
+ printVal += "true, ";
+ } else {
+ printVal += "false, ";
+ }
+ if ("id" in entry) {
+ if (entry.id >= 256) {
+ throw new Error("ERROR: Not enough buckets in histogram");
+ }
+ if (entry.id >= 0) {
+ printVal += entry.id + ", ";
+ }
+ } else {
+ printVal += "-1, ";
+ }
+ printVal += "&kPinset_" + entry.pins;
+ printVal += " },\n";
+ writeString(printVal);
+}
+
+function writeDomainList(chromeImportedEntries) {
+ writeString("/* Sort hostnames for binary search. */\n");
+ writeString("static const TransportSecurityPreload " +
+ "kPublicKeyPinningPreloadList[] = {\n");
+ let count = 0;
+ let mozillaDomains = {};
+ gStaticPins.entries.forEach(function(entry) {
+ mozillaDomains[entry.name] = true;
+ });
+ // For any domain for which we have set pins, exclude them from
+ // chromeImportedEntries.
+ for (let i = chromeImportedEntries.length - 1; i >= 0; i--) {
+ if (mozillaDomains[chromeImportedEntries[i].name]) {
+ dump("Skipping duplicate pinset for domain " +
+ JSON.stringify(chromeImportedEntries[i], undefined, 2) + "\n");
+ chromeImportedEntries.splice(i, 1);
+ }
+ }
+ let sortedEntries = gStaticPins.entries;
+ sortedEntries.push.apply(sortedEntries, chromeImportedEntries);
+ for (let entry of sortedEntries.sort(compareByName)) {
+ count++;
+ writeEntry(entry);
+ }
+ writeString("};\n");
+
+ writeString("\n// Pinning Preload List Length = " + count + ";\n");
+ writeString("\nstatic const int32_t kUnknownId = -1;\n");
+}
+
+function writeFile(certNameToSKD, certSKDToName,
+ chromeImportedPinsets, chromeImportedEntries) {
+ // Compute used pins from both Chrome's and our pinsets, so we can output
+ // them later.
+ let usedFingerprints = {};
+ let mozillaPins = {};
+ gStaticPins.pinsets.forEach(function(pinset) {
+ mozillaPins[pinset.name] = true;
+ pinset.sha256_hashes.forEach(function (name) {
+ usedFingerprints[name] = true;
+ });
+ });
+ for (let key in chromeImportedPinsets) {
+ let pinset = chromeImportedPinsets[key];
+ pinset.sha256_hashes.forEach(function(name) {
+ usedFingerprints[name] = true;
+ });
+ }
+
+ writeString(FILE_HEADER);
+
+ // Write actual fingerprints.
+ Object.keys(usedFingerprints).sort().forEach(function(certName) {
+ if (certName) {
+ writeString("/* " + certName + " */\n");
+ writeString("static const char " + nameToAlias(certName) + "[] =\n");
+ writeString(" \"" + certNameToSKD[certName] + "\";\n");
+ writeString("\n");
+ }
+ });
+
+ // Write the pinsets
+ writeString(PINSETDEF);
+ writeString("/* PreloadedHPKPins.json pinsets */\n");
+ gStaticPins.pinsets.sort(compareByName).forEach(function(pinset) {
+ writeFullPinset(certNameToSKD, certSKDToName, pinset);
+ });
+ writeString("/* Chrome static pinsets */\n");
+ for (let key in chromeImportedPinsets) {
+ if (mozillaPins[key]) {
+ dump("Skipping duplicate pinset " + key + "\n");
+ } else {
+ dump("Writing pinset " + key + "\n");
+ writeFullPinset(certNameToSKD, certSKDToName, chromeImportedPinsets[key]);
+ }
+ }
+
+ // Write the domainlist entries.
+ writeString(DOMAINHEADER);
+ writeDomainList(chromeImportedEntries);
+ writeString("\n");
+ writeString(genExpirationTime());
+}
+
+function loadExtraCertificates(certStringList) {
+ let constructedCerts = [];
+ for (let certString of certStringList) {
+ constructedCerts.push(gCertDB.constructX509FromBase64(certString));
+ }
+ return constructedCerts;
+}
+
+var extraCertificates = loadExtraCertificates(gStaticPins.extra_certificates);
+var [ certNameToSKD, certSKDToName ] = loadNSSCertinfo(extraCertificates);
+var [ chromeNameToHash, chromeNameToMozName ] = downloadAndParseChromeCerts(
+ gStaticPins.chromium_data.cert_file_url, certNameToSKD, certSKDToName);
+var [ chromeImportedPinsets, chromeImportedEntries ] =
+ downloadAndParseChromePins(gStaticPins.chromium_data.json_file_url,
+ chromeNameToHash, chromeNameToMozName, certNameToSKD, certSKDToName);
+
+writeFile(certNameToSKD, certSKDToName, chromeImportedPinsets,
+ chromeImportedEntries);
+
+FileUtils.closeSafeFileOutputStream(gFileOutputStream);
diff --git a/security/manager/tools/genRootCAHashes.js b/security/manager/tools/genRootCAHashes.js
new file mode 100644
index 0000000000..0d6f1df48f
--- /dev/null
+++ b/security/manager/tools/genRootCAHashes.js
@@ -0,0 +1,255 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// How to run this file:
+// 1. [obtain firefox source code]
+// 2. [build/obtain firefox binaries]
+// 3. run `[path to]/run-mozilla.sh [path to]/xpcshell genRootCAHashes.js \
+// [absolute path to]/RootHashes.inc'
+
+var Cc = Components.classes;
+var Ci = Components.interfaces;
+var Cu = Components.utils;
+var Cr = Components.results;
+
+const nsX509CertDB = "@mozilla.org/security/x509certdb;1";
+const CertDb = Components.classes[nsX509CertDB].getService(Ci.nsIX509CertDB);
+
+Cu.import("resource://gre/modules/Services.jsm");
+Cu.import("resource://gre/modules/FileUtils.jsm");
+Cu.import("resource://gre/modules/NetUtil.jsm");
+const { CommonUtils } = Cu.import("resource://services-common/utils.js", {});
+
+const FILENAME_OUTPUT = "RootHashes.inc";
+const FILENAME_TRUST_ANCHORS = "KnownRootHashes.json";
+const ROOT_NOT_ASSIGNED = -1;
+
+const JSON_HEADER = "// This Source Code Form is subject to the terms of the Mozilla Public\n" +
+"// License, v. 2.0. If a copy of the MPL was not distributed with this\n" +
+"// file, You can obtain one at http://mozilla.org/MPL/2.0/. */\n" +
+"//\n" +
+"//***************************************************************************\n" +
+"// This is an automatically generated file. It's used to maintain state for\n" +
+"// runs of genRootCAHashes.js; you should never need to manually edit it\n" +
+"//***************************************************************************\n" +
+"\n";
+
+const FILE_HEADER = "/* This Source Code Form is subject to the terms of the Mozilla Public\n" +
+" * License, v. 2.0. If a copy of the MPL was not distributed with this\n" +
+" * file, You can obtain one at http://mozilla.org/MPL/2.0/. */\n" +
+"\n" +
+"/*****************************************************************************/\n" +
+"/* This is an automatically generated file. If you're not */\n" +
+"/* RootCertificateTelemetryUtils.cpp, you shouldn't be #including it. */\n" +
+"/*****************************************************************************/\n" +
+"\n" +
+"#define HASH_LEN 32\n";
+
+const FP_PREAMBLE = "struct CertAuthorityHash {\n" +
+" const uint8_t hash[HASH_LEN];\n" +
+" const int32_t binNumber;\n" +
+"};\n\n" +
+"static const struct CertAuthorityHash ROOT_TABLE[] = {\n";
+
+const FP_POSTAMBLE = "};\n";
+
+// Helper
+function writeString(fos, string) {
+ fos.write(string, string.length);
+}
+
+// Remove all colons from a string
+function stripColons(hexString) {
+ return hexString.replace(/:/g, '');
+}
+
+// Expect an array of bytes and make it C-formatted
+function hexSlice(bytes, start, end) {
+ let ret = "";
+ for (let i = start; i < end; i++) {
+ let hex = (0 + bytes.charCodeAt(i).toString(16)).slice(-2).toUpperCase();
+ ret += "0x" + hex;
+ if (i < end - 1) {
+ ret += ", ";
+ }
+ }
+ return ret;
+}
+
+function stripComments(buf) {
+ let lines = buf.split("\n");
+ let entryRegex = /^\s*\/\//;
+ let data = "";
+ for (let i = 0; i < lines.length; i++) {
+ let match = entryRegex.exec(lines[i]);
+ if (!match) {
+ data = data + lines[i];
+ }
+ }
+ return data;
+}
+
+
+// Load the trust anchors JSON object from disk
+function loadTrustAnchors(file) {
+ if (file.exists()) {
+ let stream = Cc["@mozilla.org/network/file-input-stream;1"]
+ .createInstance(Ci.nsIFileInputStream);
+ stream.init(file, -1, 0, 0);
+ let buf = NetUtil.readInputStreamToString(stream, stream.available());
+ return JSON.parse(stripComments(buf));
+ }
+ // If there's no input file, bootstrap.
+ return { roots: [], maxBin: 0 };
+}
+
+// Saves our persistence file so that we don't lose track of the mapping
+// between bin numbers and the CA-hashes, even as CAs come and go.
+function writeTrustAnchors(file) {
+ let fos = FileUtils.openSafeFileOutputStream(file);
+
+ let serializedData = JSON.stringify(gTrustAnchors, null, ' ');
+ fos.write(JSON_HEADER, JSON_HEADER.length);
+ fos.write(serializedData, serializedData.length);
+
+ FileUtils.closeSafeFileOutputStream(fos);
+}
+
+
+// Write the C++ header file
+function writeRootHashes(fos) {
+ try {
+ writeString(fos, FILE_HEADER);
+
+ // Output the sorted gTrustAnchors
+ writeString(fos, FP_PREAMBLE);
+ gTrustAnchors.roots.forEach(function(fp) {
+ let fpBytes = atob(fp.sha256Fingerprint);
+
+ writeString(fos, " {\n");
+ writeString(fos, " /* " + fp.label + " */\n");
+ writeString(fos, " { " + hexSlice(fpBytes, 0, 16) + ",\n");
+ writeString(fos, " " + hexSlice(fpBytes, 16, 32) + " },\n");
+ writeString(fos, " " + fp.binNumber + " /* Bin Number */\n");
+
+ writeString(fos, " },\n");
+ });
+ writeString(fos, FP_POSTAMBLE);
+
+ writeString(fos, "\n");
+
+ }
+ catch (e) {
+ dump("ERROR: problem writing output: " + e + "\n");
+ }
+}
+
+// Scan our list (linearly) for the given fingerprint string
+function findTrustAnchorByFingerprint(sha256Fingerprint) {
+ for (let i = 0; i < gTrustAnchors.roots.length; i++) {
+ if (sha256Fingerprint == gTrustAnchors.roots[i].sha256Fingerprint) {
+ return i;
+ }
+ }
+ return ROOT_NOT_ASSIGNED;
+}
+
+// Get a clean label for a given certificate; usually the common name.
+function getLabelForCert(cert) {
+ let label = cert.commonName;
+
+ if (label.length < 5) {
+ label = cert.subjectName;
+ }
+
+ // replace non-ascii characters
+ label = label.replace(/[^[:ascii:]]/g, "_");
+ // replace non-word characters
+ label = label.replace(/[^A-Za-z0-9]/g, "_");
+ return label;
+}
+
+// Fill in the gTrustAnchors list with trust anchors from the database.
+function insertTrustAnchorsFromDatabase() {
+ // We only want CA certs for SSL
+ const CERT_TYPE = Ci.nsIX509Cert.CA_CERT;
+ const TRUST_TYPE = Ci.nsIX509CertDB.TRUSTED_SSL;
+
+ // Iterate through the whole Cert DB
+ let enumerator = CertDb.getCerts().getEnumerator();
+ while (enumerator.hasMoreElements()) {
+ let cert = enumerator.getNext().QueryInterface(Ci.nsIX509Cert);
+
+ // Find the certificate in our existing list. Do it here because we need to check if
+ // it's untrusted too.
+
+ // If this is a trusted cert
+ if (CertDb.isCertTrusted(cert, CERT_TYPE, TRUST_TYPE)) {
+ // Base64 encode the hex string
+ let binaryFingerprint = CommonUtils.hexToBytes(stripColons(cert.sha256Fingerprint));
+ let encodedFingerprint = btoa(binaryFingerprint);
+
+ // Scan to see if this is already in the database.
+ if (findTrustAnchorByFingerprint(encodedFingerprint) == ROOT_NOT_ASSIGNED) {
+
+ // Let's get a usable name; some old certs do not have CN= filled out
+ let label = getLabelForCert(cert);
+
+ // Add to list
+ gTrustAnchors.maxBin += 1;
+ gTrustAnchors.roots.push(
+ {
+ "label": label,
+ "binNumber": gTrustAnchors.maxBin,
+ "sha256Fingerprint": encodedFingerprint
+ });
+ }
+ }
+ }
+}
+
+//
+// PRIMARY LOGIC
+//
+
+if (arguments.length != 1) {
+ throw new Error("Usage: genRootCAHashes.js " +
+ "<absolute path to current RootHashes.inc>");
+}
+
+var trustAnchorsFile = FileUtils.getFile("CurWorkD", [FILENAME_TRUST_ANCHORS]);
+// let rootHashesFile = FileUtils.getFile("CurWorkD", arguments[0]);
+var rootHashesFile = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsILocalFile);
+rootHashesFile.initWithPath(arguments[0]);
+
+// Open the known hashes file; this is to ensure stable bin numbers.
+var gTrustAnchors = loadTrustAnchors(trustAnchorsFile);
+
+// Collect all certificate entries
+insertTrustAnchorsFromDatabase();
+
+// Update known hashes before we sort
+writeTrustAnchors(trustAnchorsFile);
+
+// Sort all trust anchors before writing, as AccumulateRootCA.cpp
+// will perform binary searches
+gTrustAnchors.roots.sort(function(a, b) {
+ // We need to work from the binary values, not the base64 values.
+ let aBin = atob(a.sha256Fingerprint);
+ let bBin = atob(b.sha256Fingerprint);
+
+ if (aBin < bBin) {
+ return -1;
+ }
+ if (aBin > bBin) {
+ return 1;
+ }
+ return 0;
+});
+
+// Write the output file.
+var rootHashesFileOutputStream = FileUtils.openSafeFileOutputStream(rootHashesFile);
+writeRootHashes(rootHashesFileOutputStream);
+FileUtils.closeSafeFileOutputStream(rootHashesFileOutputStream);
diff --git a/security/manager/tools/getHSTSPreloadList.js b/security/manager/tools/getHSTSPreloadList.js
new file mode 100644
index 0000000000..5b950f9381
--- /dev/null
+++ b/security/manager/tools/getHSTSPreloadList.js
@@ -0,0 +1,497 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// How to run this file:
+// 1. [obtain firefox source code]
+// 2. [build/obtain firefox binaries]
+// 3. run `[path to]/run-mozilla.sh [path to]/xpcshell \
+// [path to]/getHSTSPreloadlist.js \
+// [absolute path to]/nsSTSPreloadlist.inc'
+// Note: Running this file outputs a new nsSTSPreloadlist.inc in the current
+// working directory.
+
+var Cc = Components.classes;
+var Ci = Components.interfaces;
+var Cu = Components.utils;
+var Cr = Components.results;
+
+Cu.import("resource://gre/modules/Services.jsm");
+Cu.import("resource://gre/modules/FileUtils.jsm");
+Cu.import("resource:///modules/XPCOMUtils.jsm");
+
+const SOURCE = "https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json?format=TEXT";
+const OUTPUT = "nsSTSPreloadList.inc";
+const ERROR_OUTPUT = "nsSTSPreloadList.errors";
+const MINIMUM_REQUIRED_MAX_AGE = 60 * 60 * 24 * 7 * 18;
+const MAX_CONCURRENT_REQUESTS = 5;
+const MAX_RETRIES = 3;
+const REQUEST_TIMEOUT = 30 * 1000;
+const ERROR_NONE = "no error";
+const ERROR_CONNECTING_TO_HOST = "could not connect to host";
+const ERROR_NO_HSTS_HEADER = "did not receive HSTS header";
+const ERROR_MAX_AGE_TOO_LOW = "max-age too low: ";
+const HEADER = "/* This Source Code Form is subject to the terms of the Mozilla Public\n" +
+" * License, v. 2.0. If a copy of the MPL was not distributed with this\n" +
+" * file, You can obtain one at http://mozilla.org/MPL/2.0/. */\n" +
+"\n" +
+"/*****************************************************************************/\n" +
+"/* This is an automatically generated file. If you're not */\n" +
+"/* nsSiteSecurityService.cpp, you shouldn't be #including it. */\n" +
+"/*****************************************************************************/\n" +
+"\n" +
+"#include <stdint.h>\n";
+
+function download() {
+ var req = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"]
+ .createInstance(Ci.nsIXMLHttpRequest);
+ req.open("GET", SOURCE, false); // doing the request synchronously
+ try {
+ req.send();
+ }
+ catch (e) {
+ throw new Error(`ERROR: problem downloading '${SOURCE}': ${e}`);
+ }
+
+ if (req.status != 200) {
+ throw new Error("ERROR: problem downloading '" + SOURCE + "': status " +
+ req.status);
+ }
+
+ var resultDecoded;
+ try {
+ resultDecoded = atob(req.responseText);
+ }
+ catch (e) {
+ throw new Error("ERROR: could not decode data as base64 from '" + SOURCE +
+ "': " + e);
+ }
+
+ // we have to filter out '//' comments, while not mangling the json
+ var result = resultDecoded.replace(/^(\s*)?\/\/[^\n]*\n/mg, "");
+ var data = null;
+ try {
+ data = JSON.parse(result);
+ }
+ catch (e) {
+ throw new Error(`ERROR: could not parse data from '${SOURCE}': ${e}`);
+ }
+ return data;
+}
+
+function getHosts(rawdata) {
+ var hosts = [];
+
+ if (!rawdata || !rawdata.entries) {
+ throw new Error("ERROR: source data not formatted correctly: 'entries' " +
+ "not found");
+ }
+
+ for (let entry of rawdata.entries) {
+ if (entry.mode && entry.mode == "force-https") {
+ if (entry.name) {
+ // We trim the entry name here to avoid malformed URI exceptions when we
+ // later try to connect to the domain.
+ entry.name = entry.name.trim();
+ entry.retries = MAX_RETRIES;
+ entry.originalIncludeSubdomains = entry.include_subdomains;
+ hosts.push(entry);
+ } else {
+ throw new Error("ERROR: entry not formatted correctly: no name found");
+ }
+ }
+ }
+
+ return hosts;
+}
+
+var gSSService = Cc["@mozilla.org/ssservice;1"]
+ .getService(Ci.nsISiteSecurityService);
+
+function processStsHeader(host, header, status, securityInfo) {
+ var maxAge = { value: 0 };
+ var includeSubdomains = { value: false };
+ var error = ERROR_NONE;
+ if (header != null && securityInfo != null) {
+ try {
+ var uri = Services.io.newURI("https://" + host.name, null, null);
+ var sslStatus = securityInfo.QueryInterface(Ci.nsISSLStatusProvider)
+ .SSLStatus;
+ gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS,
+ uri, header, sslStatus, 0, maxAge,
+ includeSubdomains);
+ }
+ catch (e) {
+ dump("ERROR: could not process header '" + header + "' from " +
+ host.name + ": " + e + "\n");
+ error = e;
+ }
+ } else if (status == 0) {
+ error = ERROR_CONNECTING_TO_HOST;
+ } else {
+ error = ERROR_NO_HSTS_HEADER;
+ }
+
+ let forceInclude = (host.forceInclude || host.pins == "google");
+
+ if (error == ERROR_NONE && maxAge.value < MINIMUM_REQUIRED_MAX_AGE) {
+ error = ERROR_MAX_AGE_TOO_LOW;
+ }
+
+ return { name: host.name,
+ maxAge: maxAge.value,
+ includeSubdomains: includeSubdomains.value,
+ error: error,
+ retries: host.retries - 1,
+ forceInclude: forceInclude,
+ originalIncludeSubdomains: host.originalIncludeSubdomains };
+}
+
+// RedirectAndAuthStopper prevents redirects and HTTP authentication
+function RedirectAndAuthStopper() {}
+
+RedirectAndAuthStopper.prototype = {
+ // nsIChannelEventSink
+ asyncOnChannelRedirect: function(oldChannel, newChannel, flags, callback) {
+ throw new Error(Cr.NS_ERROR_ENTITY_CHANGED);
+ },
+
+ // nsIAuthPrompt2
+ promptAuth: function(channel, level, authInfo) {
+ return false;
+ },
+
+ asyncPromptAuth: function(channel, callback, context, level, authInfo) {
+ throw new Error(Cr.NS_ERROR_NOT_IMPLEMENTED);
+ },
+
+ getInterface: function(iid) {
+ return this.QueryInterface(iid);
+ },
+
+ QueryInterface: XPCOMUtils.generateQI([Ci.nsIChannelEventSink,
+ Ci.nsIAuthPrompt2])
+};
+
+function getHSTSStatus(host, resultList) {
+ var req = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"]
+ .createInstance(Ci.nsIXMLHttpRequest);
+ var inResultList = false;
+ var uri = "https://" + host.name + "/";
+ req.open("GET", uri, true);
+ req.timeout = REQUEST_TIMEOUT;
+
+ let errorhandler = (evt) => {
+ dump(`ERROR: error making request to ${host.name} (type=${evt.type})\n`);
+ if (!inResultList) {
+ inResultList = true;
+ resultList.push(processStsHeader(host, null, req.status,
+ req.channel.securityInfo));
+ }
+ };
+ req.onerror = errorhandler;
+ req.ontimeout = errorhandler;
+ req.onabort = errorhandler;
+
+ req.onload = function(event) {
+ if (!inResultList) {
+ inResultList = true;
+ var header = req.getResponseHeader("strict-transport-security");
+ resultList.push(processStsHeader(host, header, req.status,
+ req.channel.securityInfo));
+ }
+ };
+
+ try {
+ req.channel.notificationCallbacks = new RedirectAndAuthStopper();
+ req.send();
+ }
+ catch (e) {
+ dump("ERROR: exception making request to " + host.name + ": " + e + "\n");
+ }
+}
+
+function compareHSTSStatus(a, b) {
+ if (a.name > b.name) {
+ return 1;
+ }
+ if (a.name < b.name) {
+ return -1;
+ }
+ return 0;
+}
+
+function writeTo(string, fos) {
+ fos.write(string, string.length);
+}
+
+// Determines and returns a string representing a declaration of when this
+// preload list should no longer be used.
+// This is the current time plus MINIMUM_REQUIRED_MAX_AGE.
+function getExpirationTimeString() {
+ var now = new Date();
+ var nowMillis = now.getTime();
+ // MINIMUM_REQUIRED_MAX_AGE is in seconds, so convert to milliseconds
+ var expirationMillis = nowMillis + (MINIMUM_REQUIRED_MAX_AGE * 1000);
+ var expirationMicros = expirationMillis * 1000;
+ return "const PRTime gPreloadListExpirationTime = INT64_C(" + expirationMicros + ");\n";
+}
+
+function errorToString(status) {
+ return (status.error == ERROR_MAX_AGE_TOO_LOW
+ ? status.error + status.maxAge
+ : status.error);
+}
+
+function writeEntry(status, indices, outputStream) {
+ let includeSubdomains = (status.finalIncludeSubdomains ? "true" : "false");
+ writeTo(" { " + indices[status.name] + ", " + includeSubdomains + " },\n",
+ outputStream);
+}
+
+function output(sortedStatuses, currentList) {
+ try {
+ var file = FileUtils.getFile("CurWorkD", [OUTPUT]);
+ var errorFile = FileUtils.getFile("CurWorkD", [ERROR_OUTPUT]);
+ var fos = FileUtils.openSafeFileOutputStream(file);
+ var eos = FileUtils.openSafeFileOutputStream(errorFile);
+ writeTo(HEADER, fos);
+ writeTo(getExpirationTimeString(), fos);
+
+ for (let status in sortedStatuses) {
+ // If we've encountered an error for this entry (other than the site not
+ // sending an HSTS header), be safe and don't remove it from the list
+ // (given that it was already on the list).
+ if (status.error != ERROR_NONE &&
+ status.error != ERROR_NO_HSTS_HEADER &&
+ status.error != ERROR_MAX_AGE_TOO_LOW &&
+ status.name in currentList) {
+ dump("INFO: error connecting to or processing " + status.name + " - using previous status on list\n");
+ writeTo(status.name + ": " + errorToString(status) + "\n", eos);
+ status.maxAge = MINIMUM_REQUIRED_MAX_AGE;
+ status.includeSubdomains = currentList[status.name];
+ }
+ }
+
+ // Filter out entries we aren't including.
+ var includedStatuses = sortedStatuses.filter(function (status) {
+ if (status.maxAge < MINIMUM_REQUIRED_MAX_AGE && !status.forceInclude) {
+ dump("INFO: " + status.name + " NOT ON the preload list\n");
+ writeTo(status.name + ": " + errorToString(status) + "\n", eos);
+ return false;
+ }
+
+ dump("INFO: " + status.name + " ON the preload list\n");
+ if (status.forceInclude && status.error != ERROR_NONE) {
+ writeTo(status.name + ": " + errorToString(status) + " (error "
+ + "ignored - included regardless)\n", eos);
+ }
+ return true;
+ });
+
+ // Resolve whether we should include subdomains for each entry. We could
+ // do this while writing out entries, but separating out that decision is
+ // clearer. Making that decision here also means we can write the choices
+ // in the comments in the static string table, which makes parsing the
+ // current list significantly easier when we go to update the list.
+ for (let status of includedStatuses) {
+ let incSubdomainsBool = (status.forceInclude && status.error != ERROR_NONE
+ ? status.originalIncludeSubdomains
+ : status.includeSubdomains);
+ status.finalIncludeSubdomains = incSubdomainsBool;
+ }
+
+ writeTo("\nstatic const char kSTSHostTable[] = {\n", fos);
+ var indices = {};
+ var currentIndex = 0;
+ for (let status of includedStatuses) {
+ indices[status.name] = currentIndex;
+ // Add 1 for the null terminator in C.
+ currentIndex += status.name.length + 1;
+ // Rebuilding the preload list requires reading the previous preload
+ // list. Write out a comment describing each host prior to writing out
+ // the string for the host.
+ writeTo(" /* \"" + status.name + "\", " +
+ (status.finalIncludeSubdomains ? "true" : "false") + " */ ",
+ fos);
+ // Write out the string itself as individual characters, including the
+ // null terminator. We do it this way rather than using C's string
+ // concatentation because some compilers have hardcoded limits on the
+ // lengths of string literals, and the preload list is large enough
+ // that it runs into said limits.
+ for (let c of status.name) {
+ writeTo("'" + c + "', ", fos);
+ }
+ writeTo("'\\0',\n", fos);
+ }
+ writeTo("};\n", fos);
+
+ const PREFIX = "\n" +
+ "struct nsSTSPreload\n" +
+ "{\n" +
+ " const uint32_t mHostIndex : 31;\n" +
+ " const uint32_t mIncludeSubdomains : 1;\n" +
+ "};\n" +
+ "\n" +
+ "static const nsSTSPreload kSTSPreloadList[] = {\n";
+ const POSTFIX = "};\n";
+
+ writeTo(PREFIX, fos);
+ for (let status of includedStatuses) {
+ writeEntry(status, indices, fos);
+ }
+ writeTo(POSTFIX, fos);
+ FileUtils.closeSafeFileOutputStream(fos);
+ FileUtils.closeSafeFileOutputStream(eos);
+ }
+ catch (e) {
+ dump("ERROR: problem writing output to '" + OUTPUT + "': " + e + "\n");
+ }
+}
+
+function shouldRetry(response) {
+ return (response.error != ERROR_NO_HSTS_HEADER &&
+ response.error != ERROR_MAX_AGE_TOO_LOW &&
+ response.error != ERROR_NONE && response.retries > 0);
+}
+
+function getHSTSStatuses(inHosts, outStatuses) {
+ var expectedOutputLength = inHosts.length;
+ var tmpOutput = [];
+ for (var i = 0; i < MAX_CONCURRENT_REQUESTS && inHosts.length > 0; i++) {
+ let host = inHosts.shift();
+ dump("spinning off request to '" + host.name + "' (remaining retries: " +
+ host.retries + ")\n");
+ getHSTSStatus(host, tmpOutput);
+ }
+
+ while (outStatuses.length != expectedOutputLength) {
+ waitForAResponse(tmpOutput);
+ var response = tmpOutput.shift();
+ dump("request to '" + response.name + "' finished\n");
+ if (shouldRetry(response)) {
+ inHosts.push(response);
+ } else {
+ outStatuses.push(response);
+ }
+
+ if (inHosts.length > 0) {
+ let host = inHosts.shift();
+ dump("spinning off request to '" + host.name + "' (remaining retries: " +
+ host.retries + ")\n");
+ getHSTSStatus(host, tmpOutput);
+ }
+ }
+}
+
+// Since all events are processed on the main thread, and since event
+// handlers are not preemptible, there shouldn't be any concurrency issues.
+function waitForAResponse(outputList) {
+ // From <https://developer.mozilla.org/en/XPConnect/xpcshell/HOWTO>
+ var threadManager = Cc["@mozilla.org/thread-manager;1"]
+ .getService(Ci.nsIThreadManager);
+ var mainThread = threadManager.currentThread;
+ while (outputList.length == 0) {
+ mainThread.processNextEvent(true);
+ }
+}
+
+function readCurrentList(filename) {
+ var currentHosts = {};
+ var file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsILocalFile);
+ file.initWithPath(filename);
+ var fis = Cc["@mozilla.org/network/file-input-stream;1"]
+ .createInstance(Ci.nsILineInputStream);
+ fis.init(file, -1, -1, Ci.nsIFileInputStream.CLOSE_ON_EOF);
+ var line = {};
+ // While we generate entries matching the version 2 format (see bug 1255425
+ // for details), we still need to be able to read entries in the version 1
+ // format for bootstrapping a version 2 preload list from a version 1
+ // preload list. Hence these two regexes.
+ var v1EntryRegex = / { "([^"]*)", (true|false) },/;
+ var v2EntryRegex = / \/\* "([^"]*)", (true|false) \*\//;
+ while (fis.readLine(line)) {
+ var match = v1EntryRegex.exec(line.value);
+ if (!match) {
+ match = v2EntryRegex.exec(line.value);
+ }
+ if (match) {
+ currentHosts[match[1]] = (match[2] == "true");
+ }
+ }
+ return currentHosts;
+}
+
+function combineLists(newHosts, currentHosts) {
+ for (let currentHost in currentHosts) {
+ let found = false;
+ for (let newHost of newHosts) {
+ if (newHost.name == currentHost) {
+ found = true;
+ break;
+ }
+ }
+ if (!found) {
+ newHosts.push({ name: currentHost, retries: MAX_RETRIES });
+ }
+ }
+}
+
+const TEST_ENTRIES = [
+ { name: "includesubdomains.preloaded.test", includeSubdomains: true },
+ { name: "includesubdomains2.preloaded.test", includeSubdomains: true },
+ { name: "noincludesubdomains.preloaded.test", includeSubdomains: false },
+];
+
+function deleteTestHosts(currentHosts) {
+ for (let testEntry of TEST_ENTRIES) {
+ delete currentHosts[testEntry.name];
+ }
+}
+
+function insertTestHosts(hstsStatuses) {
+ for (let testEntry of TEST_ENTRIES) {
+ hstsStatuses.push({
+ name: testEntry.name,
+ maxAge: MINIMUM_REQUIRED_MAX_AGE,
+ includeSubdomains: testEntry.includeSubdomains,
+ error: ERROR_NONE,
+ // This deliberately doesn't have a value for `retries` (because we should
+ // never attempt to connect to this host).
+ forceInclude: true,
+ originalIncludeSubdomains: testEntry.includeSubdomains,
+ });
+ }
+}
+
+// ****************************************************************************
+// This is where the action happens:
+if (arguments.length != 1) {
+ throw new Error("Usage: getHSTSPreloadList.js " +
+ "<absolute path to current nsSTSPreloadList.inc>");
+}
+// get the current preload list
+var currentHosts = readCurrentList(arguments[0]);
+// delete any hosts we use in tests so we don't actually connect to them
+deleteTestHosts(currentHosts);
+// disable the current preload list so it won't interfere with requests we make
+Services.prefs.setBoolPref("network.stricttransportsecurity.preloadlist", false);
+// download and parse the raw json file from the Chromium source
+var rawdata = download();
+// get just the hosts with mode: "force-https"
+var hosts = getHosts(rawdata);
+// add hosts in the current list to the new list (avoiding duplicates)
+combineLists(hosts, currentHosts);
+// get the HSTS status of each host
+var hstsStatuses = [];
+getHSTSStatuses(hosts, hstsStatuses);
+// add the hosts we use in tests
+insertTestHosts(hstsStatuses);
+// sort the hosts alphabetically
+hstsStatuses.sort(compareHSTSStatus);
+// write the results to a file (this is where we filter out hosts that we
+// either couldn't connect to, didn't receive an HSTS header from, couldn't
+// parse the header, or had a header with too short a max-age)
+output(hstsStatuses, currentHosts);
+// ****************************************************************************
diff --git a/security/manager/tools/makeCNNICHashes.js b/security/manager/tools/makeCNNICHashes.js
new file mode 100644
index 0000000000..1b558949e4
--- /dev/null
+++ b/security/manager/tools/makeCNNICHashes.js
@@ -0,0 +1,282 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// How to run this file:
+// 1. [obtain CNNIC-issued certificates to be whitelisted]
+// 2. [obtain firefox source code]
+// 3. [build/obtain firefox binaries]
+// 4. run `[path to]/run-mozilla.sh [path to]/xpcshell makeCNNICHashes.js \
+// [path to]/intermediatesFile
+// [path to]/certlist'
+// Where |intermediatesFile| is a file containing PEM encoded intermediate
+// certificates that the certificates in |certlist| may be issued by.
+// where certlist is a file containing a list of paths to certificates to
+// be included in the whitelist
+
+var Cc = Components.classes;
+var Ci = Components.interfaces;
+var Cu = Components.utils;
+
+var gCertDB = Cc["@mozilla.org/security/x509certdb;1"]
+ .getService(Ci.nsIX509CertDB);
+
+var { NetUtil } = Cu.import("resource://gre/modules/NetUtil.jsm", {});
+var { Services } = Cu.import("resource://gre/modules/Services.jsm", {});
+
+const HEADER = "// This Source Code Form is subject to the terms of the Mozilla Public\n" +
+"// License, v. 2.0. If a copy of the MPL was not distributed with this\n" +
+"// file, You can obtain one at http://mozilla.org/MPL/2.0/.\n" +
+"//\n" +
+"//***************************************************************************\n" +
+"// This file was automatically generated by makeCNNICHashes.js. It shouldn't\n" +
+"// need to be manually edited.\n" +
+"//***************************************************************************\n" +
+"\n";
+
+const PREAMBLE = "#define CNNIC_WHITELIST_HASH_LEN 32\n\n" +
+"struct WhitelistedCNNICHash {\n" +
+" const uint8_t hash[CNNIC_WHITELIST_HASH_LEN];\n" +
+"};\n\n" +
+"static const struct WhitelistedCNNICHash WhitelistedCNNICHashes[] = {\n";
+
+const POSTAMBLE = "};\n";
+
+function writeString(fos, string) {
+ fos.write(string, string.length);
+}
+
+// fingerprint is in the form "00:11:22:..."
+function hexSlice(fingerprint, start, end) {
+ let hexBytes = fingerprint.split(":");
+ let ret = "";
+ for (let i = start; i < end; i++) {
+ let hex = hexBytes[i];
+ ret += "0x" + hex;
+ if (i < end - 1) {
+ ret += ", ";
+ }
+ }
+ return ret;
+}
+
+// Write the C++ header file
+function writeHashes(certs, lastValidTime, fos) {
+ writeString(fos, HEADER);
+ writeString(fos, `// This file may be removed after ${new Date(lastValidTime)}\n\n`);
+ writeString(fos, PREAMBLE);
+
+ certs.forEach(function(cert) {
+ writeString(fos, " {\n");
+ writeString(fos, " { " + hexSlice(cert.sha256Fingerprint, 0, 16) + ",\n");
+ writeString(fos, " " + hexSlice(cert.sha256Fingerprint, 16, 32) + " },\n");
+
+ writeString(fos, " },\n");
+ });
+ writeString(fos, POSTAMBLE);
+}
+
+function readFileContents(file) {
+ let fstream = Cc["@mozilla.org/network/file-input-stream;1"]
+ .createInstance(Ci.nsIFileInputStream);
+ fstream.init(file, -1, 0, 0);
+ let data = NetUtil.readInputStreamToString(fstream, fstream.available());
+ fstream.close();
+ return data;
+}
+
+function relativePathToFile(path) {
+ let currentDirectory = Cc["@mozilla.org/file/directory_service;1"]
+ .getService(Ci.nsIProperties)
+ .get("CurWorkD", Ci.nsILocalFile);
+ let file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsILocalFile);
+ file.initWithPath(currentDirectory.path + "/" + path);
+ return file;
+}
+
+function pathToFile(path) {
+ let file = relativePathToFile(path);
+ if (!file.exists()) {
+ // Fall back to trying absolute path
+ file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsILocalFile);
+ file.initWithPath(path);
+ }
+ return file;
+}
+
+// punt on dealing with leap-years
+const sixYearsInMilliseconds = 6 * 366 * 24 * 60 * 60 * 1000;
+
+function loadCertificates(certFile, currentWhitelist) {
+ let nowInMilliseconds = (new Date()).getTime();
+ // months are 0-indexed, so April is month 3 :(
+ let april1InMilliseconds = (new Date(2015, 3, 1)).getTime();
+ let latestNotAfter = nowInMilliseconds;
+ let certs = [];
+ let certMap = {};
+ let invalidCerts = [];
+ let paths = readFileContents(certFile).split("\n");
+ for (let path of paths) {
+ if (!path) {
+ continue;
+ }
+ let certData = readFileContents(pathToFile(path));
+ let cert = null;
+ try {
+ cert = gCertDB.constructX509FromBase64(certData);
+ } catch (e) {}
+ if (!cert) {
+ cert = gCertDB.constructX509(certData, certData.length);
+ }
+ // Don't add multiple copies of any particular certificate.
+ if (cert.sha256Fingerprint in certMap) {
+ continue;
+ }
+ certMap[cert.sha256Fingerprint] = true;
+ // If we can't verify the certificate, don't include it. Unfortunately, if
+ // a CNNIC-issued certificate wasn't previously on the whitelist but it
+ // otherwise verifies successfully, verifyCertNow will return
+ // SEC_ERROR_REVOKED_CERTIFICATE, so we count that as verifying
+ // successfully. If the certificate is later revoked by CNNIC, the user
+ // will see that when they attempt to connect to a site using it and we do
+ // normal revocation checking.
+ let errorCode = gCertDB.verifyCertNow(cert, 2 /* SSL Server */,
+ Ci.nsIX509CertDB.LOCAL_ONLY, null,
+ {}, {});
+ if (errorCode != 0 &&
+ errorCode != -8180 /* SEC_ERROR_REVOKED_CERTIFICATE */) {
+ continue;
+ }
+ let durationMilliseconds = (cert.validity.notAfter - cert.validity.notBefore) / 1000;
+ let notBeforeMilliseconds = cert.validity.notBefore / 1000;
+ let notAfterMilliseconds = cert.validity.notAfter / 1000;
+ // Only consider certificates that were issued before 1 April 2015, haven't
+ // expired, and have a validity period shorter than 6 years (there is a
+ // delegated OCSP responder certificate with a validity period of 6 years
+ // that should be on the whitelist).
+ // Also only consider certificates that were already on the whitelist.
+ if (notBeforeMilliseconds < april1InMilliseconds &&
+ notAfterMilliseconds > nowInMilliseconds &&
+ durationMilliseconds < sixYearsInMilliseconds &&
+ currentWhitelist[cert.sha256Fingerprint]) {
+ certs.push(cert);
+ if (notAfterMilliseconds > latestNotAfter) {
+ latestNotAfter = notAfterMilliseconds;
+ }
+ }
+ if (durationMilliseconds >= sixYearsInMilliseconds) {
+ invalidCerts.push(cert);
+ }
+ }
+ return { certs: certs,
+ lastValidTime: latestNotAfter,
+ invalidCerts: invalidCerts };
+}
+
+// Expects something like "00:11:22:...", returns a string of bytes.
+function hexToBinaryString(hexString) {
+ let hexBytes = hexString.split(":");
+ let result = "";
+ for (let hexByte of hexBytes) {
+ result += String.fromCharCode(parseInt(hexByte, 16));
+ }
+ return result;
+}
+
+function compareCertificatesByHash(certA, certB) {
+ let aBin = hexToBinaryString(certA.sha256Fingerprint);
+ let bBin = hexToBinaryString(certB.sha256Fingerprint);
+
+ if (aBin < bBin) {
+ return -1;
+ }
+ if (aBin > bBin) {
+ return 1;
+ }
+ return 0;
+}
+
+function certToPEM(cert) {
+ let der = cert.getRawDER({});
+ let derString = '';
+ for (let i = 0; i < der.length; i++) {
+ derString += String.fromCharCode(der[i]);
+ }
+ let base64Lines = btoa(derString).replace(/(.{64})/g, "$1\n");
+ let output = "-----BEGIN CERTIFICATE-----\n";
+ for (let line of base64Lines.split("\n")) {
+ if (line.length > 0) {
+ output += line + "\n";
+ }
+ }
+ output += "-----END CERTIFICATE-----";
+ return output;
+}
+
+function loadIntermediates(intermediatesFile) {
+ let pem = readFileContents(intermediatesFile);
+ let intermediates = [];
+ let currentPEM = "";
+ for (let line of pem.split("\r\n")) {
+ if (line == "-----END CERTIFICATE-----") {
+ if (currentPEM) {
+ intermediates.push(gCertDB.constructX509FromBase64(currentPEM));
+ }
+ currentPEM = "";
+ continue;
+ }
+ if (line != "-----BEGIN CERTIFICATE-----") {
+ currentPEM += line;
+ }
+ }
+ return intermediates;
+}
+
+function readCurrentWhitelist(currentWhitelistFile) {
+ let contents = readFileContents(currentWhitelistFile).replace(/[\r\n ]/g, "");
+ let split = contents.split(/((?:0x[0-9A-F][0-9A-F],){31}0x[0-9A-F][0-9A-F])/);
+ // The hashes will be every odd-indexed element of the array.
+ let currentWhitelist = {};
+ for (let i = 1; i < split.length && i < split.length - 1; i += 2) {
+ let hash = split[i].replace(/0x/g, "").replace(/,/g, ":");
+ currentWhitelist[hash] = true;
+ }
+ return currentWhitelist;
+}
+
+///////////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////////
+
+if (arguments.length != 3) {
+ throw new Error("Usage: makeCNNICHashes.js <PEM intermediates file> " +
+ "<path to list of certificates> <path to current whitelist file>");
+}
+
+Services.prefs.setIntPref("security.OCSP.enabled", 0);
+var intermediatesFile = pathToFile(arguments[0]);
+var intermediates = loadIntermediates(intermediatesFile);
+var certFile = pathToFile(arguments[1]);
+var currentWhitelistFile = pathToFile(arguments[2]);
+var currentWhitelist = readCurrentWhitelist(currentWhitelistFile);
+var { certs, lastValidTime, invalidCerts } = loadCertificates(certFile, currentWhitelist);
+
+dump("The following certificates were not included due to overlong validity periods:\n");
+for (let cert of invalidCerts) {
+ dump(certToPEM(cert) + "\n");
+}
+
+// Sort the key hashes to allow for binary search.
+certs.sort(compareCertificatesByHash);
+
+// Write the output file.
+var outFile = relativePathToFile("CNNICHashWhitelist.inc");
+if (!outFile.exists()) {
+ outFile.create(Ci.nsIFile.NORMAL_FILE_TYPE, 0o644);
+}
+var outStream = Cc["@mozilla.org/network/file-output-stream;1"]
+ .createInstance(Ci.nsIFileOutputStream);
+outStream.init(outFile, -1, 0, 0);
+writeHashes(certs, lastValidTime, outStream);
+outStream.close();