#574: switch cert source to ESR68 and update certs, pins, TLDs, miners
parent
6a76bff74a
commit
9a7e8a97a2
|
@ -0,0 +1,57 @@
|
|||
#!/usr/bin/perl -s
|
||||
|
||||
print <<'EOF';
|
||||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
/*****************************************************************************/
|
||||
/* This is an automatically generated file. If you're not */
|
||||
/* nsSiteSecurityService.cpp, you shouldn't be #including it. */
|
||||
/*****************************************************************************/
|
||||
|
||||
/* imported from ESR68 by TenFourFox conversion script */
|
||||
|
||||
#include <stdint.h>
|
||||
EOF
|
||||
|
||||
# let's have a little paranoia.
|
||||
while(<>) {
|
||||
if (/^const PRTime gPreloadListExpirationTime = INT64_C/) {
|
||||
print;
|
||||
$got_time = 1;
|
||||
}
|
||||
if (/%%/) {
|
||||
$got_delim = 1;
|
||||
last;
|
||||
}
|
||||
}
|
||||
die("unexpected format of $source\n") if (!$got_time || !$got_delim);
|
||||
print <<'EOF';
|
||||
|
||||
class nsSTSPreload
|
||||
{
|
||||
public:
|
||||
const char *mHost;
|
||||
const bool mIncludeSubdomains;
|
||||
};
|
||||
|
||||
static const nsSTSPreload kSTSPreloadList[] = {
|
||||
EOF
|
||||
|
||||
while(<>) {
|
||||
chomp;
|
||||
last if (/%%/);
|
||||
($host, $subd, $crap) = split(/, /, $_, 3);
|
||||
if (!length($crap) && length($host) &&
|
||||
($subd eq '0' || $subd eq '1')) {
|
||||
print " { \"$host\", ";
|
||||
print (($subd eq '1') ? "true" : "false");
|
||||
print " },\n";
|
||||
} else {
|
||||
die("unexpected line: $_\n");
|
||||
}
|
||||
}
|
||||
|
||||
print "};\n";
|
||||
|
|
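Review bot: `$host` is written straight into a C string literal by `print " { \"$host\", ";` after only a length check, so a line in the downloaded list that contains a quote or backslash would produce malformed or altered C in nsSTSPreloadList.inc. Since the input arrives over the network, an allow-list check before the print, such as `die("unexpected host: $host\n") unless $host =~ /^[a-z0-9.-]+$/;` (widen the class if upstream legitimately uses other characters), would match the "little paranoia" the script already aims for. The second `while(<>)` loop also ends silently at end of input, so a truncated download yields a shorter HSTS preload list with no error; assuming the upstream file always closes with `%%`, set a flag before `last` and `die` after the loop when it was not seen. Separately, `$source` in the first `die` is never assigned in the script and the caller visible in this commit passes no `-source=` switch, so that message will print an empty name.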
@ -10,9 +10,14 @@ endif
|
|||
# if we update NSS, we need to remove that patch (TenFourFox issue 512).
|
||||
|
||||
set verbose
|
||||
cp ../esr60/security/nss/lib/ckfw/builtins/certdata.txt security/nss/lib/ckfw/builtins/certdata.txt
|
||||
cp ../esr60/security/manager/ssl/StaticHPKPins.h security/manager/ssl/StaticHPKPins.h
|
||||
cp ../esr60/netwerk/dns/effective_tld_names.dat netwerk/dns/effective_tld_names.dat
|
||||
perl ./104fx_import_esr60_stspreload.pl > security/manager/ssl/nsSTSPreloadList.inc
|
||||
set release_url=https://hg.mozilla.org/releases/mozilla-esr68/raw-file/tip/
|
||||
|
||||
# self test to ensure certificates and encryption methods are correct
|
||||
curl ${release_url}/config/milestone.txt || exit
|
||||
|
||||
curl ${release_url}/security/manager/ssl/StaticHPKPins.h > security/manager/ssl/StaticHPKPins.h
|
||||
curl ${release_url}/security/nss/lib/ckfw/builtins/certdata.txt > security/nss/lib/ckfw/builtins/certdata.txt
|
||||
curl ${release_url}/netwerk/dns/effective_tld_names.dat > netwerk/dns/effective_tld_names.dat
|
||||
curl ${release_url}/security/manager/ssl/nsSTSPreloadList.inc | perl ./104fx_import_esr68_stspreload.pl > security/manager/ssl/nsSTSPreloadList.inc
|
||||
perl ./104fx_import_shavar_cryptominers.pl > caps/shavar-blocklist.h
|
||||
|
||||
|
|
|
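Review bot: The `curl ... > file` lines overwrite StaticHPKPins.h, certdata.txt, effective_tld_names.dat and (through the perl filter) nsSTSPreloadList.inc in place, with no `--fail` and no exit check, so an HTTP error body or an interrupted transfer would replace the pin list, root store or suffix list with garbage or a truncated file; only the milestone.txt probe is guarded by `|| exit`. Consider fetching to a temporary name and moving it into place only on success, e.g. `curl --fail -o certdata.txt.new ${release_url}/security/nss/lib/ckfw/builtins/certdata.txt || exit` followed by `mv certdata.txt.new security/nss/lib/ckfw/builtins/certdata.txt`. Because `raw-file/tip` is a moving reference rather than a fixed revision, a comment such as `# tip is not pinned: review the resulting cert/pin/TLD diff before committing` would help the next maintainer. The script starts above this hunk, so any error handling set up earlier is not visible here.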
@ -6047,6 +6047,16 @@ org.so
|
|||
// sr : https://en.wikipedia.org/wiki/.sr
|
||||
sr
|
||||
|
||||
// ss : https://registry.nic.ss/
|
||||
// Submitted by registry <technical@nic.ss>
|
||||
ss
|
||||
biz.ss
|
||||
com.ss
|
||||
edu.ss
|
||||
gov.ss
|
||||
net.ss
|
||||
org.ss
|
||||
|
||||
// st : http://www.nic.st/html/policyrules/
|
||||
st
|
||||
co.st
|
||||
|
@ -6789,6 +6799,9 @@ yt
|
|||
// xn--e1a4c ("eu", Cyrillic) : EU
|
||||
ею
|
||||
|
||||
// xn--mgbah1a3hjkrd ("Mauritania", Arabic) : MR
|
||||
موريتانيا
|
||||
|
||||
// xn--node ("ge", Georgian Mkhedruli) : GE
|
||||
გე
|
||||
|
||||
|
@ -7062,7 +7075,7 @@ org.zw
|
|||
|
||||
// newGTLDs
|
||||
|
||||
// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2019-08-23T16:26:02Z
|
||||
// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2019-10-13T16:52:09Z
|
||||
// This list is auto-generated, don't edit it manually.
|
||||
// aaa : 2015-02-26 American Automobile Association, Inc.
|
||||
aaa
|
||||
|
@ -7967,9 +7980,6 @@ duck
|
|||
// dunlop : 2015-07-02 The Goodyear Tire & Rubber Company
|
||||
dunlop
|
||||
|
||||
// duns : 2015-08-06 The Dun & Bradstreet Corporation
|
||||
duns
|
||||
|
||||
// dupont : 2015-06-25 E. I. du Pont de Nemours and Company
|
||||
dupont
|
||||
|
||||
|
@ -8858,6 +8868,9 @@ lixil
|
|||
// llc : 2017-12-14 Afilias Limited
|
||||
llc
|
||||
|
||||
// llp : 2019-08-26 Dot Registry LLC
|
||||
llp
|
||||
|
||||
// loan : 2014-11-20 dot Loan Limited
|
||||
loan
|
||||
|
||||
|
@ -9026,9 +9039,6 @@ mma
|
|||
// mobile : 2016-06-02 Dish DBS Corporation
|
||||
mobile
|
||||
|
||||
// mobily : 2014-12-18 GreenTech Consultancy Company W.L.L.
|
||||
mobily
|
||||
|
||||
// moda : 2013-11-07 Dog Beach, LLC
|
||||
moda
|
||||
|
||||
|
@ -9830,6 +9840,9 @@ sony
|
|||
// soy : 2014-01-23 Charleston Road Registry Inc.
|
||||
soy
|
||||
|
||||
// spa : 2019-09-19 Asia Spa and Wellness Promotion Council Limited
|
||||
spa
|
||||
|
||||
// space : 2014-04-03 DotSpace Inc.
|
||||
space
|
||||
|
||||
|
@ -10118,7 +10131,7 @@ unicom
|
|||
// university : 2014-03-06 Binky Moon, LLC
|
||||
university
|
||||
|
||||
// uno : 2013-09-11 Dot Latin LLC
|
||||
// uno : 2013-09-11 DotSite Inc.
|
||||
uno
|
||||
|
||||
// uol : 2014-05-01 UBN INTERNET LTDA.
|
||||
|
@ -10427,7 +10440,7 @@ xin
|
|||
// xn--cg4bki : 2013-09-27 SAMSUNG SDS CO., LTD
|
||||
삼성
|
||||
|
||||
// xn--czr694b : 2014-01-16 Dot Trademark TLD Holding Company Limited
|
||||
// xn--czr694b : 2014-01-16 Internet DotTrademark Organisation Limited
|
||||
商标
|
||||
|
||||
// xn--czrs0t : 2013-12-19 Binky Moon, LLC
|
||||
|
@ -10484,7 +10497,7 @@ xin
|
|||
// xn--i1b6b1a6a2e : 2013-11-14 Public Interest Registry
|
||||
संगठन
|
||||
|
||||
// xn--imr513n : 2014-12-11 Dot Trademark TLD Holding Company Limited
|
||||
// xn--imr513n : 2014-12-11 Internet DotTrademark Organisation Limited
|
||||
餐厅
|
||||
|
||||
// xn--io0a7i : 2013-11-14 China Internet Network Information Center (CNNIC)
|
||||
|
@ -10520,9 +10533,6 @@ xin
|
|||
// xn--mgbab2bd : 2013-10-31 CORE Association
|
||||
بازار
|
||||
|
||||
// xn--mgbb9fbpob : 2014-12-18 GreenTech Consultancy Company W.L.L.
|
||||
موبايلي
|
||||
|
||||
// xn--mgbca7dzdo : 2015-07-30 Abu Dhabi Systems and Information Centre
|
||||
ابوظبي
|
||||
|
||||
|
@ -10556,7 +10566,7 @@ xin
|
|||
// xn--nyqy26a : 2014-11-07 Stable Tone Limited
|
||||
健康
|
||||
|
||||
// xn--otu796d : 2017-08-06 Dot Trademark TLD Holding Company Limited
|
||||
// xn--otu796d : 2017-08-06 Internet DotTrademark Organisation Limited
|
||||
招聘
|
||||
|
||||
// xn--p1acf : 2013-12-12 Rusnames Limited
|
||||
|
@ -10694,6 +10704,10 @@ barsy.ca
|
|||
*.compute.estate
|
||||
*.alces.network
|
||||
|
||||
// Altervista: https://www.altervista.org
|
||||
// Submitted by Carlo Cannas <tech_staff@altervista.it>
|
||||
altervista.org
|
||||
|
||||
// alwaysdata : https://www.alwaysdata.com
|
||||
// Submitted by Cyril <admin@alwaysdata.com>
|
||||
alwaysdata.net
|
||||
|
@ -11776,6 +11790,10 @@ gitlab.io
|
|||
// Submitted by Mads Hartmann <mads@glitch.com>
|
||||
glitch.me
|
||||
|
||||
// GMO Pepabo, Inc. : https://pepabo.com/
|
||||
// Submitted by dojineko <admin@pepabo.com>
|
||||
lolipop.io
|
||||
|
||||
// GOV.UK Platform as a Service : https://www.cloud.service.gov.uk/
|
||||
// Submitted by Tom Whitwell <tom.whitwell@digital.cabinet-office.gov.uk>
|
||||
cloudapps.digital
|
||||
|
@ -12778,6 +12796,7 @@ i234.me
|
|||
myds.me
|
||||
synology.me
|
||||
vpnplus.to
|
||||
direct.quickconnect.to
|
||||
|
||||
// TAIFUN Software AG : http://taifun-software.de
|
||||
// Submitted by Bjoern Henke <dev-server@taifun-software.de>
|
||||
|
@ -12994,8 +13013,4 @@ virtualserver.io
|
|||
site.builder.nu
|
||||
enterprisecloud.nu
|
||||
|
||||
// Zone.id : https://zone.id/
|
||||
// Submitted by Su Hendro <admin@zone.id>
|
||||
zone.id
|
||||
|
||||
// ===END PRIVATE DOMAINS===
|
||||
|
|
|
@ -131,10 +131,6 @@ static const char kGOOGLE_PIN_COMODORSADomainValidationSecureServerCAFingerprint
|
|||
static const char kGOOGLE_PIN_DigiCertECCSecureServerCAFingerprint[] =
|
||||
"PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=";
|
||||
|
||||
/* GOOGLE_PIN_DigiCertSHA2HighAssuranceServerCA */
|
||||
static const char kGOOGLE_PIN_DigiCertSHA2HighAssuranceServerCAFingerprint[] =
|
||||
"k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws=";
|
||||
|
||||
/* GOOGLE_PIN_Entrust_SSL */
|
||||
static const char kGOOGLE_PIN_Entrust_SSLFingerprint[] =
|
||||
"nsxRNo6G40YPZsKV5JQt1TCA8nseQQr/LRqp1Oa8fnw=";
|
||||
|
@ -311,10 +307,6 @@ static const char kTor2Fingerprint[] =
|
|||
static const char kTor3Fingerprint[] =
|
||||
"CleC1qwUR8JPgH1nXvSe2VHxDe5/KfNs96EusbfSOfo=";
|
||||
|
||||
/* TumblrBackup */
|
||||
static const char kTumblrBackupFingerprint[] =
|
||||
"avlD96PLERV78IN1fD+ab5cupkUDD9wTZWJjHX6VC9w=";
|
||||
|
||||
/* Twitter1 */
|
||||
static const char kTwitter1Fingerprint[] =
|
||||
"vU9M48LzD/CF34wE5PPf4nBwRyosy06X21J0ap8yS5s=";
|
||||
|
@ -638,16 +630,6 @@ static const StaticFingerprints kPinset_swehackCom = {
|
|||
kPinset_swehackCom_Data
|
||||
};
|
||||
|
||||
static const char* const kPinset_tumblr_Data[] = {
|
||||
kDigiCert_High_Assurance_EV_Root_CAFingerprint,
|
||||
kTumblrBackupFingerprint,
|
||||
kGOOGLE_PIN_DigiCertSHA2HighAssuranceServerCAFingerprint,
|
||||
};
|
||||
static const StaticFingerprints kPinset_tumblr = {
|
||||
sizeof(kPinset_tumblr_Data) / sizeof(const char*),
|
||||
kPinset_tumblr_Data
|
||||
};
|
||||
|
||||
/* Domainlist */
|
||||
struct TransportSecurityPreload {
|
||||
// See bug 1338873 about making these fields const.
|
||||
|
@ -693,8 +675,8 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
|
|||
{ "calendar.google.com", true, false, false, -1, &kPinset_google_root_pems },
|
||||
{ "cd.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
|
||||
{ "cdn.ampproject.org", true, false, false, -1, &kPinset_google_root_pems },
|
||||
{ "cdn.mozilla.net", true, false, true, -1, &kPinset_mozilla_services },
|
||||
{ "cdn.mozilla.org", true, false, true, -1, &kPinset_mozilla_services },
|
||||
{ "cdn.mozilla.net", true, false, true, 16, &kPinset_mozilla_services },
|
||||
{ "cdn.mozilla.org", true, false, true, 17, &kPinset_mozilla_services },
|
||||
{ "cg.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
|
||||
{ "ch.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
|
||||
{ "check.torproject.org", true, false, false, -1, &kPinset_tor },
|
||||
|
@ -721,7 +703,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
|
|||
{ "cr.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
|
||||
{ "crash-reports-xpsp2.mozilla.com", false, false, true, 11, &kPinset_mozilla_services },
|
||||
{ "crash-reports.mozilla.com", false, false, true, 10, &kPinset_mozilla_services },
|
||||
{ "crash-stats.mozilla.com", false, false, true, 12, &kPinset_mozilla_services },
|
||||
{ "crash-stats.mozilla.org", false, false, true, 12, &kPinset_mozilla_services },
|
||||
{ "crbug.com", true, false, false, -1, &kPinset_google_root_pems },
|
||||
{ "crosbug.com", true, false, false, -1, &kPinset_google_root_pems },
|
||||
{ "crrev.com", true, false, false, -1, &kPinset_google_root_pems },
|
||||
|
@ -749,11 +731,12 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
|
|||
{ "es.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
|
||||
{ "espanol.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
|
||||
{ "example.test", true, true, false, -1, &kPinset_test },
|
||||
{ "exclude-subdomains.pinning.example.com", false, false, false, 0, &kPinset_mozilla_test },
|
||||
{ "exclude-subdomains.pinning.example.com", false, false, false, -1, &kPinset_mozilla_test },
|
||||
{ "facebook.com", false, false, false, -1, &kPinset_facebook },
|
||||
{ "fi.google.com", true, false, false, -1, &kPinset_google_root_pems },
|
||||
{ "fi.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
|
||||
{ "firebaseio.com", true, false, false, -1, &kPinset_google_root_pems },
|
||||
{ "firefox.com", true, true, true, 15, &kPinset_mozilla_services },
|
||||
{ "fj.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
|
||||
{ "fr.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
|
||||
{ "g.co", false, false, false, -1, &kPinset_google_root_pems },
|
||||
|
@ -1138,7 +1121,6 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
|
|||
{ "www.googlemail.com", false, false, false, -1, &kPinset_google_root_pems },
|
||||
{ "www.messenger.com", true, false, false, -1, &kPinset_facebook },
|
||||
{ "www.torproject.org", true, false, false, -1, &kPinset_tor },
|
||||
{ "www.tumblr.com", false, true, false, -1, &kPinset_tumblr },
|
||||
{ "www.twitter.com", true, false, false, -1, &kPinset_twitterCom },
|
||||
{ "xa.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
|
||||
{ "xbrlsuccess.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
|
||||
|
@ -1155,4 +1137,4 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
|
|||
|
||||
static const int32_t kUnknownId = -1;
|
||||
|
||||
static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1575551133599000);
|
||||
static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1579537847247000);
|
||||
|
|
File diff suppressed because it is too large
File diff suppressed because it is too large