#574: switch cert source to ESR68 and update certs, pins, TLDs, miners

2019-10-14 19:47:21 -07:00 · 2019-10-14 19:47:21 -07:00 · 9a7e8a97a2
parent 6a76bff74a
commit 9a7e8a97a2
6 changed files with 7301 additions and 4274 deletions
--- a/104fx_import_esr68_stspreload.pl
+++ b/104fx_import_esr68_stspreload.pl
@ -0,0 +1,57 @@
+#!/usr/bin/perl -s
+
+print <<'EOF';
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*****************************************************************************/
+/* This is an automatically generated file. If you're not                    */
+/* nsSiteSecurityService.cpp, you shouldn't be #including it.                */
+/*****************************************************************************/
+
+/* imported from ESR68 by TenFourFox conversion script */
+
+#include <stdint.h>
+EOF
+
+# let's have a little paranoia.
+while(<>) {
+	if (/^const PRTime gPreloadListExpirationTime = INT64_C/) {
+		print;
+		$got_time = 1;
+	}
+	if (/%%/) {
+		$got_delim = 1;
+		last;
+	}
+}
+die("unexpected format of $source\n") if (!$got_time || !$got_delim);
+print <<'EOF';
+
+class nsSTSPreload
+{
+  public:
+    const char *mHost;
+    const bool mIncludeSubdomains;
+};
+
+static const nsSTSPreload kSTSPreloadList[] = {
+EOF
+
+while(<>) {
+	chomp;
+	last if (/%%/);
+	($host, $subd, $crap) = split(/, /, $_, 3);
+	if (!length($crap) && length($host) &&
+			($subd eq '0' || $subd eq '1')) {
+		print "  { \"$host\", ";
+		print (($subd eq '1') ? "true" : "false");
+		print " },\n";
+	} else {
+		die("unexpected line: $_\n");
+	}
+}
+
+print "};\n";
+
--- a/104fx_upcerts.sh
+++ b/104fx_upcerts.sh
@ -10,9 +10,14 @@ endif
 # if we update NSS, we need to remove that patch (TenFourFox issue 512).

 set verbose
-cp ../esr60/security/nss/lib/ckfw/builtins/certdata.txt security/nss/lib/ckfw/builtins/certdata.txt
-cp ../esr60/security/manager/ssl/StaticHPKPins.h security/manager/ssl/StaticHPKPins.h
-cp ../esr60/netwerk/dns/effective_tld_names.dat netwerk/dns/effective_tld_names.dat
-perl ./104fx_import_esr60_stspreload.pl > security/manager/ssl/nsSTSPreloadList.inc
+set release_url=https://hg.mozilla.org/releases/mozilla-esr68/raw-file/tip/
+
+# self test to ensure certificates and encryption methods are correct
+curl ${release_url}/config/milestone.txt || exit
+
+curl ${release_url}/security/manager/ssl/StaticHPKPins.h > security/manager/ssl/StaticHPKPins.h
+curl ${release_url}/security/nss/lib/ckfw/builtins/certdata.txt > security/nss/lib/ckfw/builtins/certdata.txt
+curl ${release_url}/netwerk/dns/effective_tld_names.dat > netwerk/dns/effective_tld_names.dat
+curl ${release_url}/security/manager/ssl/nsSTSPreloadList.inc | perl ./104fx_import_esr68_stspreload.pl > security/manager/ssl/nsSTSPreloadList.inc
 perl ./104fx_import_shavar_cryptominers.pl > caps/shavar-blocklist.h

--- a/netwerk/dns/effective_tld_names.dat
+++ b/netwerk/dns/effective_tld_names.dat
@ -6047,6 +6047,16 @@ org.so
 // sr : https://en.wikipedia.org/wiki/.sr
 sr

+// ss : https://registry.nic.ss/
+// Submitted by registry <technical@nic.ss>
+ss
+biz.ss
+com.ss
+edu.ss
+gov.ss
+net.ss
+org.ss
+
 // st : http://www.nic.st/html/policyrules/
 st
 co.st
@ -6789,6 +6799,9 @@ yt
 // xn--e1a4c ("eu", Cyrillic) : EU
 ею

+// xn--mgbah1a3hjkrd ("Mauritania", Arabic) : MR
+موريتانيا
+
 // xn--node ("ge", Georgian Mkhedruli) : GE
 გე

@ -7062,7 +7075,7 @@ org.zw

 // newGTLDs

-// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2019-08-23T16:26:02Z
+// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2019-10-13T16:52:09Z
 // This list is auto-generated, don't edit it manually.
 // aaa : 2015-02-26 American Automobile Association, Inc.
 aaa
@ -7967,9 +7980,6 @@ duck
 // dunlop : 2015-07-02 The Goodyear Tire & Rubber Company
 dunlop

-// duns : 2015-08-06 The Dun & Bradstreet Corporation
-duns
-
 // dupont : 2015-06-25 E. I. du Pont de Nemours and Company
 dupont

@ -8858,6 +8868,9 @@ lixil
 // llc : 2017-12-14 Afilias Limited
 llc

+// llp : 2019-08-26 Dot Registry LLC
+llp
+
 // loan : 2014-11-20 dot Loan Limited
 loan

@ -9026,9 +9039,6 @@ mma
 // mobile : 2016-06-02 Dish DBS Corporation
 mobile

-// mobily : 2014-12-18 GreenTech Consultancy Company W.L.L.
-mobily
-
 // moda : 2013-11-07 Dog Beach, LLC
 moda

@ -9830,6 +9840,9 @@ sony
 // soy : 2014-01-23 Charleston Road Registry Inc.
 soy

+// spa : 2019-09-19 Asia Spa and Wellness Promotion Council Limited
+spa
+
 // space : 2014-04-03 DotSpace Inc.
 space

@ -10118,7 +10131,7 @@ unicom
 // university : 2014-03-06 Binky Moon, LLC
 university

-// uno : 2013-09-11 Dot Latin LLC
+// uno : 2013-09-11 DotSite Inc.
 uno

 // uol : 2014-05-01 UBN INTERNET LTDA.
@ -10427,7 +10440,7 @@ xin
 // xn--cg4bki : 2013-09-27 SAMSUNG SDS CO., LTD
 삼성

-// xn--czr694b : 2014-01-16 Dot Trademark TLD Holding Company Limited
+// xn--czr694b : 2014-01-16 Internet DotTrademark Organisation Limited
 商标

 // xn--czrs0t : 2013-12-19 Binky Moon, LLC
@ -10484,7 +10497,7 @@ xin
 // xn--i1b6b1a6a2e : 2013-11-14 Public Interest Registry
 संगठन

-// xn--imr513n : 2014-12-11 Dot Trademark TLD Holding Company Limited
+// xn--imr513n : 2014-12-11 Internet DotTrademark Organisation Limited
 餐厅

 // xn--io0a7i : 2013-11-14 China Internet Network Information Center (CNNIC)
@ -10520,9 +10533,6 @@ xin
 // xn--mgbab2bd : 2013-10-31 CORE Association
 بازار

-// xn--mgbb9fbpob : 2014-12-18 GreenTech Consultancy Company W.L.L.
-موبايلي
-
 // xn--mgbca7dzdo : 2015-07-30 Abu Dhabi Systems and Information Centre
 ابوظبي

@ -10556,7 +10566,7 @@ xin
 // xn--nyqy26a : 2014-11-07 Stable Tone Limited
 健康

-// xn--otu796d : 2017-08-06 Dot Trademark TLD Holding Company Limited
+// xn--otu796d : 2017-08-06 Internet DotTrademark Organisation Limited
 招聘

 // xn--p1acf : 2013-12-12 Rusnames Limited
@ -10694,6 +10704,10 @@ barsy.ca
 *.compute.estate
 *.alces.network

+// Altervista: https://www.altervista.org
+// Submitted by Carlo Cannas <tech_staff@altervista.it>
+altervista.org
+
 // alwaysdata : https://www.alwaysdata.com
 // Submitted by Cyril <admin@alwaysdata.com>
 alwaysdata.net
@ -11776,6 +11790,10 @@ gitlab.io
 // Submitted by Mads Hartmann <mads@glitch.com>
 glitch.me

+// GMO Pepabo, Inc. : https://pepabo.com/
+// Submitted by dojineko <admin@pepabo.com>
+lolipop.io
+
 // GOV.UK Platform as a Service : https://www.cloud.service.gov.uk/
 // Submitted by Tom Whitwell <tom.whitwell@digital.cabinet-office.gov.uk>
 cloudapps.digital
@ -12778,6 +12796,7 @@ i234.me
 myds.me
 synology.me
 vpnplus.to
+direct.quickconnect.to

 // TAIFUN Software AG : http://taifun-software.de
 // Submitted by Bjoern Henke <dev-server@taifun-software.de>
@ -12994,8 +13013,4 @@ virtualserver.io
 site.builder.nu
 enterprisecloud.nu

-// Zone.id : https://zone.id/
-// Submitted by Su Hendro <admin@zone.id>
-zone.id
-
 // ===END PRIVATE DOMAINS===
--- a/security/manager/ssl/StaticHPKPins.h
+++ b/security/manager/ssl/StaticHPKPins.h
@ -131,10 +131,6 @@ static const char kGOOGLE_PIN_COMODORSADomainValidationSecureServerCAFingerprint
 static const char kGOOGLE_PIN_DigiCertECCSecureServerCAFingerprint[] =
  "PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=";

-/* GOOGLE_PIN_DigiCertSHA2HighAssuranceServerCA */
-static const char kGOOGLE_PIN_DigiCertSHA2HighAssuranceServerCAFingerprint[] =
-  "k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws=";
-
 /* GOOGLE_PIN_Entrust_SSL */
 static const char kGOOGLE_PIN_Entrust_SSLFingerprint[] =
  "nsxRNo6G40YPZsKV5JQt1TCA8nseQQr/LRqp1Oa8fnw=";
@ -311,10 +307,6 @@ static const char kTor2Fingerprint[] =
 static const char kTor3Fingerprint[] =
  "CleC1qwUR8JPgH1nXvSe2VHxDe5/KfNs96EusbfSOfo=";

-/* TumblrBackup */
-static const char kTumblrBackupFingerprint[] =
-  "avlD96PLERV78IN1fD+ab5cupkUDD9wTZWJjHX6VC9w=";
-
 /* Twitter1 */
 static const char kTwitter1Fingerprint[] =
  "vU9M48LzD/CF34wE5PPf4nBwRyosy06X21J0ap8yS5s=";
@ -638,16 +630,6 @@ static const StaticFingerprints kPinset_swehackCom = {
  kPinset_swehackCom_Data
 };

-static const char* const kPinset_tumblr_Data[] = {
-  kDigiCert_High_Assurance_EV_Root_CAFingerprint,
-  kTumblrBackupFingerprint,
-  kGOOGLE_PIN_DigiCertSHA2HighAssuranceServerCAFingerprint,
-};
-static const StaticFingerprints kPinset_tumblr = {
-  sizeof(kPinset_tumblr_Data) / sizeof(const char*),
-  kPinset_tumblr_Data
-};
-
 /* Domainlist */
 struct TransportSecurityPreload {
  // See bug 1338873 about making these fields const.
@ -693,8 +675,8 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
  { "calendar.google.com", true, false, false, -1, &kPinset_google_root_pems },
  { "cd.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
  { "cdn.ampproject.org", true, false, false, -1, &kPinset_google_root_pems },
-  { "cdn.mozilla.net", true, false, true, -1, &kPinset_mozilla_services },
-  { "cdn.mozilla.org", true, false, true, -1, &kPinset_mozilla_services },
+  { "cdn.mozilla.net", true, false, true, 16, &kPinset_mozilla_services },
+  { "cdn.mozilla.org", true, false, true, 17, &kPinset_mozilla_services },
  { "cg.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
  { "ch.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
  { "check.torproject.org", true, false, false, -1, &kPinset_tor },
@ -721,7 +703,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
  { "cr.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
  { "crash-reports-xpsp2.mozilla.com", false, false, true, 11, &kPinset_mozilla_services },
  { "crash-reports.mozilla.com", false, false, true, 10, &kPinset_mozilla_services },
-  { "crash-stats.mozilla.com", false, false, true, 12, &kPinset_mozilla_services },
+  { "crash-stats.mozilla.org", false, false, true, 12, &kPinset_mozilla_services },
  { "crbug.com", true, false, false, -1, &kPinset_google_root_pems },
  { "crosbug.com", true, false, false, -1, &kPinset_google_root_pems },
  { "crrev.com", true, false, false, -1, &kPinset_google_root_pems },
@ -749,11 +731,12 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
  { "es.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
  { "espanol.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
  { "example.test", true, true, false, -1, &kPinset_test },
-  { "exclude-subdomains.pinning.example.com", false, false, false, 0, &kPinset_mozilla_test },
+  { "exclude-subdomains.pinning.example.com", false, false, false, -1, &kPinset_mozilla_test },
  { "facebook.com", false, false, false, -1, &kPinset_facebook },
  { "fi.google.com", true, false, false, -1, &kPinset_google_root_pems },
  { "fi.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
  { "firebaseio.com", true, false, false, -1, &kPinset_google_root_pems },
+  { "firefox.com", true, true, true, 15, &kPinset_mozilla_services },
  { "fj.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
  { "fr.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
  { "g.co", false, false, false, -1, &kPinset_google_root_pems },
@ -1138,7 +1121,6 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
  { "www.googlemail.com", false, false, false, -1, &kPinset_google_root_pems },
  { "www.messenger.com", true, false, false, -1, &kPinset_facebook },
  { "www.torproject.org", true, false, false, -1, &kPinset_tor },
-  { "www.tumblr.com", false, true, false, -1, &kPinset_tumblr },
  { "www.twitter.com", true, false, false, -1, &kPinset_twitterCom },
  { "xa.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
  { "xbrlsuccess.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
@ -1155,4 +1137,4 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {

 static const int32_t kUnknownId = -1;

-static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1575551133599000);
+static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1579537847247000);
--- a/security/manager/ssl/nsSTSPreloadList.inc
+++ b/security/manager/ssl/nsSTSPreloadList.inc
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt