From 280b07eecd9023e9fd78de9f7b710f788ba71419 Mon Sep 17 00:00:00 2001 From: celenity Date: Sat, 3 May 2025 17:02:30 -0400 Subject: [PATCH] fix: Update certificate pinning for `beacondb.net`, `openstreetmap.org`, & `openstreetmaps.org` - fixes https://gitlab.com/ironfox-oss/IronFox/-/issues/89 Signed-off-by: celenity --- patches/certificate-pinning.patch | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/patches/certificate-pinning.patch b/patches/certificate-pinning.patch index f7de5c7..c4878d2 100644 --- a/patches/certificate-pinning.patch +++ b/patches/certificate-pinning.patch @@ -1,5 +1,5 @@ diff --git a/security/manager/ssl/StaticHPKPins.h b/security/manager/ssl/StaticHPKPins.h -index 644f20e9d3..efe706535c 100644 +index 644f20e9d3..0502afba9c 100644 --- a/security/manager/ssl/StaticHPKPins.h +++ b/security/manager/ssl/StaticHPKPins.h @@ -7,6 +7,10 @@ @@ -133,7 +133,7 @@ index 644f20e9d3..efe706535c 100644 }; static const StaticFingerprints kPinset_mozilla_services = { sizeof(kPinset_mozilla_services_Data) / sizeof(const char*), -@@ -316,6 +349,826 @@ static const StaticFingerprints kPinset_facebook = { +@@ -316,6 +349,830 @@ static const StaticFingerprints kPinset_facebook = { kPinset_facebook_Data }; @@ -212,6 +212,8 @@ index 644f20e9d3..efe706535c 100644 +}; + +static const char* const kPinset_beacondb_Data[] = { ++ kGTS_Root_R3Fingerprint, ++ kGTS_Root_R4Fingerprint, + kISRG_Root_X1Fingerprint, + kISRG_Root_X2Fingerprint, +}; @@ -637,6 +639,8 @@ index 644f20e9d3..efe706535c 100644 +}; + +static const char* const kPinset_openstreetmap_Data[] = { ++ kGlobalSign_Root_CA___R3Fingerprint, ++ kGlobalSign_Root_CA___R6Fingerprint, + kGTS_Root_R3Fingerprint, + kGTS_Root_R4Fingerprint, +}; 
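Review bot: The two pins added to `kPinset_beacondb_Data` cover only the ECDSA Google Trust Services roots (R3 and R4), so a chain that ends at an RSA GTS root would still fail the pin check and leave the host unreachable, presumably the kind of breakage this commit is fixing. The Let's Encrypt side of the same set already pins both key types (`kISRG_Root_X1Fingerprint` and `kISRG_Root_X2Fingerprint`). For parity, consider adding `kGTS_Root_R1Fingerprint,` and `kGTS_Root_R2Fingerprint,` if the header defines them, after checking which chains beacondb.net actually serves. The same gap appears to exist in `kPinset_openstreetmap_Data` in the next hunk, whose GTS entries are also R3 and R4 only.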
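Review bot: `kPinset_openstreetmap_Data` now pins roots from two unrelated CAs with nothing recording why, so a later reviewer cannot tell a needed pin from a stale one. I would add a comment above the array such as `// GlobalSign R3/R6 added for IronFox issue 89; re-verify against the live chains when a pinned host changes CA`, and a matching one on `kPinset_beacondb_Data` in the previous hunk. The commit subject also names `openstreetmaps.org`, but none of the visible hunks change a preload-list entry, so it is worth confirming that both hostnames map to this pinset.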
@@ -960,7 +964,7 @@ index 644f20e9d3..efe706535c 100644 /* Domainlist */ struct TransportSecurityPreload { // See bug 1338873 about making these fields const. -@@ -329,76 +1182,441 @@ struct TransportSecurityPreload { +@@ -329,76 +1186,441 @@ struct TransportSecurityPreload { /* Sort hostnames for binary search. */ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = { @@ -1406,7 +1410,7 @@ index 644f20e9d3..efe706535c 100644 { "google.ac", true, false, false, -1, &kPinset_google_root_pems }, { "google.ad", true, false, false, -1, &kPinset_google_root_pems }, { "google.ae", true, false, false, -1, &kPinset_google_root_pems }, -@@ -529,6 +1747,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = { +@@ -529,6 +1751,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = { { "google.cv", true, false, false, -1, &kPinset_google_root_pems }, { "google.cz", true, false, false, -1, &kPinset_google_root_pems }, { "google.de", true, false, false, -1, &kPinset_google_root_pems }, @@ -1414,7 +1418,7 @@ index 644f20e9d3..efe706535c 100644 { "google.dj", true, false, false, -1, &kPinset_google_root_pems }, { "google.dk", true, false, false, -1, &kPinset_google_root_pems }, { "google.dm", true, false, false, -1, &kPinset_google_root_pems }, -@@ -623,90 +1842,638 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = { +@@ -623,90 +1846,638 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = { { "google.vg", true, false, false, -1, &kPinset_google_root_pems }, { "google.vu", true, false, false, -1, &kPinset_google_root_pems }, { "google.ws", true, false, false, -1, &kPinset_google_root_pems }, 
@@ -2054,7 +2058,7 @@ index 644f20e9d3..efe706535c 100644 { "wf-bigsky-master.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, { "wf-demo-eu.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, { "wf-demo-hrd.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, -@@ -716,23 +2483,73 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = { +@@ -716,23 +2487,73 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = { { "wf-training-hrd.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, { "wf-training-master.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, { "wf-trial-hrd.appspot.com", true, false, false, -1, &kPinset_google_root_pems },