package info.guardianproject.otr.app.im.plugin.xmpp;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Locale;
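/**
 * Static TLS policy for the XMPP plugin: preferred cipher-suite orderings and
 * the list of pinned public-key hashes.
 *
 * <p>The cipher-suite arrays are {@code public static final String[]}, so the
 * references are fixed but the elements are still writable by any caller;
 * treat them as read-only.
 */
public class XMPPCertPins
{
    // Ordering rules for the cipher-suite lists below
    // (see https://wiki.mozilla.org/Security/Server_Side_TLS):
    //   - AEAD suites (GCM) before everything else
    //   - forward-secret key exchange (ECDHE/DHE) before static RSA
    //   - AES-128 before AES-256
    //     ( https://www.schneier.com/blog/archives/2009/07/another_new_aes.html )
    //   - avoid SHA-1 where possible
    //   - no RC4, MD5 or DES

    /**
     * Preferred suites, best first, for the newer platform level named in the
     * constant (API 20). Suite names must match the standard JSSE/IANA
     * spelling exactly; a misspelled name can never match a supported suite.
     */
    public final static String[] SSL_IDEAL_CIPHER_SUITES_API_20 = {
        // AEAD + forward secrecy
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        // Standard names carry an underscore between "AES" and the key size.
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",

        // CBC with SHA-2 MAC + forward secrecy
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
        // The DHE_RSA AES-256-CBC suite is defined with SHA256; there is no
        // registered DHE_RSA ..._AES_256_CBC_SHA384 suite.
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",

        // CBC with SHA-1 MAC + forward secrecy (compatibility fallback)
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",

        // "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", // not supported in Android 6
        // "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
        // "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
        // "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
        // "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
        // "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",

        // Static-RSA key exchange: no forward secrecy, kept last as a fallback.
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA"
    };

    /**
     * Preferred suites, best first, for platforms that do not get the API 20
     * list. Follows the rules above as closely as possible; if RC4 ever has
     * to be enabled it must come last.
     */
    public final static String[] SSL_IDEAL_CIPHER_SUITES = {
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        // "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
        // "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
        // "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
        // "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
        // "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
        // "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",

        // Static-RSA key exchange: no forward secrecy, kept last as a fallback.
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",

        // UNCOMMENT THIS BLOCK ONLY IF ABSOLUTELY NECESSARY
        /*
        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
        "TLS_ECDH_RSA_WITH_RC4_128_SHA",
        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
        */
    };

    // Lazily built cache of the pins. Public and mutable: anything assigned
    // here from outside is returned by getPinList() without re-validation.
    public static ArrayList<String> PINLIST = null;

    /**
     * Returns the pinned public-key hashes as hex strings.
     *
     * <p>These are currently all pins of the CAs' signing keys for the CAs
     * used by servers that we trust. AndroidPinning always validates using
     * the normal CA method as well, so pins for cacert.org, similar CAs, or
     * self-signed certificates only take effect when those certificates have
     * been manually installed into the system's keystore; otherwise
     * AndroidPinning fails on its built-in check against the system's trust
     * manager.
     *
     * <p>The list is built and checked for duplicates on the first call and
     * cached in {@link #PINLIST}. The cache is assigned only after the check
     * passes, so a failed check is repeated on the next call instead of
     * leaving an unvalidated list behind. No synchronization is performed.
     *
     * @return a new array holding every pin, in declaration order
     * @throws SecurityException if the built-in list contains the same pin
     *         twice (compared case-insensitively)
     */
    public static String[] getPinList() {
        if (PINLIST == null) {
            PINLIST = buildPinList();
        }

        return PINLIST.toArray(new String[PINLIST.size()]);
    }

    // Builds the built-in pin list and rejects it if any pin appears twice.
    private static ArrayList<String> buildPinList() {
        ArrayList<String> pins = new ArrayList<String>();

        // Each pin is 40 hex digits (a 160-bit digest), labelled "SPKI Pin" in
        // the reference blocks below; presumably the SHA-1 of the certificate's
        // SubjectPublicKeyInfo as AndroidPinning expects -- TODO confirm.
        //
        // NOTE(review): this is a static snapshot. Some of the CAs pinned here
        // (StartCom, and the GeoTrust/RapidSSL hierarchy) were later distrusted
        // by major browser root programs; confirm each pin is still wanted and
        // that the servers listed still chain to these keys.

        // generated using http://gitlab.doeg.gy/cpu/jabberpinfetch

        /* chat.facebook.com
        SubjectDN: CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US
        IssuerDN: CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
        Fingerprint: 42857855FB0EA43F54C9911E30E7791D8CE82705
        SPKI Pin: 95F9D7434B1CE71DEF4211EE6BE3C0E0256FAD95
        */
        pins.add("95F9D7434B1CE71DEF4211EE6BE3C0E0256FAD95");

        /* gmail.com
        SubjectDN: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
        IssuerDN: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
        Fingerprint: 7359755C6DF9A0ABC3060BCE369564C8EC4542A3
        SPKI Pin: C07A98688D89FBAB05640C117DAA7D65B8CACC4E
        */
        pins.add("C07A98688D89FBAB05640C117DAA7D65B8CACC4E");

        /* duck.co/dukgo.com im.mayfirst.org jabberpl.org neko.im riseup.net
        SubjectDN: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
        IssuerDN: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
        Fingerprint: F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
        SPKI Pin: 6E584E3375BD57F6D5421B1601C2D8C0F53A9F6E
        */
        pins.add("6E584E3375BD57F6D5421B1601C2D8C0F53A9F6E");

        /* jabber.calyxinstitute.org
        SubjectDN: CN=RapidSSL CA, O="GeoTrust, Inc.", C=US
        IssuerDN: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
        Fingerprint: C039A3269EE4B8E82D00C53FA797B5A19E836F47
        SPKI Pin: A39399C404C3B209B081C21F21622778C2748E4C
        */
        pins.add("A39399C404C3B209B081C21F21622778C2748E4C");

        /* xmpp.jp
        SubjectDN: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
        IssuerDN: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
        Fingerprint: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
        SPKI Pin: 234B71255613E130DDE34269C9CC30D46F0841E0
        */
        pins.add("234B71255613E130DDE34269C9CC30D46F0841E0");

        /* The following pins are for self-signed certificates and the
         * cacert.org Certificate Authority certificate. AndroidPinning
         * will always fail on these unless they have been manually
         * installed into the system's keystore. AndroidPinning always
         * does a check using the system's default trust manager.
         */

        /*
        SubjectDN: CN=jabber.ccc.de, O=Chaos Computer Club e.V., L=Hamburg, ST=Hamburg, C=DE
        IssuerDN: EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
        Fingerprint: 4E09F9D9F224174684768D467A84B139B86A021F
        SPKI Pin: 686B3569ABE87202E9018532719CB67DD7EA3356
        */
        pins.add("686B3569ABE87202E9018532719CB67DD7EA3356");

        /*
        SubjectDN: EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
        IssuerDN: EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
        Fingerprint: 135CEC36F49CB8E93B1AB270CD80884676CE8F33
        SPKI Pin: 10DA624DEF41A3046DCDBA3D018F19DF3DC9A07C
        */
        pins.add("10DA624DEF41A3046DCDBA3D018F19DF3DC9A07C");

        // added pin from cacert.org downloadable class3 crt
        // (no SubjectDN/fingerprint was recorded for this one, and it is the
        // only pin written in lower case)
        pins.add("f061d83f958f4d78b147b31339978ea9c251ba9b");

        /* guardianproject.info/hyper.to self-signed
        SubjectDN: CN=hyper.to, O=Chaos Inc., L=San Francisco, ST=California, C=US
        IssuerDN: CN=hyper.to, O=Chaos Inc., L=San Francisco, ST=California, C=US
        Fingerprint: 1064712E64D1AE7F4FDC2DEFDE7F19B1CEEB82B8
        SPKI Pin: 2B1292D6CD084EC90B5DBD398AEA15B853337971
        */
        pins.add("2B1292D6CD084EC90B5DBD398AEA15B853337971");

        // Double check there are no duplicates by mistake. Hex digits are
        // compared case-insensitively so the same pin written in upper and
        // lower case is still caught; the stored strings are left untouched.
        HashSet<String> seen = new HashSet<String>();
        for (String pin : pins) {
            if (!seen.add(pin.toUpperCase(Locale.ROOT))) {
                throw new SecurityException("PINLIST has duplicate entries!");
            }
        }

        return pins;
    }
}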