From 249e38c32f534ee8c766551172597f18854790b5 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner <hans@eds.org>
Date: Sat, 2 Aug 2014 00:16:08 -0400
Subject: [PATCH] include relevant sites in list of HTTPS pins

The current HTTPS trust model is to first check if a site's key is TOFUed,
then check if it is pinned and check the CA, then prompt the user.  There
is currently no way to only check the CA for validity.  Ultimately, that
should probably not be needed if the repo URLs can include the HTTPS pin
info in the same way that the repo fingerprint is specified.  Then it can
be added to the TOFU/POP keystore when the user accepts the Add Repo dialog

Since that idea does not exist yet, this commit adds the sites that are
likely to run their own repos in the near future:

https://f-droid.org
https://guardianproject.info
https://s3.amazonaws.com  # multiple orgs use this
https://panicbutton.io    # Amnesty International's app
https://psiphon.ca        # circumvention tool
---
 src/org/fdroid/fdroid/FDroidCertPins.java | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/src/org/fdroid/fdroid/FDroidCertPins.java b/src/org/fdroid/fdroid/FDroidCertPins.java
index cc7bb7f19..d91563edb 100644
--- a/src/org/fdroid/fdroid/FDroidCertPins.java
+++ b/src/org/fdroid/fdroid/FDroidCertPins.java
@@ -23,13 +23,22 @@ import java.util.Arrays;
 
 public class FDroidCertPins {
     public static final String[] DEFAULT_PINS = {
-        /*
-         * SubjectDN: CN=f-droid.org, OU=PositiveSSL, OU=Domain Control Validated
-         * IssuerDN: CN=PositiveSSL CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
-         * Fingerprint: 84B91CDF2312CB9BA7F3BE803783302F8D8C299F
-         * SPKI Pin: 638F93856E1F5EDFCBD40C46D4160CFF21B0713A
-         */
-        "638F93856E1F5EDFCBD40C46D4160CFF21B0713A",
+
+            // OU=PositiveSSL, CN=f-droid.org
+            // Fingerprint: 84B91CDF2312CB9BA7F3BE803783302F8D8C299F
+            "638F93856E1F5EDFCBD40C46D4160CFF21B0713A",
+
+            // OU=Gandi Standard SSL, CN=guardianproject.info
+            "cf2f8e226027599a1a933701418c58ec688a8305",
+
+            // C=US, ST=Washington, L=Seattle, O=Amazon.com Inc., CN=s3.amazonaws.com
+            "5e77905babb66ca7082979435afbe4edf3f5af12",
+
+            // OU=Domain Control Validated - RapidSSL(R), CN=www.psiphon.ca
+            "3aa1726e64d54bf58bf68fe23208928fd0d9cf8a",
+
+            // OU=EssentialSSL Wildcard, CN=*.panicbutton.io
+            "cdae8cc70af09a55a7642d13f84241cba1c3a3e6",
     };
 
     public static ArrayList<String> PINLIST = null;