[obfs4/master] Update Azure's root CA certificate pins. - tor-commits

7 Dec 2020

commit 40245c4a1cf221395c59d1f4bf274127045352f9
Author: Philipp Winter phw@nymity.ch
Date:   Mon Dec 7 10:23:44 2020 -0800
Update Azure's root CA certificate pins.
Microsoft recently updated the root CA certificates that are served to
    Azure clients.  See the following article for more details:
    https://docs.microsoft.com/en-us/azure/security/fundamentals/tls-certificate...
This change broke meek-lite because none of its pins work anymore.  That
    means that Tor Browser users can no longer use meek-azure or moat as
    both rely on meek-lite.
This patch fixes the problem by updating the certificate pins.
Signed-off-by: Yawning Angel yawning@schwanenlied.me
---
 ChangeLog                        |  1 +
 transports/meeklite/hpkp_lite.go | 21 ++++++++++++---------
 2 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index eb4efc7..5b16201 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,6 @@
 Changes in version 0.0.12 - UNRELEASED:
  - Replace the extra25519 import with an internal package.
+ - Update the Azure TLS certificate digest (Thanks to Philipp Winter).
Changes in version 0.0.11 - 2019-06-21:
  - Update my e-mail address.
diff --git a/transports/meeklite/hpkp_lite.go b/transports/meeklite/hpkp_lite.go
index 0ff56f9..97ac590 100644
--- a/transports/meeklite/hpkp_lite.go
+++ b/transports/meeklite/hpkp_lite.go
@@ -103,19 +103,22 @@ func init() {
    	pins: make(map[string]*pinEntry),
    }
-	// Pin all of Microsoft's CA intermediary certificates for the
-	// Tor Browser Azure bridge.
+	// Pin all of Microsoft Azure's root CA certificates for the Tor Browser
+	// Azure bridge.
    //
-	// See: https://www.microsoft.com/pki/mscorp/cps/default.htm
+	// See: https://docs.microsoft.com/en-us/azure/security/fundamentals/tls-certificate...
    builtinPinDB.Add(
    	"ajax.aspnetcdn.com",
    	[]string{
-			"CzdPous1hY3sIkO55pUH7vklXyIHVZAl/UnprSQvpEI=", // Microsoft IT SSL SHA2 - 2018-05-07 17:03:30
-			"xjXxgkOYlag7jCtR5DreZm9b61iaIhd+J3+b2LiybIw=", // Microsoft IT TLS CA 1 - 2024-05-20 12:51:28
-			"wBdPad95AU7OgLRs0FU/E6ILO1MSCM84kJ9y0H+TT7s=", // Microsoft IT TLS CA 2 - 2024-05-20 12:51:57
-			"wUY9EOTJmS7Aj4fDVCu/KeE++mV7FgIcbn4WhMz1I2k=", // Microsoft IT TLS CA 4 - 2024-05-20 12:52:38
-			"RCbqB+W8nwjznTeP4O6VjqcwdxIgI79eBpnBKRr32gc=", // Microsoft IT TLS CA 5 - 2024-05-20 12:53:03
+			"i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY=", // DigiCert Global Root G2 - 2038-01-15 12:00:00
+			"r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=", // DigiCert Global Root CA - 2031-11-10 00:00:00
+			"Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o=", // Baltimore CyberTrust Root - 2025-05-12 23:59:00
+			"7KDxgUAs56hlKzG00DbfJH46MLf0GlDZHsT5CwBrQ6E=", // D-TRUST Root Class 3 CA 2 2009 - 2029-11-05 08:35:58
+			"svcpi1K/LDysTd/nLeTWgqxYlXWVmC8rYjAa9ZfGmcU=", // Microsoft RSA Root Certificate Authority 2017 - 2042-07-18 23:00:23
+			"NfU84SZGEeAzQP434ex9TMmGxWE9ynD9BKpEVF8tryg=", // Microsoft ECC Root Certificate Authority 2017 - 2042-07-18 23:16:04
    	},
-		time.Date(2024, time.May, 20, 00, 00, 00, 00, time.UTC),
+		// As of 2020-12-07, we're getting the "DigiCert Global Root CA"
+		// certificate, so our expiration time matches this certificate.
+		time.Date(2031, time.November, 20, 00, 00, 00, 00, time.UTC),
    )
 }

    